Data protection rules and regulations have been in place for many years. However, the connectivity of systems, the amount of data held, and the ways that data is stored and used have changed considerably. To address these changes, the General Data Protection Regulation (GDPR) comes into effect in the UK and across Europe on 25th May this year. Although this is European regulation, it still applies to the UK even though we will be leaving the European Union.
Providers of healthcare services such as care homes and nursing homes work with a large volume of sensitive personal data relating to patients, carers, families and staff, including vulnerable individuals and those not able to give consent on their own behalf.
Care data is highly sensitive and may require explicit consent both for the processing of personal information and for medical support. The day-to-day use and security of data, and the environment it is used in, should be part of the operational procedures of a care home. Here are a few areas to look out for, where you have potential risks of not adhering to the regulations:
Information Security Risks
What process do you have in place for systems access? If you have new starters, are they aware of security processes? If staff leave the business, are their details and logins removed so that there is no possibility of a breach? How often do you change access passwords/logins?
Clear desk policy and workplace security – is personal information correctly stored and not left in the open where it may be seen, for example on a desk? Are files correctly put away and screen-locking routines adhered to?
Encryption – are your sensitive documents encrypted? If you use removable media or equipment such as laptops, tablets and mobile phones, are they password-protected?
Physical security – are there entry controls in place to the facility and to areas around the facility? Do you use CCTV or monitoring equipment? Can visitors access restricted areas? Are there passwords/entry codes in place and how are these shared with staff? How often are these changed?
Monitoring and reporting – how do staff monitor any potential incidents and report any issues?
Manual Records Risks
Logging, tracking and moving of manual records – whether records are paper or electronic, there needs to be a process for how records are created, updated, stored and moved between internal and external sources.
How are records stored both for live and for archived information?
How is the quality of the data maintained – what processes are in place to ensure information is current and up to date?
Is your staff training up to date for maintaining this record information? Do you have a consistent process for maintaining information?
Subject Access Requests
Subject Access Requests (SARs) – do staff know what SARs are and how to deal with them?
Are SAR redactions and exemptions logged or reported?
Are timescales being met for SARs?
Your operational procedures need to be in place, recorded in a central point and regularly communicated to staff, both new and existing, permanent and temporary. Organisations need to ensure that this information is readily available and easy to access, both to comply with GDPR and to ensure that individuals and families can be told what information is held and how it is used and stored.
Hopefully you have already heard about these changes and have started to look at your operational procedures, practices and behaviours. If you haven’t, now is the time to make yourself aware of the changes you will need to make to the way you organise and plan data and information in your care business. There’s a lot of information online about what you need to be doing, but the following links provide comprehensive and fairly clear support information, including FAQs, checklists and webinars:
The Information Commissioner’s Office (ICO) has created an extensive website detailing all aspects of GDPR, including a specialist healthcare page: https://ico.org.uk/for-organisations/health/
The NHS Digital Information Governance Alliance has also produced guidance and FAQs about the GDPR: https://digital.nhs.uk/information-governance-alliance/General-Data-Protection-Regulation-guidance
Although the introduction of these changes to data protection may involve time, organisation and potentially new ways of working, it should be seen as beneficial to the individual. It is designed to protect personal data from bad practice and from the more serious misuse of everybody’s information.