The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). It sets out the principles of data management with regard to the rights of the individual and applies to every organisation that processes the personal data of people in the EU, wherever that organisation is based. The GDPR comes into effect across the EU on 25 May 2018. This article discusses the potential implications of GDPR for care homes and care professionals.
In the UK, the Information Commissioner's Office (ICO) has published guidance on the regulation and will be the body responsible for regulating and enforcing compliance in the UK.
This article aims to give a clearer understanding regarding the changes to UK legislation that will replace the Data Protection Act 1998 (DPA). Please note that while every effort has been made to ensure that sections that cover social care work and GDPR for care homes are cited below, our advice is to check the latest government information if you are unsure of any actions you should take.
What are the principles of GDPR?
The principles contained within the Data Protection Act 1998 (DPA) and the GDPR are very similar, however, there are differences that should be noted.
According to the ICO cited on the ICO website the principles are as follows:
Article 5 of the GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered to be incompatible with the initial purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up-to-date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay.
- Kept in a form that permits identification of data subjects, for no longer than is necessary, for the purposes of personal data being processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) adds the accountability principle: 'the controller shall be responsible for, and be able to demonstrate, compliance with the principles.'
All care home providers therefore must not only comply with the requirements listed above but also be able to show evidence that they do so.
How can I demonstrate compliance with GDPR for care homes?
The Information Commissioner's Office's guidance note under 'Accountability and governance' states that you must:
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies, staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
Organisations with 250 or more employees have an obligation to maintain internal records of processing activities, as well as producing and publicising comprehensive policies. Those with fewer than 250 employees must still document processing that is likely to result in a risk to individuals, that is not occasional, or that involves special categories of data (Article 30(5)). Health and care records are special category data, so in practice most care homes will need to keep records of processing regardless of their size. Where required, appoint a data protection officer (Article 37 makes this mandatory where the core activities involve large-scale processing of special category data), and implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
- Data minimisation
- Transparency, allowing individuals to monitor processing
- Creating and improving security features on an ongoing basis
- Carrying out data protection impact assessments (DPIAs) where necessary
In terms of operational activities for health and social care providers, we have identified the following areas where revisions to your existing operational procedures will most likely be required:
- Processing conditions, privacy notices and contracts
  - Create new policies or update existing ones to cover data protection, employee data protection and data retention
  - Perform a risk assessment on possible areas of exposure and create a checklist of actions to ensure overall compliance
- Security arrangements
  - Ensure all internal security processes are compliant
  - Revise procedures for on-site physical security, including CCTV usage and appropriate signage
- Rights of individuals whose data is being processed
  - Ensure you and your staff understand all the rights of anyone whose data you hold
- Responding to subject access requests (SARs)
  - Ensure you understand what is required in response to a SAR, how long your organisation has to respond (one month under the GDPR, down from 40 days under the DPA) and what types of personal data are exempt from such requests
- Roles and responsibilities of data protection officers
  - Provide training for management teams on the GDPR, setting out the actual changes to existing legislation and their responsibilities
- Breach notification and enforcement action
The ICO guidance also contains a specific section on GDPR and children's data.
GDPR for care home related courses
Flexebee provides care home compliance training courses with individual programmes on Communication and Record Keeping training and GDPR Awareness training, both of which cover key elements of the changes introduced by the GDPR.
If you are in any doubt regarding the new regulations, please seek legal advice or consult the ICO's published guidance.