Care homes handle large amounts of personal information. Some of it will be typical of all organisations, such as employee records; however, due to the very nature of a care home, much of this data will relate to individual residents and will be of a private and sensitive nature (for example, health records).
The ICO has noted that care homes are particularly weak in certain common areas:
- There is an apparent lack of training of staff on data protection issues generally and poor awareness of the need to protect personal data;
- It has been found that staff are generally not aware of the need to protect personal data against unauthorised access;
- Staff commonly share passwords (which are often weak), and devices containing personal/sensitive data were found not to be encrypted;
- By and large care homes do not have policies and procedures in place for data protection generally, and especially for data sharing (which is commonplace in the care sector).
It’s not all bad news, however, as care homes were found to have better-than-average security for their premises, with controls in place that restrict the movement of people into and around them.
Why is it important to have adequate controls in place?
- Care home managers and owners should, from an ethical perspective, wish to retain the integrity and secrecy of the data that they possess about their residents.
- There is a legal obligation under the Data Protection Act 1998 to store, control and otherwise deal with personal data in certain ways.
- Failure to deal with personal data correctly may lead to significant fines. For example, NHS Surrey was fined a six-figure sum when hard drives that were found to contain thousands of patients’ sensitive records were sold on an online auction site.
What can be done?
Thankfully, remedies to achieve compliance are not difficult to put in place; these include:
- Risk Assessment and Audit: care homes, and other organisations, should undertake a review of their current procedures and policies. This will determine what needs to be done to achieve compliance with current data protection laws;
- Training. Organisations should provide training on data protection issues to those members of staff who have access to personal data. This training should be repeated annually and staff performance monitored; where additional training is required, it should be identified and provided. Access to personal data should be restricted until such training has been completed;
- Policies. Policies and procedures should be adopted that set out how personal data is collected and processed, and be used to ensure internal compliance with data protection requirements. These policies typically cover, for example, the use of e-mail, homeworking, and the destruction of documents and records;
- Security and Encryption. All workstations should be secured and, where shared by employees, accessed only with individual login credentials. Any portable device that stores personal data should be encrypted;
- Data Sharing. Care homes will typically be required to share personal data with other organisations for the proper care of their residents. As a data controller, a care home should have agreements in place with third parties that determine (at least) how its data will be used by that third party, what security measures are required, and any arrangements concerning its destruction.
Our expert and dedicated Care Home Team is equipped to advise your organisation on the full range of data protection issues. If you require further information please contact Darren Carter, Nathan Combes or Alex Evans.