
Protecting Sensitive Information

Judith Davison, professional support lawyer, at BLM offers up some tips on how care homes can adhere to the Data Protection Act and avoid unwanted data breaches.

The Data Protection Act imposes a range of obligations on businesses that hold and process information. All of the information held by care homes about employees and customers such as health and sickness records, pay details, bank details, address and contact information is not only confidential but is also protected under the Data Protection Act 1998 (DPA).

Key obligations imposed by the Act are to process data fairly and lawfully, use information only for specified and lawful purposes, to make sure information is accurate and not kept for longer than is necessary, as well as ensuring it is kept securely. With a particular focus on health and social care the government has appointed a National Data Guardian to assist in developing guidelines for protecting such material.

Data Protection Issues for Care Homes

The Information Commissioner’s Office (ICO) recently published a report following a number of advisory visits to residential care homes. The visits concentrated on the security of personal data, records management and data sharing. A number of concerns were highlighted, including:

• Very little formal training on data protection was in place.

• Issues with IT systems, such as staff sharing generic accounts to access IT systems, passwords not being sufficiently complex or regularly changed, data held on portable devices not being encrypted, and security measures restricting the use of personal media to transfer data rarely being applied.

• Few formal policies and procedures in place particularly for data sharing.

• Retention policies were seldom in place and, where they were, often applied only to manual records.

• Individuals were not always supplied with adequate information as to how their personal data was processed, and even where such information was available, it was not always communicated to residents as well as it could be.

Failing to adhere to the Data Protection Act brings a number of associated risks including:

Individual compensation claims

The DPA says that an individual can claim compensation if they suffer damage as a result of a data breach; they can also claim compensation for distress.

However, the Court of Appeal has recently awarded compensation for distress alone on the basis that the financial loss requirement was incompatible with EU law and an individual’s fundamental rights. Whilst the case is being appealed to the Supreme Court it seems highly likely that the decision will stand and that any data breach will give rise to a possible claim for compensation.

ICO sanctions

The ICO can impose monetary penalties of up to £500,000, as well as criminal prosecutions, cautions, enforcement notices and undertakings.

In addition to action by the data subject or the ICO, data breaches can lead to reputational damage, loss of intellectual property and increased insurance premiums.

How to Avoid a Data Breach

Care homes should implement extensive training programmes for all staff, as well as establish policies and procedures regarding retention and disposal of information, incident reporting and data sharing.

Care homes should also ensure their IT security by encrypting email systems and portable devices, restricting access to USB ports and DVD/CD drives, and recording who requires access to the information. All staff should be assigned individual log-ins, audit trails should be implemented and a password policy should be developed.

Care facilities should also ensure premises are secure and that information is held securely, as well as inform residents how their information will be used and with whom it could be shared.

Subject Access Requests (SARs)

SARs can put immense pressure on a care home’s resources. Individuals can request a copy of their personal data as held by an organisation, which must be provided within 40 days. It is important that staff are trained to recognise a SAR and act on it without delay.

The SAR must be in writing; however, before providing any information, a care home needs to be satisfied as to the individual’s identity and ensure that no third-party information is disclosed without consent, redacting as necessary. The ICO has recently published a SAR code of practice (available on the ICO’s website) with advice on how to deal with and respond to SARs.
