ARE YOU READY FOR GDPR?
GDPR, the new data protection regulation, comes into force on 25th May 2018. Find out what it means for care homes and how care home software can help you become compliant.
Sign up to receive our GDPR whitepaper
Hang on, what is GDPR?
GDPR stands for General Data Protection Regulation. It is EU legislation that applies from 25th May 2018, replacing the 1995 Data Protection Directive and, in the UK, superseding the Data Protection Act 1998. It introduces new rights for individuals and new responsibilities for organisations, and it protects people’s personal and sensitive data held by third parties by making both data controllers and data processors accountable for the data they hold, with tougher penalties for data breaches. GDPR is not designed to prevent the sharing of data; it requires that any sharing is lawful and documented.
What will change with GDPR?
Rights of Individuals
Under GDPR, individuals will have increased rights, including the following:
The right to be informed – you must tell people why you are processing their data and provide a privacy notice that is transparent about how you use personal data.
The right of access – you must confirm whether a person’s data is being processed and give them access to their personal information.
The right to rectification – you must correct a person’s information when it is inaccurate or incomplete.
The right to erasure – also known as ‘the right to be forgotten’. It enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Article 5(2) of the GDPR (the accountability principle) requires that the controller “shall be responsible for, and be able to demonstrate compliance with” the data protection principles.
The data you process must be:
- Processed lawfully, fairly and transparently
- Collected for a specified, explicit and legitimate purpose
- Adequate, relevant and limited to what is necessary for the stated purpose
- Processed and stored securely, in a way appropriate to the type of data being held
- Accurate and up to date, and kept only for as long as necessary
Data Controllers and Data Processors can both be held accountable so you’ll need to:
- Follow comprehensive but proportionate governance measures
- Make use of the good practice tools outlined by the Information Commissioner’s Office (ICO), such as privacy impact assessments
- Minimise the risk of breaches
What is a personal data breach?
The ICO defines a breach as follows: “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just about losing personal data.” When a breach occurs:
- Notify the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals
- Notify the affected individuals directly, without undue delay, if the breach is likely to result in a high risk to them
- Describe the nature of the breach, its likely impact, the actions taken to deal with it and any measures taken to mitigate its adverse effects
Potential impact of getting it wrong
- Non-compliance with obligations such as record keeping, security and breach notification: fines of up to €10m or 2% of global annual turnover, whichever is higher
- Infringing the data protection principles, individuals’ rights or the rules on international transfers: fines of up to €20m or 4% of global annual turnover, whichever is higher!
- Loss of business
- Impact on your reputation
- Safety and wellbeing of the people you support
Causes of data breaches
Common sources of breach risk:
- Keeping data inappropriately (too long, too much, irrelevant and unnecessary)
- Disclosure to third parties that the individual does not want it disclosed to
- Data used in ways that are unacceptable to, or unexpected by, the person it is about
- Data stored inadequately
Does GDPR apply to Care Providers?
Yes. It applies to anyone who processes personal data about ANY living individual:
- Care providers in particular will have sensitive data in care plans
- It applies to all forms of data. Paper contains data too!
- GDPR still applies even though we are leaving the EU
- Data protection isn’t new, but the financial penalties under GDPR are far tougher!
- Whitehead Nursing Home, County Antrim, was fined £15,000 after an unencrypted laptop was taken from the home of a staff member
What data might you be processing?
What does ‘processing’ data mean?
- Storing, typing and reading are all processing!
Types of personal data held by providers
- Medical information
- Mental Health
- Personal preferences
- Financial information
- Contact details
Who you might hold data on
- Prospects, clients, service users, staff and contacts
- Assess the impact of the data being held
Where might your data sources be?
Paper filing systems
Providers will need to be compliant with GDPR because any manual records containing personal data relating to staff or service users fall within its scope. This means filing systems and paper care plans are affected, as are daily records and charts kept in a folder.
Back up to USB drive and tape
Under the accountability requirement, backups and replicas of older computer systems held on USB drives or tape must be documented and protected to the same standard as the live system: they contain just as much personal data and are subject to the same regulations. An unencrypted, untracked backup copy is a compliance gap, not an exempt archive.
Printing from a computer system
Printing a care plan from a computer system means there are both ‘manual’ and ‘automated’ copies and, under the new regulation, both need documentation to show how they are processed.
Evidencing how data is managed
This brings us to the key change from the Data Protection Act: you must not only be compliant but be able to evidence how compliance is achieved.
To be compliant with GDPR it is necessary to have a reason for holding personal data, and that reason must be documented. If your organisation is fully compliant with the Data Protection Act, then the first step would be to document how data is managed.
Understand and document your data for GDPR
You must maintain internal records of processing activities (Article 30), covering:
- Purposes of the processing
- Description of the categories of individuals
- Categories of personal data
- Details of transfers to third countries including documentation of the transfer mechanism safeguards in place
- Retention schedules
- Description of technical and organisational security measures
Data Fluidity – Where is your data going?
The volume and types of data being sent around the world are ever increasing. For each flow, ask:
- Why is it required?
- Who can access it?
- Where is it stored?
- How many copies are there?
Privacy Impact Assessment (called a Data Protection Impact Assessment, or DPIA, in the GDPR text)
- Identify where a PIA is required
- Describe the information
- How the data is stored, how it flows and any disclosure to third parties
- Identify the risks to the individual and to the organisation
- Cost benefit of solution(s)
- Organisation sign off
- PIA as part of culture and project plans
So, why are people choosing to go digital?
Digital care records and evidence of care
- Enables better care
- Better analytics
- More informative
- Gives care providers transparency, visibility & control
- Involvement of relatives with Relatives Gateway
- More data, better data, more evidence
The right software solution, properly configured, is safer than paper and will help you comply with GDPR
Weren’t we safer with paper?
- Paper is not secure and can also lead to data breaches. It is also:
- Costly to track who has copies
- Slow to search when you need to find something
- Dangerous when multiple copies exist
- Less valuable than digital records
- Cumbersome to archive
- Easily lost
What should you do to prepare?
Document what data you are holding on whom and why
- Privacy Impact Assessment (PIA)
- Escalation and notification policy
Identify any risks of breaches and how to reduce them
Educate and train staff on data protection and handling
Define your Digital Strategy and review it regularly
- Ask questions of your software provider (or prospective partner)
- Where is your data?
- How is it managed?
- How is it protected?
- But, don’t forget to include any paper ‘systems’!
If you haven’t started already…start now!
- Review and document the data you hold
- Understand why you need it and any legal grounds for holding it
- Complete Privacy Impact Assessments
- Raise awareness of GDPR in your organisation
- Review systems and processes to reduce risk of data breaches
- Appoint a responsible person for data protection
- Do some research
Where to get help?
- The ICO
- Other local businesses
- Software vendors
- Your DPO (Data Protection Officer)
- Internal working party
- Independent GDPR consultants
- Legal advice
- Business Insurance
What we're doing to help Care Providers
There is a shortcut to part of the work of becoming compliant with GDPR.
You remain responsible for compliance as the data controller, but if your data is hosted and processed by a third party, you can ask that third party to document how they manage GDPR compliance. GDPR also requires a written contract with any processor setting out its obligations, so ask for that documentation alongside the contract.
Mobile Care Monitoring is care home software that meets the data processing requirements of GDPR. Our customers use a fully hosted (cloud) system and we provide documentation on how our infrastructure meets GDPR requirements.