The Data Protection Act imposes a range of obligations on businesses that hold and process information. Care homes will, by their very nature, hold a wide range of information including information about employees and customers (including for example health and sickness records, pay details, bank details, address and contact information). All of this information is not only confidential but is also protected under the Data Protection Act 1998 (“DPA”).
The key obligations imposed by the Act are to process data fairly and lawfully (the Act sets out conditions which must be complied with to achieve this), to use information only for specified and lawful purposes and to make sure information is accurate, is not kept for longer than is necessary and is kept securely. There is a particular focus on health and social care and the government has appointed a National Data Guardian to assist in developing guidelines for protecting such material.
What are the data protection issues for care homes?
The Information Commissioner’s Office (ICO) recently published a report following a number of advisory visits to residential care homes. The visits concentrated on the security of personal data, records management and data sharing. A number of concerns were highlighted:
• Very little formal training on data protection was in place.
• There were issues with IT systems: staff shared generic accounts to access IT systems, passwords were not sufficiently complex or regularly changed, data held on portable devices (such as laptops) was not encrypted, and security measures restricting the use of personal media to transfer data were rarely applied.
• There was little in the way of formal policies and procedures in place, particularly for data sharing.
• Retention policies were seldom in place and often applied only to manual records.
• Individuals were not always supplied with adequate information as to how their personal data was to be processed and even where it was available, it was not always communicated to residents as well as it could be.
What are the risk implications of a failure to comply with DPA requirements?
Individual compensation claims
The DPA says that an individual can claim compensation if they suffer damage as a result of a data breach. If they have suffered damage, they can also claim compensation for distress.
However, the Court of Appeal has recently awarded compensation for distress alone on the basis that the financial loss requirement was incompatible with EU law and an individual’s fundamental rights. Whilst the case is being appealed to the Supreme Court it seems highly likely that the decision will stand and that any data breach will give rise to a possible claim for compensation.
ICO sanctions
The ICO can impose monetary penalties of up to £500,000, bring criminal prosecutions, issue cautions and enforcement notices, and require undertakings.
Additional consequences
In addition to action by the data subject or the ICO, a data breach can lead to reputational damage, loss of intellectual property and increased insurance premiums.
What can be done to avoid a data breach?
There is much that care homes can do:
• Training – training for all staff, with annual refresher training.
• Policies and procedures – especially regarding retention and disposal of information, incident reporting and data sharing.
• IT security – encryption of email systems and portable devices; restrict access to USB ports and DVD/CD drives; restrict access to records to those who require the information; ensure staff have individual logins; implement audit trails; adopt a password policy in line with government guidance.
• Physical security – ensure premises are secure and that information is held securely.
• Inform residents how their information will be used and with whom it could be shared.
Subject access requests (SARs)
SARs can put immense pressure on a care home’s resources. Individuals can request a copy of their personal data as held by an organisation. This must be provided within 40 days. It is therefore important that staff are trained to recognise an SAR and to act on it without delay. The SAR must be in writing, but no specific format is required. Before providing any information, a care home needs to be satisfied as to the individual’s identity and ensure that no third party information is disclosed without consent, redacting as necessary. The ICO has recently published an SAR code of practice (available on the ICO’s website) with advice on how to deal with and respond to SARs.
Judith Davison
Professional Support Lawyer
020 7029 4268
judith.davison@blmlaw.com