Earlier this month, the Information Commissioner’s Office (the ICO) published a report of its findings from 11 visits to residential care homes undertaken during 2014. The objective was to understand how the care homes were processing personal data, to identify shortcomings and to recommend improvements in practice.
Data protection is, or at least should be, a major consideration for residential care homes, presenting challenges above and beyond those that a commercial organisation will typically face. A residential care home holds personal data not only on its employees and customers but also sensitive personal data relating to its residents. The processing of personal data is, of course, subject to the Data Protection Act 1998 (the Act), policed by the ICO, and a breach of the Act can incur a monetary penalty of up to £500,000. The reputational damage that follows public exposure of a data breach may be even more costly and, in extreme cases, irreparable.
What residential care homes are doing wrong
The failings identified by the ICO were:
- little, if any, formal training for staff on data protection and related issues such as data security and records management
- widespread use of shared generic accounts to gain access to IT systems on which personal data (including sensitive personal data) is stored
- overly simple passwords which were not changed with sufficient frequency (where indeed there was password protection)
- failure to encrypt personal data held on personal devices
- few, if any, formal policies and procedures regulating data protection and data sharing
- endpoint security controls restricting the use of portable media to transfer data were rarely applied to computers
- few, if any, retention schedules and those that were in place often applied to manual records only
- failure to provide individuals with adequate information about how their personal data was to be processed.
On the plus side, the ICO found that physical building security (such as having adequate controls relating to access and movement within premises) was “generally good”.
The Act contains eight data protection principles. A number of the ICO’s findings identify failings which may amount to a breach of the seventh principle: the requirement to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The ICO’s findings also criticised residential care homes for not complying with the first principle, namely that personal data shall be processed fairly and lawfully in accordance with conditions specified in the Act and for failing to comply with the fifth principle, that personal data shall not be kept longer than is necessary for the purpose it was obtained.
The ICO has made a number of recommendations to tackle the failings identified in its investigation, including:
There should be formal induction training and at least annual refresher training with data protection as its focus, rather than a focus on care standards only. Training content should be kept under regular review, and there should be bespoke training for staff in key roles, such as information security and records management.
Existing retention schedules should be reviewed and amended where necessary. In particular, they should cover electronic as well as manual records. Retention schedules should document responsibilities and disposal methods, and should justify the retention period for each type of document and any exceptions to it.
Residential care homes need to establish procedures for the effective communication of fair processing information to individuals.
More use should be made of encryption and, where a care home is using encryption, it should do so on a more systematic basis than is often the case at present.
Portable devices that store personal data, such as laptops, USB sticks and DVD/CD media should be encrypted.
There should be more use of individual rather than shared logons, with more complex passwords than is the case at present. More use could be made of anti-virus and anti-malware solutions. Consideration should be given to how to ensure that access to personal data is limited to those staff who actually need it.
Access to USB ports and DVD/CD drives should be restricted so far as practicable to mitigate the risk of loss of personal data and the transfer of malware onto systems.
Residential care homes that are regulated by Ofsted must have an internal reporting procedure; in practice, however, this is restricted to care incidents and does not extend to data security breaches.
Formal policies and procedures should be implemented to address the sharing of personal data with other organisations. These should stipulate when information can be shared, the necessary security measures, who may authorise data sharing, the maintenance of records and how to deal with subject access or freedom of information requests.
There should be formal agreements with the organisations with which data is shared, stipulating how the information will be processed and how it will be disposed of.
Data protection policies
Residential care homes should have a data protection policy dealing with, among other things, email usage, disposal of documents, physical security, home working, archiving and retention.
Faxes are not yet obsolete and, where they are used, there is a risk of personal data being inadvertently sent to the wrong recipient. A fax usage policy can help to reduce that risk, for example by making more use of pre-programmed numbers and restricting the information that may be sent by fax.
How Walker Morris can help
With the ICO having published detailed recommendations to help residential care homes achieve data protection compliance, we can expect the sector to remain on the ICO’s radar. Residential care homes have to accept that they are now in the regulatory spotlight for data protection as well as for care standards.
Each residential care home is unique, with its own operational needs and with its own daily challenges. Not all the failings identified by the ICO will be applicable to all residential care homes, and its recommendations will not be appropriate in every case.
At Walker Morris, we combine expertise in data protection law with experience of advising clients in the health care sector. We can review your existing practices, procedures and policies and recommend how these can be updated to reflect best practice and to avoid enforcement action by the ICO. We can update or prepare data protection policies that are tailored to your business. We can review, or if necessary draft, data sharing agreements.
We can also arrange and deliver general training for staff, and bespoke training for key staff, a priority identified in the ICO report. Our training will also offer hints, tips and best practice pointers which, if implemented and enforced, should significantly reduce the likelihood of getting on the wrong side of the ICO.