The GDPR is a Europe-wide regulation and applies to ALL organisations across both the public and private sectors. In this blog we take a look at the GDPR in the Care Home Sector.
While the GDPR is more onerous than the Data Protection Act 1998, the basic principle of best practice still applies and it is not a great leap to become compliant with the changes brought about by the new regulation.
In a bid to bring the rules around the protection of individuals in line with the way society works today, the GDPR introduced a number of key requirements. Some of these requirements have a direct effect on the social care sector and in particular, state and privately owned care homes.
In this article, we take a look at what those key changes are and what, if anything, care home operators should be doing about them.
The Register of Data Controllers
The GDPR removed the requirement to register with the Information Commissioner's Office (ICO) as a data controller, although this was replaced with the requirement for ALL data controllers to pay a data protection fee.
There are exemptions from paying the fee but due to the particularly sensitive personal information that is regularly processed for health administration and patient care purposes, care homes are not exempt from registering and paying the fee.
In early 2019 the ICO reported that the care home sector was heavily under-represented on the register of data controllers and that it would be taking formal enforcement action against those care homes that have so far failed to register and pay the data protection fee.
While the fine for non-payment is set at a maximum of £600, the concerns raised by the ICO and its intention to carry out enforcement action highlight how important it has become for organisations to obey the new rules.
In the eyes of the ICO at least, there is a potentially wider issue around the level of understanding of care homes in relation to the GDPR, and non-payment of the registration fee is a good marker for further investigation.
Data Protection Officer (DPO)
The role of the Data Protection Officer, or DPO as it is commonly referred to, is a new one for many organisations. The DPO plays an important and often pivotal role and is key to ensuring the success of a privacy programme.
While it is mandatory for ALL public bodies to appoint a DPO, the requirement is not the same in the private sector and organisations need to make their own decision on whether or not to appoint one.
As there are no hard and fast rules on the appointment of a DPO outside of the public sector, consideration must be given to a number of factors.
A key consideration is how much personal data is being processed and how much of that data would be classed as ‘special category’ information i.e. health and medical records.
By their very nature, care homes process special category data relating to their residents but not all care homes will be processing data on a large scale. If your organisation operates on a large scale or operates multiple homes then you will likely need to consider appointing a DPO.
The role of the DPO does not have to be carried out in-house and can be outsourced. If you do decide to appoint a DPO, careful consideration should always be given to ensure the right person or outsourced provider with the right experience is chosen. It is recommended that, before taking on an internal or external resource, organisations take the time to make sure the provider understands both the law and your business.
Smaller organisations such as independent care homes who may not need to appoint a statutory DPO should still consider assigning someone within the organisation to take on a “Champion” role. The role of Champion can offer an excellent supporting structure for general data security and data protection matters but on a much smaller scale.
It is important to note that a person who is given a ‘Champion’ type role should not be called the Data Protection Officer unless you wish for them to act in the official capacity under Article 37 of the GDPR.
Changes to consent
Possibly the most widely reported change from the introduction of the GDPR was the premise of consent. While the regulation changed the key definition of consent, the basic premise remains the same.
When relying on common law confidentiality purposes, consent (implied or explicit) is still a valid reason for sharing information. However, when relying on consent for sharing special category data such as medical records, the consent given must be ‘explicit’, meaning that the exact purposes must be clearly laid out and understood by the data subject, which can be hard to achieve in social care environments.
There are a number of other lawful bases for processing special category data under the GDPR and the Data Protection Act 2018. These include processing for the purposes of preventative medicine, the provision of health or social care treatment, or the management of health or social care systems and services, all of which are much more suited to the care home sector.
Consent is not always the most appropriate basis for processing, and consideration should always be given to the other lawful bases first.
Whatever lawful basis your organisation chooses to rely on for processing, it is important to always document the decision and reasoning as you may be called upon to demonstrate your thinking to the regulator in the event of a breach.
Incident reporting and management
One of the most significant changes is the requirement for data controllers to report personal data breaches to the ICO within 72 hours of them becoming aware.
It is important to note that this requirement only relates to those incidents where it is highly likely that there will be an impact on the rights or freedoms of the individuals concerned. Not all incidents will need to be reported to the regulator, but they should all be reported and investigated internally within your organisation.
An effective and well managed incident reporting and management procedure is vital for any successful data protection framework. Tracking and monitoring incidents from their inception to remediation will provide valuable learnings and can help your business to identify weak areas of control.
All staff within your organisation should be trained on not only how to spot a potential data breach but how to report incidents to the relevant persons in charge of data protection.
Accountability is at the core of the GDPR and lies at the heart of what the regulation set out to achieve. Organisations have a responsibility to protect the data that they hold while providing access when required and demonstrating why they carry out certain processes.
Making sure your residents, their families and your visitors are appropriately informed of how their personal data is being processed and used is fundamental both to complying with the regulation and to the success of your data protection framework.
Accurate, easy-to-understand and friendly privacy notices, clear and concise permission statements, and accessible guidance documents and information leaflets are all great ways of keeping your service users informed.
The GDPR was designed to harmonise data protection law while also giving greater control to individuals over how their information is processed and used.
A good understanding of data protection within your organisation can not only protect you from regulatory action, it can also engender trust in your customers and enhance your business potential.
Richard Merrygold, Principal Consultant, Intelligent STORM Solutions Limited