General Data Protection Regulation (GDPR) in care homes

The General Data Protection Regulation (GDPR) is EU legislation which came into effect on 25 May 2018, superseding the Data Protection Act 1998 (in the UK, GDPR is supplemented by the Data Protection Act 2018). Complying with GDPR strengthens the protection of the sensitive personal data held in residents' care plans and of the personal data of staff employed in the care home. GDPR also introduced stronger penalties for data breaches.


Why is GDPR important to care homes?


Making sure policies comply with the General Data Protection Regulation and registering with the Information Commissioner's Office (ICO) should be a priority for all care establishments.


What are the GDPR principles?

Personal data should be:

1. Processed lawfully, fairly and in a transparent manner.

Lawfully: Processing must have a lawful basis under the legislation (for example consent, contract, legal obligation, vital interests, public task or legitimate interests). Health and social care records are special category data, so a specific condition for processing them must also be identified. Processing must additionally respect any regulatory or contractual requirements and any duty of confidentiality.

Fairly: There must be a legitimate reason for collecting and using the data. Be transparent about how the data is to be used, handle it in a way the individual would reasonably expect, and do not use it in ways that would have an unjustified adverse effect on the individual.

2. Collected for specific, explicit and legitimate purposes.

This is to ensure that the reasons for obtaining personal data are clear and that what is done with the information is in line with the reasonable expectations of the individuals concerned. If an organisation intends to use the data it holds for purposes other than those for which it was collected, it must inform the individuals concerned and confirm that the new purpose is compatible with the original one.

3. Adequate, relevant and limited to what is necessary.

Adequate: Having enough information to fulfil the purpose(s) for which it was obtained.

Relevant: Each item of data held must be justified against the purpose it serves, on a case-by-case basis; information that has no bearing on that purpose should not be collected.

Not excessive: Data minimisation – consideration should be given to the type of data collected, how much is held and how long it should be retained.

4. Accurate and, where necessary, kept up to date.

Accurate: Data is inaccurate if it is incorrect or misleading as to any matter of fact. Data that was accurate when recorded may become inaccurate over time, so it must be reviewed and kept up to date. There is some expectation on individuals to inform the organisation when information held about them has changed.

Opinions about individuals are personal data. However, generally, opinions cannot be challenged under the 4th principle. Opinions should be recorded as such and put in context where appropriate.

5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which those data are processed.

There are statutory requirements to retain some information and those guidelines should be followed. The 5th principle is there to prevent retention of personal data without good reason. Any deletion of personal information must be done securely.

6. Processed in a manner that ensures appropriate security of the personal data (integrity and confidentiality).

Appropriate technical and organisational measures must protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Personal data must also be processed in line with the data subject's rights:

  • The right to know who will see and use their personal data.
  • The right to know why their data is being collected and what it will be used for.
  • The right to have copies of all their personal data that is being processed or held.
  • The right to have any codes or jargon within provided copies of their personal data explained to them.

7. Accountability.

The organisation is responsible for complying with the principles above and must be able to demonstrate that compliance. In practice this means having appropriate technical and organisational measures in place to protect the personal data that is handled, and keeping records (policies, training, processing records, risk assessments) that show those measures are followed.


Rights for individuals under GDPR

  • Subject access.
  • To have inaccuracies corrected.
  • To have information erased.
  • To restrict processing.
  • To object to processing, including to prevent direct marketing.
  • To prevent automated decision-making and profiling.
  • Data portability.

How can care homes comply with GDPR?

Data Protection Impact Assessments (DPIAs) can help to identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy.

Privacy risk

Privacy risk is the risk of harm arising through use or misuse of personal information. Some of the ways this risk can arise are through personal information being:

  • Inaccurate, insufficient, or out of date.
  • Excessive or irrelevant.
  • Kept for longer than necessary.
  • Disclosed to individuals without the consent or knowledge of the data subject.
  • Used in ways that are unacceptable to, or unexpected by, the data subject.
  • Not kept securely.

The outcome of a DPIA should be a minimisation of privacy risk.

A DPIA includes the following steps:

  • Identify the need for a DPIA.
  • Describe how the information flows.
  • Identify the privacy and related risks.
  • Identify and evaluate solutions that reduce those risks.
  • Record the DPIA outcomes.
  • Integrate the outcomes into the project plan.
  • Consult internal and external stakeholders as needed throughout the process.

Where is your data, how is it managed & how is it protected?

It is wise to appoint a responsible person for data protection who researches the requirements and receives training; where an organisation's core activities involve large-scale processing of special category data such as health records, GDPR makes appointing a Data Protection Officer (DPO) mandatory. Make sure all staff receive training in GDPR and fully understand the need for confidentiality at all times.

What happens when things go wrong?

Sometimes things do go wrong and breaches of security occur, i.e. the destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

In such instances, the supervisory authority (the ICO in the UK) must be notified without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification describes the nature of the breach, its likely consequences and the measures taken to address it. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. Every breach, whether or not it is reportable, should be recorded in an internal breach log together with the reasoning for the decision.

CareDocs and GDPR

Here at CareDocs, the protection of data is one of our prime concerns. Our care management system has been carefully designed to comply with the principles set by the EU regarding GDPR and to ensure that all information and records are safely secured.

Consent is obtained to retain personal data: CareDocs’ care plan assessments include specific questions that establish consent to keep personal data for the purposes of supporting an individual’s health and social care needs.

Access to personal data is restricted: CareDocs restricts access through an in-built security interface, and audit logs validate when care files have been accessed, added to or amended.

Data is secured through its entire lifecycle: All data in CareDocs is stored in encrypted format, ensuring that the data is secure from time of entry to eventual deletion/archiving.

Personal data that is no longer necessary or relevant, is deleted: CareDocs has the facility to remove data concerning individuals after a specified period and also to delete an individual’s personal data should consent be withdrawn.

Data collection is minimised: CareDocs only keeps personal information that is relevant to an individual’s health and social care needs, in their own best interests and for legal compliance.

For more information regarding how CareDocs can support your care business with data protection compliance, please email sales@caredocs.co.uk or phone 0330 056 3333.

One of our friendly members of staff will be more than happy to explain how our innovative software, and technology in general, can help you maintain compliance with the principles mentioned in this blog.


Originally published on January 3, 2018
Article updated on May 12, 2022

