CHRISTOPHER GRAHAM • INFORMATION COMMISSIONER • INFORMATION COMMISSIONER’S OFFICE
The TalkTalk cyber-attack has brought into sharp focus just how careful all businesses have to be when looking after other people’s information. It’s clear that organisations in all sectors are waking up to their obligations under the Data Protection Act. And our recent work with care homes suggests there is much more that should be done. Our message is simple: taking care of people means taking care of their data too. This means, among other things, that you have to use their data fairly, only gather what you need for the purposes you need it, make sure it’s secure and don’t keep it for longer than necessary.
We visited 11 residential care homes for adults and children and found that many were struggling to meet the requirements of the Data Protection Act and could be risking a breach of the law. Our recently published report identifies a number of areas of improvement.
Training – we found little in the way of formal data protection training. Where training did take place, we found the focus tended to be on the importance of good record-keeping for providing an appropriate standard of care to residents, rather than what’s required to meet data protection obligations.
Electronic data retention – some care homes had systems in place to dispose of written records but were less rigorous when it came to deleting electronic data.
Encryption – despite sharing often very sensitive personal details, few of the homes we visited had encrypted email systems in place or used encryption to protect information on portable devices like laptops, USB sticks and DVDs. There were also inadequate measures in place to restrict access to USB ports and CD drives, posing a significant risk to the security of personal data and the networks and systems used to process it.
Fair processing – most did not inform individuals about how their information would be used and who it could be shared with. Sometimes, it was written down but it could and should have been better communicated to residents.
System security – while everyone we visited had up-to-date anti-virus software in place, few had robust systems to restrict access to records or defend against cyber-attack. Many had limited IT resources and passwords were neither complex nor changed regularly.
Incident reporting – we found that reporting procedures tended to focus on internal issues. We’ve advised that any data loss or inappropriate disclosure, including near misses, should be properly dealt with to prevent it happening again.
Data sharing – in a sector where sharing and receiving sensitive personal data with partner agencies is a day-to-day occurrence, we found insufficient arrangements in place to ensure proper and safe data handling.
These issues are not unique to the care home industry and, of course, it’s worth pointing out there are many examples of good practice. The care homes we visited were strong on physical security, ensuring buildings and offices were secure, filing cabinets were locked and that there were restricted areas to prevent unauthorised access by residents or visitors. But it is clear that wider data protection issues must be better addressed. The Health and Social Care Information Centre’s Information Governance Toolkit has helped many care homes understand and meet their Data Protection obligations, but this is not enough.
Neither is it satisfactory to simply know about the Data Protection Act, draft a policy and give it to new staff at their induction session. In fact, most of the care homes we visited did not even have formal policies in place. Data protection must be an integral part of the culture of the business. Every member of staff, from the receptionist to the chief executive, must fully understand the importance of data handling and what role they should play in that.
Our aim is to make things better. As well as promoting good practice through this report, we also work closely with the Care Quality Commission over information governance matters. But, as the regulator, we have powers of enforcement and can fine organisations in breach of the Data Protection Act up to £500,000. And breaches do happen. In March 2014, homecare provider Neath Care was found to be in breach after files of ten vulnerable and elderly people were found in a local street. A month later we issued an enforcement notice against Wokingham Borough Council after sensitive social services records relating to the care of a child, which were requested by the family, were lost after the delivery driver left them outside the requestor’s house.
Dealing with personal information is a responsibility to be taken seriously at every level of the organisation. Personal data must be handled with care.
Do you have robust data protection policies?