How to improve data protection in care homes

In September 2015 the ICO published its findings from visits it made to residential care homes for adults and children. The report, which is aimed at all residential care homes and other organisations that provide similar services and includes guidance and advice to help them improve their data protection practices, can be found here.

During 2014, the ICO undertook 11 voluntary data protection advisory visits with residential care homes. The scope of these visits focussed on the technical and organisational measures in place to address the following key issues:

  • Security of personal data
  • Records management
  • Data sharing

The objective was to understand how these organisations were processing personal data. The report highlights common problems and areas for improvement, and offers guidance and advice to help these and similar organisations improve their data protection practices.

Summary of findings:

  • There was little if any formal training for data protection and associated issues such as security of personal data and records management
  • The use of shared generic accounts to gain access to IT systems was widespread
  • Where system access was password protected, the passwords were seldom complex. Passwords were also not changed regularly
  • Encryption of personal data held on portable devices was often not implemented
  • There was little in the way of formal policies and procedures in place for data protection and even less for data sharing specifically
  • End point security that restricts the use of portable media to transfer data was rarely applied to computers
  • Retention schedules were seldom in place and often only applied to manual records
  • Adequate information for individuals about how the organisations were going to process their personal data was not always supplied. There were instances where processing information was written, but was not communicated to residents as well as it could have been

The main recommendation in the report concerned training. As the report says: “Training is a key tool for any organisation in ensuring that staff are aware of their responsibilities for data protection.” However, the ICO found there was little formal data protection training in the care homes it visited and that where training did take place, “it tended to focus on care standards for the use of information rather than data protection requirements.”

The report advises that key elements of good practice for data protection training include:

  • Mandatory induction training that ideally takes place before allowing staff to access personal data
  • Mandatory annual refresher training
  • Annual reviews of data protection training content to ensure that it is up to date and remains relevant to the residential care home needs
  • Specialised training for key roles, for example those dealing with requests for personal data, information security, or records management
  • Training logs that record completed data protection training; and
  • Procedures to ensure that incomplete training is monitored and addressed

Both adult and children’s residential care homes process information about their residents in paper and electronic form. This can include initial referrals, background information, care plans or sometimes sensitive medical information such as medication requirements.
