
General Data Protection Regulation (GDPR)

PUBLISHED ON:

12/1/2022

LAST EDITED ON:

12/1/2022

Contents

1. Introduction

1.1

GDPR stands for the General Data Protection Regulation, the set of rules from the EU that updated data protection for all EU citizens and came into effect on 25 May 2018. It is an update to the current data protection regulation we have in the UK and is basically aimed at giving people back control over their personal data in a ‘one-stop shop’.

1.2

Following Brexit, the original GDPR has been retained in UK law as the UK GDPR, as of 28 June 2021.

2. What GDPR means for your service

2.1

Some small businesses are exempt from certain requirements of GDPR, but not care services. This is because health data is classed as 'special category' data and has stricter requirements as a result.

2.2

Because you hold and manage your residents' data, you will become classified as a Data Controller.

This means you will have to:

  • Know exactly what data you hold and where.
  • Consider whether you should hold that data or not (it’s arguably best to hold as little as you need).
  • Ensure your data is held in a secure manner (e.g., locked away or on a secure cloud).
  • Assign a Data Protection Officer (DPO).
  • Complete a Data Protection Impact Assessment (DPIA) and take any steps as a result.
  • Update your policies and procedures to include how your business will deal with the new rights of individuals.
  • Make sure your staff are aware and trained to the new standards.

3. The impact on managers and owners when using Log my Care

3.1

You need to be aware that Log my Care is now a place where you will be storing resident data.

3.2

All data is securely stored in the cloud and up-to-date with all current regulatory requirements.

4. How we mitigate data risks

4.1

All activities carried out through the careoffice.logmycare.co.uk website (the “Care Office”) and the Log my Care App (the “Carer App”) are recorded, giving you an audit trail should you need it.

4.2

Data portability is built into the system by design, so you can extract your data as needed.

4.3

We have built Log my Care to meet all new data protection requirements from the ground up.

4.4

When using the Care Office, you will be required to enter a password to gain access.

4.5

Users of the Carer App will be prompted to enter a 4-digit PIN code to gain access. Additional security can be added to the App, through the use of 'shift passwords' that users will also be prompted to enter (if activated).

4.6

We are required to inform you if a data breach does happen, so you will know if anything goes awry.

4.7

We have a robust set of privacy policies detailing what we do with data.

5. What you need to do

5.1

We advise you to:

  • Ensure all your staff have their own login details.
  • Keep your login details secret and do not write these down.
  • Update your ‘shift password’ for each shift (if applicable) and only tell it to carers due to work at that particular time.
  • Check to make sure you are running the latest version of our Carer App. We will always let you know when we have a new update.
  • Get proper antivirus software for all your devices.

6. New rights of individuals

6.1

There are 8 rights of individuals that are core to the GDPR that you need to be aware of as a care provider. We make it easy to comply with each one:

6.1.1 The right to be informed

Data subjects have the right to know basic information about how you are holding their data and who the processor is. We can provide you with a template, laying out what Log my Care is and how it works. You can easily adapt it and send to those who need to know.

6.1.2 The right of access

You must be able to answer questions that data subjects have about their data or provide a copy of the data you hold on them. It's easy to get a copy of the data from Log my Care: just email support@logmycare.co.uk and one of our team will help.

6.1.3 The right to rectification

You can be asked to fix/update any errors in the data you hold on someone. In Log my Care, this is as easy as updating their profile.

6.1.4 The right to be forgotten

You can be asked to delete all the personal data you hold on someone. Our understanding is that you should still comply with the requirements of the Care Homes Regulations 2001 (e.g., hold data for 3 years after last entry for adults and 80 years for children) before deleting a resident's data. When needed, you can delete all of the data you hold in Log my Care for a resident.

6.1.5 The right to restrict processing

Data subjects can request that you stop processing their data in certain ways, e.g., they could ask you to stop using a system like ours and go back to paper to manage their care records, if they really wanted to!

6.1.6 The right to data portability

Data subjects can ask for their data in a form that can be taken to another processor. We make this nice and easy with our Excel export function.

6.1.7 The right to object to processing

If data subjects feel that you do not have legitimate grounds to process their data, they can ask you to stop.

6.1.8 The right not to be subject to automated decision-making, including profiling

We do not use automatic decision making, so that’s an easy one!

7. Data compliance

7.1

We have incorporated GDPR principles of privacy into our design and security when building our product and processes.

7.2

We protect data with AES-256 encryption, SSL technology, PIN/password requirements for every member of staff and our novel additional security layer, the ‘shift password’.

7.3

We use the same cloud provider as HMRC.

7.4

As a processor of special category health data, we worked with an accredited external Data Protection Officer (DPO), Mariel, who is one of the country's sharpest legal minds on GDPR.

7.5

We’ve been working together to help document our compliance by completing a full Data Protection Impact Assessment (DPIA) and review of our policies and procedures.

8. Recommendations for when you start using Log my Care

8.1

When you set the system up, we recommend that you send an email to inform the families of your residents.

8.2

You should train staff to not share passwords and to make sure they use the system appropriately, to enhance the care they provide.

8.3

You should regularly change ‘shift passwords’.

8.4

You should assess the data you are collecting and ensure you are only collecting information you need to operate.

9. Contact

9.1

If you have any questions about GDPR, you can contact us at support@logmycare.co.uk.
