What do care homes need to know?
What is GDPR?
GDPR is the acronym for the General Data Protection Regulation, a new set of rules from the EU that updates data protection for all citizens. It's an update to the current data protection regulation we've got in the UK and is basically aimed at giving people back control over their personal data in a 'one stop shop'.
What does GDPR mean for your care home?
Some small businesses are exempt from certain requirements of GDPR, but not care homes. This is because health data is classed as 'special category' data and has stricter requirements as a result. Because you hold and manage your residents' data, you will become classified as a data controller.
This means you will have to:
- Know exactly what data you hold and where
- Consider whether you should hold that data or not (it’s arguably best to hold as little as you need)
- Ensure your data is held in a secure manner (e.g. locked away or on a secure cloud)
- Assign a Data Protection Officer (known as a DPO for short)
- Complete a Data Protection Impact Assessment (DPIA) and take any steps required as a result. The Information Commissioner's Office (ICO) template is a very good place to start
- Update your policies and procedures to include how your business will deal with the new rights of individuals
- Make sure your staff are aware and trained to the new standards
How does that impact you (the manager or home owner) when you use Log my Care?
You need to be aware that Log my Care is now a place where you will be storing resident data, including residents' care records. Your data is securely stored in the cloud and kept up to date with all current regulatory requirements.
How does using Log my Care mitigate data risks?
- All activities logged throughout the ‘Care Office’ and ‘Carer App’ are recorded, giving you an audit trail should you need it.
- Data portability is built into the system by design: you can extract your data should you require it
- Data protection by design: we've built Log my Care to meet the new requirements from the ground up
- Log my Care has two factor authentication with a PIN code and a ‘Shift Password’ required to use the ‘Carer App’
- We have a requirement to inform you if any data breach does happen, meaning you’ll be in the know if anything were to go awry
- We have a robust set of privacy policies detailing what we do with the data.
What do you need to do when using Log my Care to meet your new responsibilities?
Using a secure system like Log my Care, where a lot of the GDPR and Data Protection heavy lifting has already been done for you, can take a real load off your plate. Here are a few simple tips to make sure you use the system properly and keep on the right side of the GDPR.
- Make sure all your staff have their own login details (no sharing!)
- Try not to write down any login details, but if you do, make sure they are locked safely away
- Update your ‘Shift Password’ as often as possible and only tell it to carers who are on that shift. We like having separate passwords for each shift.
- Check to make sure you’re running the latest version of our App. We’ll always let you know when we’ve got a new update and speak to you to make sure you know.
- Getting proper antivirus software for your devices is always a good idea
How does Log my Care make it easy to comply with the new rights of individuals?
There are 8 rights of individuals that are core to the GDPR and which you need to be well aware of as a care provider. We make it nice and easy to comply with each one.
- The right to be informed; data subjects have the right to know basic information about how you're holding their data and who the processor is. We can provide you with a template laying out what Log my Care is and how it works. You can easily adapt it and send it to those who need to know
- The right of access; you must be able to answer questions that data subjects have about their data or provide a copy of the data you hold on them. It's easy to get a copy of the data from Log my Care, just email [email protected] and one of our team will help
- The right to rectification; you can be asked to fix or update any errors in the data you hold on someone. In Log my Care, this is as easy as updating their profile
- The right to be forgotten; you can be asked to delete all the personal data you hold on someone. Our understanding is that you should still comply with the requirements of the Care Homes Regulations 2001 (i.e. hold data for 3 years after last entry for adults, 80 years for children) before deleting a resident's data. When needed, you can delete all of the data you hold in Log my Care for a resident
- The right to restrict processing; data subjects can request that you stop processing their data in certain ways e.g. they could ask you to stop using a system like ours and go back to paper to manage their care records, if they really wanted to!
- The right to data portability; data subjects can ask for their data in a form that can be taken to another processor. We make this nice and easy with our Excel export function
- The right to object to processing; if data subjects feel that you do not have legitimate grounds to process their data, they can ask you to stop
- The right not to be subject to automated decision-making including profiling; we don't use automatic decision making. So that’s an easy one
What has Log my Care been doing to ensure compliance?
We set up Log my Care at a good time, knowing that the GDPR was coming. It was much easier to incorporate the principles of privacy by design and security when building our product and processes than it is for other software companies that need to fundamentally change the way they work. We protect data with AES-256 encryption, SSL technology, PIN/password requirements for every member of staff and our novel additional security layer, the 'Shift Password'. We use the same cloud provider as HMRC. As a processor of special category health data, we have been working with an accredited external Data Protection Officer (DPO), Mariel, who is one of the country's sharpest legal minds on GDPR. To top it off, we've been working together to document our compliance by completing a full Data Protection Impact Assessment (DPIA) and a review of our policies and procedures.
What do we recommend you do when you start using Log my Care?
- When you set the system up, we recommend that you send an email to inform the families of your residents.
- You train staff to not share passwords and to make sure they use the system appropriately to enhance the care they provide.
- You regularly change ‘Shift Passwords’.
- You assess the data you’re collecting and ensure you’re only collecting information you need to operate.
What if you've got more questions about GDPR or Data Protection?
We know this is complicated stuff, so feel free to get in touch with any questions you still have. We're also happy to introduce you to Mariel, our Data Protection Officer, if you need her help. Just drop us an email at [email protected].