What is the General Data Protection Regulation (GDPR)?
You will no doubt be aware of the GDPR from the endless stream of emails you will have received requesting your consent to opt in. In a matter of days, on 25 May 2018, the GDPR will come into effect. It introduces new laws on holding and processing data. It is EU legislation, it will be applicable in the UK, and it repeals the Data Protection Act 1998. The Brexit plans will not impact on these changes, as the UK has confirmed that it will adopt the GDPR. It applies to all organisations, regardless of size. So if you are running a small organisation, or you are a self-employed business working as, for example, an independent social worker, do read on.
In essence the GDPR demands greater transparency in respect of an organisation’s collection, storage and use of personal data, which must be for a legitimate purpose. For social care organisations this includes not only service users’ personal data but also staff information such as CVs, staff files and references. As an employer you need to ensure that adequate training is provided to your employees in respect of collecting, handling and storing third party data.
As social care professionals, do you need to know about GDPR?
Protecting data is necessary given that it is now considered to be the new precious metal because of its great value. Data protection laws are not new: we have had a Data Protection Act since 1984, and the concept of protecting data began after the Second World War, when England took part in the drafting of the European Convention on Human Rights. The data protection principles set out in the Data Protection Act 1998 are fundamentally similar under the GDPR. However, the general principle under the GDPR is to protect the privacy of individuals rather than organisations. The GDPR gives the public more control over their personal data, and simplifies and unifies regulations for organisations across the European Union.
As social care professionals, it is essential that you collect and use certain data to do your job effectively. Hence there is no way of avoiding the GDPR. You and your organisation will hold significant personal information relating to individuals, and a proportion of that data is likely to constitute sensitive personal data. It is therefore important to be familiar with the new laws.
Social care organisations and professionals will already be very familiar with existing data protection requirements. Compliance with data protection law is required not just of the organisation but also of the individuals/employees within it, and breaches can have serious consequences for both the organisation and the individuals concerned.
There are many examples of Local Authorities and organisations being heavily fined for breaches, for example one Local Authority was fined £70,000 in 2017 for leaving vulnerable people’s personal data exposed online for 5 years.
For health and social care organisations, any breach is devastating not only because of the fine but also because it is likely to give rise to a loss of public trust, attract media attention and thereby inflict considerable reputational damage. It is therefore important that organisations ensure strict compliance and that their employees are provided with the resources, support and training needed so that everyone complies.
Non-compliance can have a direct impact on individuals. For example, a council employee was fined £160 plus prosecution costs of £364.08 and a £20 victim surcharge after he was found guilty of stealing 349 service user and staff records to help set up a new business. In another case a medical receptionist received a 2 year conditional discharge and costs of £614 after she unlawfully obtained her sister-in-law’s medical records. The fines may seem relatively low, but note that in the case of a conviction the individual will also have a criminal record.
Non-compliance cases involving social care professionals will also mean referral to the Health and Care Professions Council (HCPC). One case heard in October 2017 involved a children’s social worker who sent unredacted confidential information about service users to a personal email address. The information identified the service user and placed the service users and their families at risk of their confidential information being exposed. The social worker was also found to have undertaken poor case recording. The practice committee held that the conduct amounted to misconduct and/or lack of competence; the social worker’s fitness to practise was found to be impaired and a 12-month conditions of practice order was made. Amongst other conditions, the social worker was required to make a personal development plan designed to address deficiencies in case recording, data protection and confidentiality.
A simple search will turn up many more examples of cases where organisations and individuals have been held responsible for breaches of data protection requirements. Given the burden of responsibility, it is essential that you are clear about your legal duties and responsibilities under the GDPR, as ignorance of the law is no defence.
Changes in the law
The GDPR places new obligations on organisations that process personal data and special categories of data. The principles of data protection remain the same as under the Data Protection Act 1998; however, the GDPR extends the requirements of the 1998 legislation. The GDPR introduces a raft of new obligations on the way data subjects are informed of their rights and on dealing with requests for information, alteration or deletion. Key changes include, amongst others:
- Organisations will need to give clear notification of each purpose for which they may use data, and notify the data subject of the organisations with whom they may need to share it.
- Enhanced requirements around consent. The GDPR requires more information to be provided to data subjects about the personal data that is being processed. This could be a challenge, particularly for those working in services for children. There are additional layers of complexity, ranging from differing ages of consent to ensuring that there are child-friendly explanations of consent for data sharing.
- The right to be forgotten.
- Subject access request procedures that favour the individual. The GDPR removes the £10 fee and reduces the timescale from 42 days to 1 month.
- Breaches must be reported within 72 hours, and non-compliance can have serious consequences. Under the new rules the Information Commissioner’s Office’s (ICO) powers to penalise have been significantly increased: organisations can be fined up to a maximum of £17m (previously £500,000) or 4% of global turnover, whichever is higher.
The changes are referred to by the ICO as “evolution rather than revolution”.
Sharing Information and consent
Local Authority Social Services are frequently required to share personal data for safeguarding reasons with other public services such as health, education or even the police. Social Services, or whichever organisation is collecting the data, will be required under the new rules to explain clearly who may access the data and why. Children’s Services will need to explain this to the child (in an age-appropriate way) and to those with parental responsibility. For that reason, gaining informed consent early is advisable, as it will normally be a sufficient legal basis for processing the data. The GDPR makes it very clear that consent must be unambiguous, explicit and recorded. It is therefore advisable to record clearly how the consent was obtained, as you may have to show an audit trail.
Under the GDPR, all personal data held or processed must have been collected for a specific legal reason. However, as was previously permitted, if professionals have significant safeguarding concerns then personal information can be shared where, for example, it is in the child’s best interest. Again, recording what information was shared, with whom and for what purpose is advisable in the event that you are faced with a challenge.
The new laws may seem like a minefield; however, with preparation they will make data protection easier for both service users and professionals.
Data Protection Officer
All public authorities, and any organisation that carries out regular and systematic monitoring of data subjects, will be required to appoint a Data Protection Officer (DPO). A DPO’s role is to inform, advise and monitor compliance with the GDPR. Local Authorities may already have a DPO in post, so if you are in doubt or require further information or assistance, the DPO within your organisation may be able to help, particularly if you have received a subject access request.
Remember breaches can be heavily penalised so be prepared and if in doubt take advice before you take action.
The Information Commissioner’s Office (ICO) has produced a range of resources on its data protection reform website. GDPR guidance will continue to be published on this site.
The ICO has also produced “Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now”, which organisations may find of assistance in preparing for the introduction of the GDPR.
How we can help
We are specialists in providing legal and social care training. If you require bespoke and practical skills-based training on Information Governance or any other subject matter, please contact us or call us on 01908 969 039.
Copyright: The content of this legal briefing is copyright of Kingsley Knight Training. It can be printed and downloaded free of charge in an unaltered form on a temporary basis, for personal use or reference purposes. However, it is prohibited for any content printed or downloaded to be sold, licensed, transferred, copied or reproduced in whole or in part in any manner or in or on any media to any person without the prior consent of Kingsley Knight.
Disclaimer: The contents of this guide are for information only and are not intended to be relied upon as legal advice.