The Data Security and Protection Toolkit: Information for Social Care Providers
Previous work at both the ICS and local level identified the need to establish and strengthen basic systems to support connectivity across health and social care providers so that staff can access care records. Providers need to achieve compliance with the DSPT and have access to NHSmail for the secure transfer of care records.
The Data Security and Protection Toolkit (DSPT) https://www.dsptoolkit.nhs.uk is an online self-assessment tool for data security which supports organisations in demonstrating:
1. General Data Protection Regulation (GDPR) compliance.
2. Compliance with the expected data security standards for health and social care for holding, processing or sharing personal data.
3. Readiness to access secure health and care digital methods of information sharing such as NHSmail and Summary Care Records (a summary of GP information about an individual) and local information sharing solutions. NHSmail allows personal care information to be shared between health and social care providers.
4. Good data security to the CQC as part of the Key Lines of Enquiry (KLOEs).
The Care Provider Alliance also have more details on GDPR, including e-learning and templates which can be used to fulfil GDPR criteria: https://www.careprovideralliance.org.uk/information-governance.html
Training is available for care providers on how to complete the DSPT; please click here for more details.
The European General Data Protection Regulation (GDPR) is in force as of May 25th 2018.
It has changed how businesses and public sector organisations can handle the information of customers.
The following guidance has been released by the Care Provider Alliance:
The Information Commissioner's Office (ICO) has launched a new helpline aimed at SMEs and charities to advise how to be GDPR compliant: call 0303 123 1113 and select option 4.
Lancashire County Council recently hosted training for care providers - you can access the presentation here
Skills for Care have published a short briefing for employers on the implications of GDPR and will continue to update the Digital working, learning and information sharing pages over the coming months:
Important changes to the way you keep and record data
On 25 May 2018, the General Data Protection Regulations (GDPR) come into force. The new regulations will replace the Data Protection Act (DPA), which has governed the use of data information for adult social care services since 1998.
The regulations apply to any personal information you or your organisation hold relating to individuals, whether they are employees, people who need care and support or other customers, suppliers or contacts.
What do you need to do?
The GDPR extends current requirements set out in the DPA and places new obligations on organisations that process personal data and special categories of data. The Information Commissioner's Office (ICO) have published 12 steps that all organisations should take:
1. Awareness: organisations should take steps to ensure that decision makers and key people are aware that the law is changing.
2. Information you hold: you should document what personal data you hold, where it came from and who you share it with.
3. Communicating privacy information: this is the information you provide which tells someone why and how you are using their data.
4. Individuals’ rights: these have been strengthened under GDPR so it is important to review your existing data protection policy.
5. Subject access requests (SAR): the GDPR removes the £10 fee payable to make a SAR [1] and reduces the time for complying with one.
   [1] The SAR gives any person, including current and former employees as well as people in need of care and support, the right to request sight of all data you hold on them.
6. Lawful basis for processing personal data: you should document your reasons for processing specific data.
7. Consent: if you are not already, you will need to be clear on how you have identified where consent to use data and information has been sought and is required.
8. Children: you should consider whether it is appropriate for your organisation to have separate template notices and policies for adults and children.
9. Data breaches: do you have the right procedures in place to detect, report and investigate a personal data breach?
10. Data Protection by Design and Data Protection Impact Assessments (DPIAs): privacy by design is now an express legal requirement and in some circumstances DPIAs are now mandatory.
11. Data Protection Officers: many social care organisations will need to appoint a formal data protection officer if they don’t already have one.
12. International: this only applies to organisations operating in more than one EU member state.