Carey Bloomer, Information Governance Specialist, BLS Stay Compliant Ltd
The Government drive for care providers to be digitally mature in adopting digital systems – and so improve information security – is rapidly gaining momentum. As a former Nursing Home Registered Manager, I know how difficult it can be to ensure that you have good data protection in place.
Processing sensitive personal data in order to populate such digital systems is, of course, subject to the Data Protection Act 1998 and UK GDPR, policed by the Information Commissioner’s Office (ICO). Figures recently published by the ICO show that the health sector accounts for the largest number of data breaches.
Breaches can incur fines of up to £17.5m, but whilst the monetary penalties can be large, the loss of reputation is often more damaging.
Should your organisation be exposed to a data breach, the ICO will often ask whether staff undergo regular data protection training, requesting details on the date last trained. The ICO may also scrutinise your Privacy Notices and practices to see if reality matches intent. In short, good data protection training for all staff can mitigate enforcement action and being diligent with policies will ensure your processes are not only lawful but understood and accepted.
One way care providers can take effective steps to protect the data they process is by completing the Data Security Protection Toolkit (DSPT). It is compulsory to successfully complete the DSPT if you have an NHS email account, but it also demonstrates that your organisation holds data security in the highest regard and takes appropriate action, for the people you support, their families and your staff.
The DSPT states that 95% of a care organisation’s staff must have relevant data protection training appropriate to their roles. In addition, the National Data Guardian (NDG) – the independent body ensuring data is safeguarded correctly in the health and social care sector – has mandated that all Adult Social Care organisations must have a trained Caldicott Guardian (CG) in place by June 30th, 2023.
This places a significant onus on organisations to improve their data protection standards and associated procedures. But, in the current climate of ongoing struggles with recruitment and retention, finding the time or funding for such training is a huge challenge in itself.
The NDG recognises that Adult Social Care organisations are unique and therefore allows some flexibility: organisations may group together and share a CG, train their own if resources and time permit, or outsource the CG role to companies such as BLS Stay Compliant.
In addition, Subject Access Requests (SARs) are increasing exponentially. Even a simple SAR can be very challenging, particularly if data retention policies are not being followed closely or staff are unaware of them. Information that can be requested includes emails and social media accounts such as WhatsApp or Facebook.
We appreciate that Registered Managers are already stretched, so if staff are trained to understand their responsibilities for the information they process, you can be reassured that you are well on the way to being compliant.
BLS Stay Compliant supports clients across all sectors, including health and social care, local and national authorities, schools and higher education institutes, charities, retail and hospitality sectors.
Please contact us to see how we can help with your data compliance and training.