Data protection rules overhaul: how care home managers can avoid incurring hefty fines

By Sarah Finnemore, solicitor, Litigation and Dispute Resolution Department, hlw Keeble Hawson

Care home owners and managers are urged to get to grips with the biggest overhaul of data protection law in a generation before the new rules come into effect on May 25, 2018. The General Data Protection Regulation (GDPR) will spark a series of challenges for businesses across the care and healthcare sector. It will be regulated by the Information Commissioner’s Office (ICO), a government watchdog, and fines for non-compliance could be as much as €20,000,000 or 4% of annual turnover.

A very complex area, covering a huge array of requirements, GDPR will govern how all private, public and third sector organisations across the EU handle personal data. The government has said that it will remain in place post-Brexit.

Under GDPR, every person whose personal information is stored by a business for any reason must be told why that organisation wants it and what it will do with it. Care homes seeking to share the data with any third party will also need the specific consent of the individual. This consent must be very clear: for example, you cannot simply rely on a click confirming that a privacy policy has been read. Legal consent under GDPR must be explicit, informed and freely given. It can be made in a statement or by ticking a box.

Personal data must be stored securely with specified protocols to ensure that it is not breached, stolen, leaked or shared without authorisation. The far-reaching changes allow anyone to inspect their personal data at any time. As such, care homes must be geared up to handle ‘subject access requests’, telling anyone who asks what data is held on them and how it is used, within one month. This means that data must be kept accurate and up to date, with any changes made as and when they occur. The need for easy amendment and management is also vital, as anyone can request that their personal data be removed at any time, or revoke any consent previously given.

GDPR also requires that employees are trained in how to protect and manage the information they hold. The personal data of care home residents and their families is among the most sensitive held by any organisation, public or private. This means that care homes will have to look carefully at the specific rules that apply to processing “sensitive data” in order not to fall foul of the new regulations. The confidential nature of such information may also influence the security systems that care homes require in order to keep sensitive personal data safe and secure.

Healthcare providers generally operate under the doctrine of “implied consent” when using sensitive personal details about an individual’s health in order to treat them and provide care. Under the new, more stringent GDPR rules, relying on the “implied consent” of the individual may not pass the requirement that consent be given explicitly. However, the regulations do provide an alternative legal basis for processing sensitive data for health or social care purposes. Some care home residents may lack the capacity to understand the implications of giving consent to their data being processed. This makes it even more inappropriate for an organisation to seek to rely on the consent basis for processing, and vital that it can rely on another legitimate basis for doing so. Even if care homes do not seek to rely on a resident’s consent for processing their personal data, clear information about how it might be used should still be provided in their privacy policies.

A particular headache for managers and owners, who may already have amassed large amounts of information, is that GDPR applies retrospectively, i.e. to all data collected before May 2018 as well as all data from that date. Comprehending and complying with the massive overhaul will be extremely challenging, and it is still possible that there may yet be further developments and changes in the lead-up to the new rules being implemented. Adopting the adage that forewarned is forearmed, enlisting a legal practice with a track record in data protection upfront can help to prepare your business for the changes to come, and avoid severe financial non-compliance penalties further down the line.