Top tips for GDPR

Jessica Dunn, Office Manager at Katherine Harriet Ltd, looks at top tips for homecare providers surrounding Data Protection and GDPR.

Data protection law sets out what should be done to make sure everyone’s data is used properly and fairly. Data protection applies to all workplaces, including those in the homecare sector. We have some top tips on how we can all keep on top of the key principles and tackle any issues we face as homecare providers.

1. Ask yourself ‘why do I need this information?’ 

Any personal information you hold needs to be used fairly and securely in line with data protection laws. Most people think that data protection is focussed on keeping data secure, when actually the biggest challenge is thinking about what data we collect and use, and why.

Before collecting any personal data, we need a valid reason. This is also known as a ‘lawful basis’, and there are six types of lawful basis that we can use. We must ensure we do not collect and use more personal data than we actually need in order to deliver a high-quality service to our clients.

For most day-to-day operations, we will need data because:

  • We are delivering a contracted service to a client
  • We have a legal obligation as an employer / provider of regulated care
  • We have a legitimate business interest

If we are struggling to explain what we are doing with someone’s personal data and why, we may find it difficult to identify a lawful basis. We should all think twice before collecting this information in the first place.

2. Think about security 

We must ensure any personal data that we collect is also stored and protected correctly. At Katherine Harriet we follow CQC and ICO guidelines for retention of documents, and we dispose of documents through a secure third-party shredding service. All information is kept on password-secured computers, apps and laptops, and only authorised individuals have access to it. We also ensure any information sent out by message is encrypted.

3. Be transparent – clearly communicate what we are doing with this personal data

We must ensure we tell people why we need their data. At assessment time, our Registered Manager, Rebecca Tilby, explains that we use the information collated to build a specialised care plan that allows our staff to carry out their role as safely and efficiently as possible. It helps our staff to build relationships with our clients and also gives us vital information, for example how to locate their property, any risks we need to be aware of, and how to contact the client and their family, to name a few.

1st January 2024

We regularly review our assessment paperwork and care plans to ensure we are continually asking ourselves, ‘why do we need this information?’ This helps us to ensure that our clients’ personal data is still accurate and being used for the correct purposes.

4. Respond promptly to requests for information (from individuals) 

People have rights in relation to their information. For example, they can ask you to delete it, challenge the accuracy of it and object to what you’re doing with it. People can also ask us to provide a copy of their personal information; this is known as a Subject Access Request (SAR). However, we still have to follow ICO and CQC guidelines in relation to what information has to be kept and for what length of time.

5. Respond promptly to data breaches 

If any personal information is lost, accidentally destroyed, altered without proper permission, damaged or disclosed to someone it shouldn’t have been, this could be a personal data breach. At Katherine Harriet we must report and notify the ICO of this. We also complete a quarterly Data Protection Audit, which highlights any data breaches within the last quarter, how we dealt with them and any lessons learnt.

6. Know when to use consent 

Whilst consent can be a ‘lawful basis’ to process data, it is not likely to be the main justification for your day-to-day activities. Consent is only truly valid if it means you would stop using someone’s data in the event they withdraw consent, and you are likely to need a lot of personal data even if the individual objects.

‘Best interests’ is not a ground for processing data under data protection law. If an individual does not have capacity to consent and you still believe it is necessary to use their data in a certain way, consider whether other legal grounds apply, such as the vital interests ground in an emergency situation.

7. Understanding your responsibilities 

We take responsibility for what we do with personal data, and we must ensure that you, Wellbeing Assistants, can:

  • Recognise the difference between personal data (which relates to an individual) and general information (which could be information or statistics)
  • Understand and explain what personal data is being collected and why, i.e. details used in the care plan so that you can carry out your tasks and services for the client
  • Identify and report a potential data breach, which means contacting the office and reporting this in writing to the Registered Manager

8. Disposing of old data that you no longer need 

We do not, and should not, have more personal data than we need to achieve our purposes, and the data must not include details that are irrelevant. We also cannot keep data for any longer than needed. Always think of our first tip: ‘why do we need this information?’

We also must follow our own policies and procedures surrounding retention as well as the ICO and the CQC guidelines. 

If there are any uncertainties surrounding GDPR, contact the office in the first instance with any queries and direct them to our GDPR officer, Rebecca Tilby.

Jessica Dunn 

Office / Administration Manager 
