POLICY AND PROCEDURE DATA PROTECTION/RECORD KEEPING
Redcourt Care Home believes in the following:
Records required for the protection of service users and for the effective and efficient running of Redcourt Care Home are up to date and accurate.
Individual records and home records are kept in a secure fashion, are up to date and in good order. They are constructed, maintained and used in accordance with the Data Protection Act 1998/new GDPR, which comes into effect on 25th May 2018, and other satisfactory requirements.
Redcourt Care Home adheres to standard 37: Record Keeping of the National Minimum Standards for Care Homes for Older People.
AIM OF THE POLICY
This policy is intended to set out the values, principles and policies underpinning Redcourt's approach to record keeping, data protection and access to records.
DATA PROTECTION POLICY
GDPR applies in all EU member states from 25 May 2018. GDPR is a regulation, not a directive.
Redcourt will adhere to the Data Protection Act 1998/new GDPR May 2018, and all storage and processing of personal data held in manual records and on computers in Redcourt Care Home should comply with the regulations of the Act. Redcourt Care Home understands that, according to the Data Protection Act 1998/GDPR May 2018, personal data should:
Be obtained fairly and lawfully.
Be held for specified and lawful purposes.
Be processed in accordance with the person's rights under DPA/GDPR.
Be adequate, relevant and not excessive in relation to that purpose.
Be kept accurate and up to date.
Not be kept for longer than is necessary for its given purpose.
Be subject to appropriate safeguards against unauthorised use, loss or damage.
Be transferred outside the European Economic Area only if the recipient country has adequate data protection.
The Data user/Data controller for Redcourt Care Home is the registered Manager.
ACCESS TO RECORDS POLICY
Redcourt believes that access to information and security and privacy is an absolute right of every service user.
Staff should do the following:
Ensure that all files or written information of a confidential nature are stored in a secure manner or in a locked cabinet, and are only accessed by staff who have a need and a right to access them.
Ensure that all files or written information of a confidential nature are not left out where they can be read by unauthorised staff or others.
Ensure that all care records and residents' notes, including care plans, are signed and dated.
Check regularly on the accuracy of data being entered into computers.
Always use passwords provided to access the computer system and not abuse them by passing them on to people who should not have them.
Use computer screen blanking to ensure that personal data is not left on screen when not in use.
CHANGES FOR GDPR MAY 2018
Redcourt Care Home will make all staff aware that the law regarding DPA is changing in May 2018 and what its changes mean.
We should document what personal data we hold, where it has come from and who we share it with. Doing this will help us to comply with the GDPR's accountability principle.
GDPR requires us to maintain records of our processing activities. If Redcourt has inaccurate personal data and we have shared this with another organisation, we will have to tell the other organisation about the inaccuracy so it can correct its own records.
COMMUNICATING PRIVACY INFORMATION
New legislation says we need to explain our lawful basis for processing the data, our data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way we are handling their data. The GDPR requires the information to be provided in concise, easy to understand and clear language.
The new GDPR rights for individuals are as follows:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
The right not to be subject to automated decision-making including profiling.
On the whole, the rights individuals have under the GDPR are the same as those under the DPA but with some significant enhancements.
The right to data portability is new and only applies:
To personal data an individual has provided to a controller;
Where the processing is based on the individual's consent or for the performance of a contract.
When processing is carried out by automated means.
SUBJECT ACCESS REQUEST
In most cases we should not charge for a request.
We have a month to comply rather than the current 40 days.
We can refuse or charge for requests that are manifestly unfounded or excessive.
If we refuse a request, we must tell the individual why and that they have the right to complain to the supervisory authority. We must do this without undue delay.
LAWFUL BASIS FOR PROCESSING PERSONAL DATA
Lawful basis in the GDPR is broadly the same as the conditions for processing in the DPA.
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must be separate from other terms and conditions. Consent has to be verifiable, and individuals generally have more rights where we rely on consent to process data.
We are not required to automatically 'repaper' or refresh all existing DPA consents for GDPR, but we need to make sure they meet the GDPR standard on being specific, granular, clear, prominent and properly documented.
We should notify the ICO and possibly other bodies if a breach has been made. We only have to inform the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals, that is, if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Failure to report a breach when required to do so could result in a fine. It is our responsibility to inform our data protection authority of any breach that risks people's rights and freedoms within 72 hours of Redcourt becoming aware of it. The UK authority is the ICO (Information Commissioner's Office). Failing to do this within 72 hours could result in a fine.
The telephone number for the ICO is 0303 123 1113.
All new staff should be encouraged to read the policy on data protection during their induction process.
Training in the correct method of entering information in service user’s records should be given to all care staff.