GDPR stands for the General Data Protection Regulation, the set of rules from the EU that updates data protection for all EU citizens and came into effect on 25 May 2018. It updates the data protection regulation we currently have in the UK and is basically aimed at giving people back control over their personal data in a ‘one-stop shop’.
Following Brexit, the original GDPR has been retained in UK law as the UK GDPR, as of 28 June 2021.
Some small businesses are exempt from certain requirements of GDPR, but not care services. This is because health data is classed as 'special category' data and has stricter requirements as a result.
Because you hold and manage your residents' data, you will become classified as a Data Controller.
This means you will have to:
You need to be aware that Log my Care is now a place where you will be storing resident data.
All data is securely stored in the cloud and up-to-date with all current regulatory requirements.
All activity carried out through the careoffice.logmycare.co.uk website (the “Care Office”) and the Log my Care App (the “Carer App”) is recorded, giving you an audit trail should you need it.
Data portability is built into the system by design, so you can extract your data as needed.
We have built Log my Care to meet all new data protection requirements from the ground up.
When using the Care Office, you will be required to enter a password to gain access.
Users of the Carer App will be prompted to enter a 4-digit PIN code to gain access. Additional security can be added to the App, through the use of 'shift passwords' that users will also be prompted to enter (if activated).
We are required to inform you if any data breach does happen, so you will be in the know if anything were to go awry.
We have a robust set of privacy policies detailing what we do with data.
We advise you to:
There are 8 rights of individuals that are core to the GDPR that you need to be aware of as a care provider. We make it easy to comply with each one:
Data subjects have the right to know basic information about how you are holding their data and who the processor is. We can provide you with a template laying out what Log my Care is and how it works; you can easily adapt it and send it to those who need to know.
You must be able to answer questions that data subjects have about their data or provide a copy of the data you hold on them. It's easy to get a copy of the data from Log my Care, just email email@example.com and one of our team will help.
You can be asked to fix/update any errors in the data you hold on someone. In Log my Care, this is as easy as updating their profile.
You can be asked to delete all the personal data you hold on someone. Our understanding is that you should still comply with the requirements of the Care Homes Regulations 2001 (e.g., hold data for 3 years after last entry for adults and 80 years for children) before deleting a resident's data. When needed, you can delete all of the data you hold in Log my Care for a resident.
Data subjects can request that you stop processing their data in certain ways e.g., they could ask you to stop using a system like ours and go back to paper to manage their care records, if they really wanted to!
Data subjects can ask for their data in a form that can be taken to another processor. We make this nice and easy with our Excel export function.
If data subjects feel that you do not have legitimate grounds to process their data, they can ask you to stop.
We do not use automated decision-making, so that’s an easy one!
We have incorporated GDPR principles of privacy into our design and security when building our product and processes.
We protect data with AES-256 encryption, SSL technology, PIN/password requirements for every member of staff and our novel additional security layer, the ‘shift password’.
We use the same cloud provider as HMRC.
As a processor of special category health data, we worked with an accredited external Data Protection Officer (DPO), Mariel, who is one of the country's sharpest legal minds on GDPR.
We’ve been working together to help document our compliance by completing a full Data Protection Impact Assessment (DPIA) and review of our policies and procedures.
When you set the system up, we recommend that you send an email to inform the families of your residents.
You should train staff not to share passwords and to make sure they use the system appropriately, to enhance the care they provide.
You should regularly change ‘shift passwords’.
You should assess the data you are collecting and ensure you are only collecting information you need to operate.
If you have any questions about GDPR, you can contact us at firstname.lastname@example.org.