covid banner

Care home briefing 151 – How to handle personal data

In an increasingly digital age, it is obviously important to ensure that personal data is properly managed. Regulators are increasingly tough where breaches arise.

The Information Commissioner’s Office, a regulator responsible for ensuring that organisations comply with the Data Protection Act 1998, has visited several residential care homes in order to understand how they are processing and storing personal data. Below is a summary of their advice on how care home operators can improve their data protection practices.

Implement formal policies and procedures

To ensure compliance with data protection requirements care home operators should implement formal policies and procedures to inform staff of how personal data is to be processed. Training should include mandatory induction sessions and annual refresher training, as well as specialist training for staff in key roles, which is recorded in training logs and reviewed on a regular basis. There should be a high level of communication between employers and employees to ensure that employees understand their responsibilities for data protection.

Care home operators are encouraged to adopt a level of transparency with regard to their data protection practices and inform patients how their data will be used, who it will be shared with and how it can be accessed.

Minimise the risks

Once care homes are set up to share personal data with other care homes and local authorities, care home operators need to reduce the risks associated with data sharing.

Formal policies should be introduced to stipulate when information can be shared, how to deal with access requests, who is allowed to authorise sharing, what security measures need to be in place and how any sharing is to be recorded. With the widespread sharing of data, emails should be encrypted to protect personal data from being intercepted, or accessed by an unintended recipient.

The ICO has, in fact, suggested removing fax machines in favour of a secure electronic solution such as this, to remove the risk of sending information to the wrong recipient. Portable devices that store personal data, including laptops or mobile phones, also pose a high risk to data security and should use encryption to restrict access.

Manage secure systems

Care home operators must ensure that they do not hold personal data for longer than is necessary and it is important that any retention schedule in place applies to electronic client records as well as manual records. A retention schedule should set out the requirements for recording, justify the retention of records, set out any exceptions, specify who is responsible for destroying records and list appropriate disposal methods. Care home operators should have the procedures in place so that they are ready to identify and dispose of personal data as soon as it is no longer required.

Whilst personal data is held, a generic shared login for all staff members with a simple password does not offer adequate protection. Access to records should be restricted to only those that require the information and each staff member should be given a complex password to be changed regularly. Care home operators should also restrict staff access to USB ports and DVD/CD drives and log any information transfers.

Any offices where personal data is stored should be either staffed or locked when unattended with access restricted to staff on duty to prevent unauthorised access. Care home operators may also consider the use of CCTV surveillance to increase security should this be a proportionate response to the issue.

Review data protection practices

It is important to remember that the internal reporting procedure required by Ofsted applies to incidents of loss of personal data as well as care incidents. Such reports allow management to monitor incidents in relation to personal data, assess their frequency and identify potential weaknesses in their processes. Any policies, procedures, training or agreements need to be reviewed on a regular basis to ensure that they are up to date and fulfil the needs of the care home and the patients. Care home operators are urged to carefully consider their obligations in relation to personal data and seek legal advice, if necessary, to ensure that they meet the requirements of the Data Protection Act 1998.

For more information or guidance, please contact:

Andrew Parsons
Partner and Head of Healthcare – Providers 
T. 020 7227 7282

Lucy Bridger
Trainee Solicitor
T. 020 7227 7348


This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.

Briefing tags ,