Please note that these resources are regularly updated, so it is important that you check regularly to ensure you are working with the most up-to-date version.
These are the presentations that were shown at the GDPR events, hosted by NCF, Skills for Care and the Care Provider Alliance.
Click on the links to download the presentations.
During the events, speakers made reference to the forthcoming Data Security and Protection Toolkit. This has not yet been published; however, a series of resources has been prepared to support providers in complying with the finalised toolkit. These resources can be accessed here
Cyber Security Guidance - Produced by CPA in collaboration with the Social Care Programme at NHS Digital. For extra information about cyber security, the guidance includes links to web pages from Government approved organisations. They also contain important information about other areas such as: The Data Security and Protection Toolkit (replacing the existing Information Governance Toolkit April 2018) and GDPR (applies from 25th May 2018). Please see ‘5. Resource Library’ for more details.
This guide was a key focus of discussion at the GDPR events which NCF has been involved with. You can find Skills for Care’s cyber security guide available for download here
How to access e-Learning for Healthcare programmes - Health Education England e-Learning for Healthcare (HEE e-LfH) works in partnership with the NHS and professional bodies to support patient care by providing e-learning to educate and train the health and social care workforce. All content is nationally quality-assured and available free of charge to all relevant users in health and social care (including care homes run by the independent sector).
The programmes are available on the e-LfH Hub which records user activity, enabling learners to run reports on all their learning activity and build a transferable life-long learning portfolio. Access to the whole library of content is available 24/7 from any device with an internet connection.
The data protection fee - a guide for controllers - from ICO
The Information Commissioner’s Office (ICO) is the independent supervisory authority set up to promote and oversee compliance with data protection legislation in the UK. This guidance deals specifically with the requirements of the 2018 Regulations. These were laid before Parliament on 20 February 2018 and are still in draft form. We have produced this guidance in line with the draft regulations to give controllers as much time as possible to work out what fee, if any, they are likely to need to pay under the new regime. However, the 2018 Regulations are still subject to Parliamentary approval and may be subject to change. We therefore intend to update this guidance before 25 May 2018.
Information Governance - visit the Care Provider Alliance for further resources
Appointing a Data Protection Officer
It has been drawn to our attention that some providers who attended the Information Governance, General Data Protection Regulations (GDPR) and Cybersecurity sessions were under the impression that all care providers will need to appoint a Data Protection Officer. This is not the case and only organisations which meet the criteria set out in the GDPR will be required to appoint a DPO.
Anthony Collins Solicitors have confirmed that there is a great deal of uncertainty about this requirement and in particular the meaning of “large scale”, especially since the guidance as to what is not large scale only references data processing by an individual. Organisations need to consider whether they fall under one of the categories set out in article 37 of the GDPR. These are where:
“(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
The Article 29 Working Party has issued guidance on these requirements which is available here
It is important that organisations evaluate the criteria and record the reasoning behind their decision on whether to appoint a DPO or not. They should also revisit this decision if circumstances change in the future. You may obtain legal advice which is tailored to your organisation and Anthony Collins Solicitors would be happy to help.
Please follow this link to access the updated slides from these events: Slides above
Q: Do Attorneys have the power to make a subject access request?
A: In most circumstances, yes.
In theory, any third party can make a subject access request on behalf of an individual provided they have sufficient authority. This could be as simple as a letter signed by the individual, provided the individual (i.e. the data subject) has the capacity to grant the permission. If providers are in doubt, they should request a copy of the written authority relied upon by the person making the subject access request.
The ICO has confirmed “it is reasonable to assume that an attorney with authority to manage the property and affairs of an individual will have the appropriate authority [to make a subject access request]” and the same would apply to a Property & Financial Affairs Deputy. Importantly, an LPA can be granted and used by the attorney whether the individual has capacity or not - this depends on the wording of the LPA itself.
The ICO is silent on Welfare Lasting Powers of Attorney and Deputies. For welfare attorneys/deputies, providers may want to limit the information provided (under the subject access request) to that which relates to health, welfare and medical information. This is the type of information that the welfare attorney/deputy would need to make an informed decision about the individual’s health and welfare. However, this is probably not worth ‘over thinking’ as providers will often be able to rely on their experience and recognise when data should and shouldn’t be shared appropriately.
Obviously, making a subject access request is different to the normal process of consulting with friends and family members when making best interests decisions and complying with providers’ duties under the Care Act and the two processes should not be confused.