Please note: these resources are being regularly updated, so it is important you regularly check to ensure you are working with the most up to date version.
These are the presentations shown at the GDPR events, hosted by NCF, Skills for Care and the Care Provider Alliance.
Click on the links to download the presentations.
During the events, speakers made reference to the Data Security and Protection Toolkit. This has now been published. There are also a series of resources that have been prepared to support providers in complying with the finalised toolkit. These resources can be accessed here.Other Resources
Cyber Security Guidance – Produced by CPA in collaboration with the Social Care Programme at NHS Digital. For extra information about cyber security, the guidance includes links to web pages from Government approved organisations. They also contain important information about other areas such as: The Data Security and Protection Toolkit (replacing the existing Information Governance Toolkit April 2018) and GDPR (applies from 25th May 2018). Please see ‘5. Resource Library’ for more details.
This guide was a key focus of discussion at the GDPR events with NCF has been involved with. You can find Skills for Care’s cyber security guide available for download here.
How to access e-Learning for Healthcare programmes – Health Education England e-Learning for Healthcare (HEE e-LfH) works in partnership with the NHS and professional bodies to support patient care by providing e-learning to educate and train the health and social care workforce. All content is nationally quality-assured and available free of charge to all relevant users in health and social care (including care homes run by the independent sector).
The programmes are available on the e-LfH Hub which records user activity, enabling learners to run reports on all their learning activity and build a transferable life-long learning portfolio. Access to the whole library of content is available 24/7 from any device with an internet connection.
The data protection fee – a guide for controllers – from ICO
The Information Commissioner’s Office (ICO) is the independent supervisory authority set up to promote and oversee compliance with data protection legislation in the UK. This guidance deals specifically with the requirements of the 2018 Regulations. These were laid before Parliament on 20 February 2018 and are still in draft form. We have produced this guidance in line with the draft regulations to give controllers as much time as possible to work out what fee, if any, they are likely to need to pay under the new regime. However, the 2018 Regulations are still subject to Parliamentary approval and may be subject to change. We therefore intend to update this guidance before 25 May 2018.
Information Governance – visit the Care Provider Alliance for further resources
The UK Caldicott Guardian Council is putting on a free to attend day workshop on info sharing with relatives and others in central Leeds on Friday June the 8th this year. It is specifically for small-scale settings such as Care Homes, Hospices and Domiciliary agencies. The main presentations are from professional trainers. All the workshop details and how to register for this free event can be found here.Appointing a Data Protection Officer
It has been drawn to our attention that some providers who attended the Information Governance, General Data Protection Regulations (GDPR) and Cybersecurity sessions were under the impression that all care providers will need to appoint a Data Protection Officer. This is not the case and only organisations which meet the criteria set out in the GDPR will be required to appoint a DPO.
Anthony Collins Solicitors has confirmed that there is a great deal of uncertainty about this requirement and in particular the meaning of “large scale”, especially since the guidance as to what is not large scale only references data processing by an individual. Organisations need to consider whether they fall under one of the categories set out in article 37 of the GDPR. These are where:
“(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
The Article 29 Working Party issued guidance on these requirements.
It is important organisations evaluate the criteria and record the reasoning behind their decision on whether to appoint a DPO or not. They should also revisit this decision if circumstances change in the future. You may obtain legal advice which is tailored to your organisation and Anthony Collins Solicitors would be happy to help.
Please follow this link to access the updated slides from these events: Slides above.Q: Do Attorneys have the power to make a subject access request?
A: In most circumstances, yes.
In theory, any third party can make a subject access request on behalf of an individual provided they have sufficient authority. This could be as simple as a letter signed by the individual, provided the individual (i.e. the data subject) has the capacity to grant the permission. If providers are in doubt, they should request a copy of the written authority relied upon by the person making the subject access request.
The ICO has confirmed “it is reasonable to assume that an attorney with authority to manage the property and affairs of an individual will have the appropriate authority ” and the same would apply to a Property & Financial Affairs Deputy. Importantly, an LPA can be granted and used by the attorney where the individual has capacity or not – this depends on the wording of the LPA itself.
The ICO is silent on Welfare Lasting Power of Attorneys and Deputies. For welfare attorneys/deputies providers may want to limit the information provided (under the subject access request) to that which relates to health, welfare and medical information. This is the type of information that the welfare attorney/deputy would need to make an informed decision about the individual’s health and welfare. However, this is probably not worth ‘over thinking’ as providers will often be able to rely on their experience and recognise when data should and shouldn’t be shared appropriately.
Obviously, making a subject access request is different to the normal process of consulting with friends and family members when making best interests decisions and complying with providers’ duties under the Care Act and the two processes should not be confused.
; 
