The use of data is a hot topic right now. Working in the UK social care sector, it greatly concerns me when I see news stories on how data is stored and used by some businesses, more often than not without the consent or knowledge of those it has been extracted from.
One highly anticipated and ongoing case on the use of people’s data is the landmark case alleging Google illegally tracked millions of iPhone users, which is now set for the Supreme Court. It will decide if Richard Lloyd, the complainant and former director of consumer rights group Which?, can bring the case against the search engine behemoth on behalf of those affected. Mr Lloyd alleged that between 2011 and 2012 Google cookies collected data on health, race, ethnicity, sexuality and finance through Apple’s Safari web browser, even when users had chosen a “do not track” privacy setting.
Although a judgement is not expected for weeks, if the case is allowed to go ahead, with the aim to get compensation for the 4.4 million affected people, many others are likely to follow, causing major ramifications for companies using people’s data unethically. Indeed, TechUK, which represents Google, believes proceeding with the case could open the floodgates for mass litigation and seriously damage firms who could face large penalties.
Time will tell whether these “floodgates” will be opened by Mr Lloyd, but the problem is, and has been for some time, how data is used once it has been collected and, in the majority of cases, has served its initial purpose. Take care providers in social and healthcare settings, for example. These are areas of work where data is highly sensitive and should be handled with the strictest confidentiality. Unfortunately, the reality is that there’s an unprecedented amount of unencrypted data held within care environments, which anyone can access in the care framework. Such sensitive data on an individual’s health needs to be kept both technically and physically secure. The problem with this, however, is that it can’t be kept physically secure if it’s stored in laptops, tablets, smartphones or files, because you can lose or break these devices.
Ultimately, the core principle of storing data in places like social care homes is fundamentally flawed. It’s important care providers are aware that data should not be held on the computers or handheld devices in the care homes due to the fact they simply cannot provide the level of security required by the Data Protection Act 2018 (DPA). The Act states that everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
It is important to note there is stronger legal protection for more sensitive information, such as health.
There are fundamental breaches of the DPA in holding on to the data for any length of time. Once the necessary data has been used and served its purpose, the care provider shouldn’t maintain a record of it.
When you break down the principles of the DPA, it’s made very clear that data usage should be fair and lawful. Care providers need to be transparent about how residents’/patients’ data is used and ensure the usage is in accordance with what people would expect, so they can make an informed decision. In an environment looking after the most vulnerable members of society, it is paramount they are given the ability to make these informed decisions.
All social care data collated or gathered must be for a specific purpose. Minimisation must be carried out in all cases of data collection too, whereby only the minimum amount of information can be kept on record. These records of data must be kept up to date and accurate, only being held by the care provider when it is specifically required. So, if you’re providing medicine to a resident, for example, there is no reason to hold on to that medicine for any longer than a couple of days. On top of that, you’ve got to keep the data physically and technically secure. A very high level of security must be used to protect the data due to the risk of breaches where an individual’s medical situation could be exposed. Ultimately, the data should not be transferred outside the DPA.
Care providers using American-based software need to ensure that the information they hold isn’t transferred outside. Confidential and sensitive data cannot be left just lying around, and it must always be secure. The only way to achieve this across the board is to not allow the care home to control the data, but to have each individual hold that data, which the care home can look at rather than control, manipulate or store.
Effectively, when it comes to digital social care technology storing resident data, some care homes claim to have person-centred systems, but in most cases, this is – whether they are aware or not – completely false. The technology is not person-centred, it’s care-centred. Genuine person-centred systems would see that no data was shared by the care home.
Care providers with doubts regarding the compliance of the software they use in relation to what is going to be a huge data breach must thoroughly review the DPA and understand its principles. If data is accessed inappropriately on a daily basis, a care home resident could be entitled to claim thousands and thousands of pounds.
If residents had access to their data and it was kept minimal and transparent, you would be providing a system that is centred around them as opposed to the care home. At a time when the complexities around data usage by companies are becoming more fragile and unpredictable, it is important to clarify there are ways to avoid getting caught in the insecure web of data harvesting, through using technology on the market that is both CQC and GDPR compliant. This technology gives control back to the resident rather than taking it away and potentially sharing and using it against its intended purposes. Smart technology given to residents on arrival at a care home, such as simple handheld tablets, can digitally record data and store it in the cloud, keeping it secure and in the hands of the resident, whose family and care home staff can access it when needed. The data is still there, but is now accessible to the resident on demand and can’t be lost, shared, corrupted, etc. Care providers using this technology no longer need to worry about breaches, and residents and their family can’t accuse them of mishandling data, or keeping hold of it longer than needed, as it’s no longer in their control. A simple solution to avoiding a substantial problem. My advice to care providers is to avoid getting lost down the rabbit hole of data do’s and don’ts by keeping everything uncomplicated – which is easy to do through such technology.
Overall, social care providers need to be aware of data breaches and use any data in accordance with the DPA to be seen as an efficient provider. Unfortunately, so many care settings across the UK have been sold software/care plans by some of the biggest companies in the industry, which have effectively put them in breach of the DPA. Mr Lloyd’s case against Google could be the tip of the iceberg in terms of people claiming compensation for data breaches, which could amount to huge sums, so it is critically important care providers don’t fall foul of how they use and store their residents’ data. Failure to do so could result in smaller, independent care homes succumbing to vast losses, and in the worst-case scenario, going under, all because they weren’t aware of the breaches or neglected them. The silver lining is that there is technology out there that works in accordance with the DPA and if care providers were using this technology, all parties could move forward in the knowledge that the data is being handled appropriately. The full DPA guidelines can be found here.