A care home in Northern Ireland has been fined £15,000 for failing to safeguard confidential data, relating to staff and residents, which was stored on a laptop and subsequently stolen from a staff member’s house.
The investigation by the Information Commissioner’s Office (ICO) revealed systemic failings in data protection at Whitehead Nursing Home in County Antrim, which it described as placing both employees and residents at risk.
The breach occurred as a result of a member of staff taking an unencrypted laptop home, which was later stolen from her house during a burglary. The laptop contained confidential information relating to almost 50 staff, including details of disciplinary investigations and sickness absence, as well as sensitive data about 29 service users.
With care services becoming increasingly reliant on IT systems for storage of confidential information, it is essential that your own data protection practices are safe and legally compliant, in order to protect both staff and service users. Failure to do so could result in a fine of up to £500,000 – read on to learn more about implementing sound data protection principles in your service.
The ICO released a document summarising its findings and recommendations for care homes in September 2015, based on its visits to a number of care providers. The publication, available from the ICO website, highlights common problems and provides additional links to sources of up-to-date information.
5 Essential Tips to Improve Your Data Protection and Avoid a Fine
- Read the ICO guidance. The document, available on the ICO website, details useful advice and, at only 15 pages long, can be used to provide an accessible briefing to staff of all grades.
- Provide staff training. All staff with access to confidential data should receive training on relevant areas of data protection as part of their induction. Access to IT systems is no longer limited to administration staff, so you should be sure to include carers and support staff in this process.
- Use only encrypted email. Using non-secure email systems to share confidential data can increase the risk of data breaches, so you should ensure that your service has access to an encrypted email account. Some care homes now have nhs.net accounts, which provide the same level of encryption used across the NHS, and this may be possible for your service via your GP surgery.
- Remember password protection. Password protection is one of the most basic aspects of managing data securely but it is still not taken seriously by all providers. Ensuring that passwords are changed regularly and not shared between staff is essential if they are to be effective.
- Seek out further guidance. An additional publication from the ICO, aimed at small businesses, entitled ‘A Practical Guide to IT Security’, provides a more detailed overview of steps you can take to improve your data protection and is available on the ICO website.