Handling Information in Care Settings

Confidentiality and the secure and correct handling of personal information is crucial in all sectors, but no more so than in care settings, particularly as they process such large amounts of special categories of data such as information concerning people’s health. Care settings must look after information properly, protecting confidentiality, by managing information security and records. The potential repercussions of loss or unauthorised use of that data are significant.

What is handling information?

Service users and staff working in care settings have the right to confidentiality when sharing information with a care provider. Handling information is about the steps to be taken in order to ensure that any confidential information is handled appropriately.

There is a legal duty on care settings to protect the information kept and processed. Everyone who deals with personal data should follow specific rules; these are referred to as data protection principles.

Each care setting that handles information should have a code of practice outlining the roles, responsibilities and processes undertaken in their particular setting for information handling, so that staff follow the confidentiality rules. A code of practice also provides good practice guidance to those responsible for setting and meeting organisational policy on the handling of confidential health and care information, such as board members.

What types of information are handled in care settings?

Care settings hold many types of personal information about staff, the people they care for and their families, and third parties who they engage with.

This information includes:

Sensitive personal data – Personal data is any information in any medium that relates to a living person who is or who has been involved with an organisation. In a care setting, it would include information about service users and staff.

Sensitive personal data relates to things such as:

• For service users, for example:
  – Care details, treatment options, health information, etc.
  – Physical or mental health details.
  – Age and date of birth.
  – Ethnic or racial origin.
  – Political opinions (gained perhaps when assisting voting).
  – Religious or other similar beliefs.
  – Sexual orientation.
• For staff, for example:
  – Personal details including date of birth, address, contact details, NI number etc.
  – Employment records.
  – Sickness records.
  – Trade union membership.
  – Disciplinary records or the (alleged) assertion of any offence, etc.
  – Appraisals.
  – Training and qualifications.

Other information and records – This is information that is not of a sensitive personal nature but that is or can be confidential

For example:

• Policies and procedures.
• Information about the service such as contracts etc.
• Communications with other agencies and professionals, for example the Care Quality Commission (CQC), NHS, local authority, etc.
• Contact details for, and communications with, relatives/friends of service users.
• Health and safety records.

In short, confidential information usually falls within these three categories:

• Information that identifies a person.
• Information that may help to identify a person.
• Information that is held in confidence.

In a care setting, records need to be kept for the purposes of, for example but not limited to:

• Capturing important information that otherwise might be lost.
• Contributing to positive outcomes for the people receiving the service.
• Demonstrating accountability.
• Keeping track of events.
• Monitoring, reviewing and quality assurance.
• Promoting information exchange and communication.
• Providing evidence of compliance to the Care Quality Commission.
• Showing how decisions were made.
• Staff records for employment purposes.

Service users and staff have the right to know what information is being kept about them, why it is kept and whether or not it is accurate or necessary.

How to handle information in care settings

Information handling includes any processes involved with any information attained by the care setting.

This includes:

• Receipt of the information from its source.
• Circulation.
• Reviewing, editing or making changes.
• Transcribing.
• Categorising, indexing, filing and storage whether physically or electronically.
• Retrieval.
• Presentation and/or reporting.
• Data processing.
• Telecommunications such as for purposes of sharing information including, but not limited to, emailing, via the telephone, via a drop box etc.
• Archiving.
• Disposal.

When you are handling information in a care setting you must, at all times, respect people’s right to confidentiality. Whenever a service user tells a member of staff anything, unless they make it explicit that the information can be shared, the information should be considered confidential and not passed to any third party without the permission of the care user.

The commitment to confidentiality also requires care settings to take certain precautions with service user and staff personal information that is kept on file or computer. It must be handled in such a way that it is not accessible to anyone who does not have the authority to access it.

All confidential information should only be kept by a care setting for the legally required period of time and must be archived and disposed of securely.

What is required when handling information in care settings?

Care settings should establish and use standards for handling information, and document these in their policies and procedures. All staff handling information should have participated in information handling training relevant to their role.

A care setting must have secure data storage systems for all information that it handles, whether this is physical storage such as filing cabinets or electronic storage such as computers, USB drives or external hard drives. Physical storage should be lockable and kept locked, and electronic storage systems should be encrypted.

When handling information in a care setting, consent needs to be gained in order to handle any personal information. Consent needs to be informed, which means that the service user has enough information to make a decision about whether they give their permission for their information to be handled and possibly shared with other people. CQC Regulation 17(2)(c) states that accurate consent records must be kept and “include when consent changes, why the person changed consent and alternatives offered”. The ICO recommends that documentation should include who consented, when, how, and what they were told.

All information handling and processing must be lawful, fair and transparent. This means that all processing should be based on a legitimate purpose, the care setting must take responsibility and not process data for any purpose other than the legitimate purposes, and they must inform data subjects about the processing activities on their personal data.

What acts cover handling information in care settings?

Now the Brexit transition period has ended, there are two versions of the General Data Protection Regulation (GDPR)  that UK organisations might need to comply with: 

• The UK General Data Protection Regulation (GDPR), which, with the Data Protection Act 2018 (DPA), applies to the processing of UK residents’ personal data.
• The EU General Data Protection Regulation 2016 (GDPR), which continues to apply to the processing of EU residents’ personal data.

The key principles of these Acts are:

• DPA – Personal data shall be:
  – Processed fairly and lawfully.
  – Processed for limited purposes and in an appropriate way.
  – Relevant and sufficient for the purpose.
  – Accurate and kept up to date.
  – Kept for as long as necessary and no longer.
  – Processed in line with the individual’s rights.
  – Kept secure.
  – Only transferred with other countries with adequate protection (EEA).
• GDPR – Personal data shall be:
  – Processed fairly, lawfully and in a transparent manner.
  – Collected for specified, limited purposes.
  – Adequate, relevant and limited to what is necessary.
  – Accurate and kept up to date.
  – Kept in a form which permits identification for as long as necessary and no longer.
  – Processed in a manner that ensures appropriate security.

Legislation that relates to recording, storage and sharing of information

As well as the General Data Protection Regulation and the Data Protection Act 2018, there is other legislation that a care setting needs to comply with when recording, storing and sharing information.

This includes:

• The Human Rights Act 1998 – The Human Rights Act gives every individual the right to respect for their private and family life. This includes having any personal information held in confidence. This right, however, is not absolute and can be overridden if necessary, such as for a safeguarding concern.
• The Care Act 2014 – Under the Care Act, care settings have a duty of care to share information when they have a safeguarding concern. Under the Act, care settings should always seek consent to share information wherever possible. There are times when it is allowed to not inform the service user that their information is going to be shared.

People often wrongly think it is the Freedom of Information Act 2000 (FIA) that gives them the right to their personal information; however, the UK GDPR and the DPA 2018 exist to protect people’s right to privacy and include provision for requesting personal information, whereas the Freedom of Information Act is about getting rid of unnecessary secrecy.

Care settings only have to provide information about their NHS work, not sensitive confidential information following a Freedom of Information request.

Can anyone handle information in care settings?

All employees should be aware of their rights concerning their own personal data and what they must do to protect other people’s personal data. There is usually a limited number of roles in a care setting where staff handle confidential information.

The Caldicot Principals state that access to patient confidential information should be on a strict need to know basis. They also state that everyone with access to identifiable personal information should be aware of their responsibilities.

Roles and responsibilities for information handling under GDPR include:

• Data Controller – The controller is the natural person or legal entity that determines the purposes and means of the processing of personal data; for example, when processing an employee’s personal data, the employer is considered to be the controller. It is possible to have joint data controllers in certain circumstances. The key responsibility of a controller is to be accountable, that is to take actions in line with GDPR, and to be able to explain the compliance with GDPR to data subjects and the Supervisory Authority, as and when required.
• Data Processor – A natural person or legal entity that processes personal data on behalf of the controller. A processor is also called a third party. The key responsibility of the processor is to ensure that conditions specified in the Data Processing Agreement signed with the controller are always met, and that obligations stated in GDPR are complied with.
• Data Protection Officer – A DPO is responsible for overseeing the data protection approach, strategy and its implementation. In short, the DPO is responsible for GDPR compliance. It is possible that certain organisations choose not to appoint a DPO, but assign the responsibility to an existing person in the organisation. Normally, the choice of appointing a DPO, or not, is based on the scale of personal data that is processed in a care setting.
• Supervisory Authority – A Supervisory Authority is a public authority responsible for monitoring compliance with GDPR. In the UK this is the Information Commissioner’s Office (ICO).

How to implement good practice in handling information

Care settings should consider appropriate GDPR and information handling training levels for particular staff and ensure that compliance with training is effectively monitored and documented.

Here are some good practice tips for information handling:

• Consider the appointment of a Data Protection Officer with responsibility for processes and monitoring compliance with GDPR and DPA.
• Review data security measures in place, assess if there are any areas for improvement and implement recommendations.
• Consider the need for contracts when sharing information with other data controllers or whether to add liability disclaimers.
• Confirm that any outside agencies that information is shared with are GDPR compliant.
• Ensure staff are aware of the security risks involved with information handling.
• Individuals should ensure that all passwords are specific and identifiable to only themselves. They should never share passwords with other people. They should never reuse a password for different accounts. Failure to do this means that, should that password become compromised, all their accounts are put at risk rather than just one.
• Always lock computers when they are left unattended and be aware of the direction it is facing to prevent someone viewing the screen content. Due to the confidential and sensitive nature of the information held in a care setting, an unlocked, unattended computer may call into question the credibility of the care setting in protecting information. Computer security is important in all locations, both within public areas and within staff offices or homes. Locking computers protects information against unauthorised disclosure and alteration.
• Always ensure computer equipment and confidential documents are stored within a locked boot when leaving them unattended in a car.
• Never use a free public Wi-Fi connection on work equipment. Hackers will often create fake hotspots for the purpose of unauthorised access to confidential information.
• Always dispose of confidential information securely and shred paper documents.
• Always use discretion when talking, particularly about confidential topics, both face-to-face and on the telephone, and take into consideration the environment you are in.
• Never include confidential or personal data in the body of an email, as email is an unsecure means of information transfer. Place the information you wish to send in a Word document and encrypt that Word document before attaching it to the email.
• Encourage people sending you personal information to encrypt it before sending it via email.
• Never register a care setting work email address with third party websites for personal or private reasons.
• Encrypt any equipment that contains personal or confidential information such as USB drives, and do not use an unauthorised USB drive.
• Be aware of the associated risks of receiving emails such as Phishing or Malware; don’t open suspect attachments or click on links from unknown senders.

Handling information incorrectly

If care settings accidentally or deliberately lose, alter, disclose or access information without permission, this may be considered as a data breach.

Common data breaches may include:

• Staff failing to keep sensitive personal information confidential.
• People leaving confidential written records lying about.
• Personal information being sent electronically to an unsecured machine.
• Personal information displayed on a computer screen where anybody can see it.
• Staff sharing email addresses or system logins so they can see information they do not have permission to see.
• Personal information being saved on to non-encrypted memory sticks.

In the social care sector, the Information Commissioner’s Office (ICO) dealt with a total of 63 incidents of data breaches in the 2^nd Quarter of Financial Year 2021/22, that is in a three-month period between 01/07/2021 and 30/09/2021.

Of these, 49 of the incidents were related to handling information:

• 12 cases were data emailed to the incorrect recipient.
• 1 case was data posted or faxed to the incorrect recipient.
• 2 cases were failure to redact information.
• 1 case of failure to use Bcc.
• 2 cases of incorrect disposal of paperwork.
• 1 case of loss or theft of a device containing personal data.
• 16 cases of loss or theft of paperwork or data left in an insecure location.
• 11 cases of unauthorised access (non-cyber).
• 3 cases of verbal disclosure of personal data.

Consequences of data breaches may include:

• A loss of sensitive information such as someone’s medical records – If these were deleted in a data breach it could have a serious knock-on effect on the person’s medical treatment and ultimately their life.
• A financial loss – This might be to a care service user, a staff member or the care setting itself.
• Operational disruptions – Care settings will need to contain the breach and conduct a thorough investigation into how it occurred, who was involved and what systems were accessed. This process can take days, or even weeks, depending on the severity of the breach.
• Reputational damage – News of a data breach can be devastating for a care setting. If they can’t demonstrate that they have taken all the necessary steps to protect this information, trust can be called into question.
• Legal consequences – Under data protection regulations, organisations are legally bound to demonstrate that they have taken all the necessary steps to protect personal information. If this information is compromised, whether it is intentional or not, individuals can seek legal action to claim compensation. Information supervisory authorities such as the Information Commissioner’s Office (ICO) can take a range of other actions, including:
  – Issuing warnings and reprimands.
  – Imposing a temporary or permanent ban on data processing.
  – Ordering the rectification, restriction or erasure of data.
  – Suspending data transfers.
  – Imposing fines – GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover, whichever is greater, for infringements.

In most cases, any member of staff found to be responsible for a data breach may be found to have committed misconduct or, in severe cases, gross misconduct and may face disciplinary action in conjunction with their organisation’s disciplinary policy and procedures. Should a breach take place, one of the first things the ICO will ask is whether staff undergo regular data protection training.

How to access guidance and advice about handling information

One of the main sources of guidance and advice of how to handle information in a care setting should come from your own organisation’s policies and procedures on:

• Information handling.
• GDPR and Data Protection.
• Confidentiality.
• Codes of practice.

All of the Acts and legislation detailed and hyperlinked above will provide you with guidance and advice.

The Information Commissioner’s Office (ICO) provides guides and advice on Data Protection, as does the Care Quality Commission (CQC).

Digital Social Care is a group of organisations that are working together to support adult social care providers and has advice on information handling.

The Caldicott Principles provides guidance and advice about sharing information within health and social care organisations and when such information is shared with other organisations and between individuals, both for individual care and for other purposes.

In conclusion

When handling information in a care setting, the most important security measure is to have effective policies and procedures, implement them consistently, ensure that staff are aware of their responsibilities and that they have received adequate training to be able to handle information efficiently and securely.