Worcestershire out-of-hours
Worcestershire out-of-hours

Care UK Healthcare and our preparations for GDPR

May 22 2018

You will have seen the mention of GDPR in some form, in one place or another, but do you really know what it means? Below we will outline what GDPR is and what Care UK is doing to get ready for the new legislation that is set to go live on the 25th May 2018.

Care UK GDPR Statement May 2018

What is GDPR?

The General Data Protection Regulation (GDPR) is an update to the existing Data Protection Act 1998 and aims to bring data protection regulations into the internet age. It aims to enable individuals to better control their personal data. It also encourages organisations to think harder and more carefully about how they handle and process personal data.

We already have strong Information Governance practices due to the nature of the services that we provide.  As such, the new legislation represents an evolution rather than a revolution. 

What is Care UK doing?

As an organisation we take issues of information governance and data privacy very seriously and already have them at the heart of what we do. We can confirm that we have had a project team working on a project plan for several months to ensure that we are ready for the new legislation.

We are happy to share with you the following high level overview of some of the steps we’re taking to address the forthcoming changes in data privacy law:

Raising awareness

We have been raising awareness of GDPR across our organisation through:

  • the delivery of bespoke training,
  • updating our corporate IG training modules,
  • publishing internal newsletters and blogs on our dedicated GDPR intranet pages,
  • publishing templates for GDPR artefacts (Privacy Notices, DPIA, Information Sharing agreements) on our intranet, and
  • completing the revised IG toolkit made available by NHS Digital.

We’re revisiting all our policies such as our Subject Access Request policy and our data breach management policy to ensure that they are compliant with the new GDPR requirements.

We have been engaging with sector specific bodies (e.g. Information Governance Alliance), to ensure that we are aware of any relevant industry codes of practice.

Data Processing Audits

We have been conducting an extensive audit of all our systems, and documenting the data we hold and how we process that data. We have been assessing these processes against the GDPR principles such as Data Protection Impact Assessments and Privacy by Design and Default.  These are now being embedded within our standard business operational procedures.

Review of Data Security

We recognise the need to meet the confidentiality, integrity, availability and resilience principles under GDPR. Therefore we have been reviewing and updating the below to ensure that they are fit for purpose:

  • Data security standards
  • Data breach, storage and destruction policies
  • Data security action plan
  • Business continuity plan.

Data Protection Officer

We have always recognised the importance of the Data Protection Officer (DPO) and under GDPR we have reinforced and expanded this role. Our DPO reports directly to our SIRO.

Policy and Contract Review

We’re reviewing and updating our policies to ensure that they meet the new GDPR requirements to adequately support our staff and business under the new regulations:

  • Data and privacy related policies and procedures
  • Data sharing agreements and process
  • Data processing and privacy notices
  • Cookie policies and website terms.

We are reviewing and revising our own contractual terms and conditions to align with the GDPR requirements.

We have reviewed contracts put forward by our partners to ensure that they meet these standards and reflect the requirements of GDPR.

Useful links

NHS Digital

IGA Guidance

ICO GDPR Guidance

EU Wp29 Group