GDPR


Care Control and The GDPR

The European General Data Protection Regulation (EU GDPR) comes into force in May 2018. Under the new regulation, Care Control is defined primarily as a Data Processor and as such has some specific responsibilities. Most of our clients (Care Service Organisations) would be defined as Data Controllers.

Article 4 of the EU GDPR defines the two roles as follows:

Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

The changes Care Control has made to ensure that we remain compliant with the GDPR are set out below, area by area:

Consent

A separate section of our agreement specifically covers the GDPR.

Anyone using the Care Control Service is able to withdraw consent.

Clear and concise language is used in all documents that detail our and your obligations with regard to data protection.

Breach Notification

Access to our data services is monitored daily. Any breach in access will be notified to all affected parties within 72 hours.

Right to Access

Under the new regulation, data subjects (staff, service users) have a “right to access”. Care Control will provide access to any data subject whose data we store, once security verification checks have been completed.

Data Controllers are able to extract data on behalf of data subjects if requested.

Data is provided free of charge in CSV format, which can be read by many electronic viewing systems.

Right to be Forgotten

The regulation is clear that where data is no longer relevant, the data subject has the right to be forgotten. Care Control provides the ability for information to be removed.

However, the GDPR contains a specific exception for health care data processing.

Article 9, Section 2, Sub-section H allows health care data controllers to retain information.

The regulation reads: –

“processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”

In practice this means you must retain information specific to the health care you have provided, so that any investigation into the service you provided can still take place.

Data Portability

Care Control provides access to information as a CSV extract. This applies even if a data controller (Care Service) stops using Care Control.

Privacy by Design

All systems developed within Care Control now take the GDPR into account. Encryption is used so that data is protected both when stored locally and when transmitted.

Our systems require at least two stages of access control, and Data Controllers can “switch off” access immediately if required.

Data Protection Officer

Care Control has appointed a data protection officer to be a point of contact for any specific data protection issues. Please contact data@carecontrolsystems.co.uk for any data protection enquiries.
