How to… keep service user data safe

Data protection expert David Taylor offers practical tips on keeping service users’ case files safe and protecting yourself from possible misconduct allegations

● Find out what data you have access to

All legal responsibility sits with the data controller, which in most cases is your employer. But this does not absolve social workers of personal responsibility, because you need to follow your employer’s definition as to which personal data you have access to, how you use it and for what purpose. Stray from these instructions and you will be guilty of the unauthorised processing of personal data. Self-employed social care workers and consultants are responsible for compliance with the Data Protection Act and must register with the Information Commissioner. Failure to do so is a criminal offence and carries a £5,000 fine.

● Record how you share data

All personal data can be shared, provided you have the authority to do so. If in doubt, obtain written authorisation from your employer specifying the data to be shared, the purpose and the recipient. When sharing personal data, make sure you keep a record of what was shared, why, with whom and how it was shared, for example by email. Avoid sharing data by telephone because the audit trail in the event of a data breach is more difficult to establish and may leave you exposed.

● Only remove from the office what you need

Ask yourself whether it is vital to take a case file with you. If it is, anonomyse the data or remove as much of the personal content as possible. The level of security you use should be proportionate to the consequences if that data is misplaced. If it is just your call sheet – a list of names and addresses – keep it in your pocket. A case file will require greater security. Take only the files you need and keep them locked in the boot of your car at all times. Only take out the specific file for the service user you are visiting and keep it in a locked bag.

● Use encryptions

When dealing with data stored on a portable electronic device, such as a laptop, smart phone or memory stick, ensure that the data is encrypted and that the device can be accessed by password only. Putting in place these security measures is your employer’s responsibility. If your mobile device fails to meet these criteria, insist that your employer rectifies this and, until it is done, leave it in the office. Your employer’s data security breach policy will tell you what to do when data are misplaced. As a general rule, make a written record, including times and dates, describing precisely what happened and how you responded. Sign and date the document and pass a copy to your line manager.

● Find further training opportunities

Make sure you have a thorough and practical understanding of the eight data protection principles and how they relate to social work. Your organisation’s data protection officer should provide updates when required. It is also vital that you are provided with a copy of your employer’s policies on information security, privacy, and data security breach management, and that you understand them. Most organisations employ a data protection specialist. This should be your first port of call when organising training. Failing that, there are private companies that can help. The Information Commissioner’s Office has more information.

David Taylor is the principal data protection act practitioner at Data Protection Consultancy

What do you think? Join the debate on CareSpace

Keep up to date with the latest developments in social care Sign up to our daily and weekly emails

Do you have a topic from your working life that you would like covered in How to? E-mail kirsty.mcgregor@rbi.co.uk

More How to… articles