The Data Protection Act (the Act)

The Data Protection Act (the Act) was introduced to provide protection to an individual’s information and it sets out eight principles which organisations must follow when handling personal data. This is regulated by the Information Commissioner, who can issue fines of up to £500,000 for serious breaches.

Last month the Information Commissioner’s Office (the ICO) published a report following visits during 2014 to eleven residential care homes to understand how the homes were processing personal data. Residential care homes not only have to deal with employee data, they also have to handle sensitive personal data relating to their residents.

The ICO found that the failing homes were:

  • not processing data fairly and lawfully in accordance with conditions specified in the Act;
  • keeping personal data longer than is necessary for the purpose it was obtained; and
  • not maintaining appropriate technical and organisational measures to safeguard against unauthorised or unlawful processing of personal data.

The ICO made a number of recommendations including fair processing, data protection training for staff, use of encryption, computer system security and policies on data sharing.

Michelle Hetheridge, Director and Head of Thursfields’ Care Sector team, commented, “We recognise that residential care homes already have to adhere to CQC standards and a lot of focus is given to these standards because inspections can be carried out without prior notice with the results publicised. In light of the ICO findings and potential sanctions the same amount of attention needs to be given to the handling and storing of personal data.”

Thursfields’ care sector team carry out data protection audits for care homes as well as other organisations. For further information contact
