The General Data Protection Regulation (GDPR) is widely regarded as the gold standard for data privacy and protection around the world. The regulation came into effect on 25 May 2018, and enforcement for breaches can be harsh, to say the least. Just look at what happened to a pharmacy last year when it failed to store over 50,000 documents securely, documents that contained care home patients' names, addresses, dates of birth, NHS numbers, medical information and prescriptions.
In the UK, the GDPR is complemented by the Data Protection Act 2018, and it is important that you are aware of your obligations under both.
As a home care agency, you could have thousands of client records, all containing personal information. When you store these online, using a care management system, you need to make sure that you choose a provider that not only meets the legal requirements, but places great emphasis on the protection of data. As a care manager you have a responsibility to protect your clients' personal data and ensure that the care management system that you choose is secure.
Breaching the GDPR as a home care agency can have serious repercussions, which is why we created this article: to explain how you can make sure you are in line with the regulations when you switch to Birdie's care management system. This blog covers just some of the most important measures we take; you can read the full statement on our website.
GDPR, data security and your care management software
If you’re making the switch to care management software, you might be wondering about the safety and security of storing everything online. The CQC states that when you use a digital records system (or a care management system) all records must comply with:
- Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014
- Data protection legislation (including GDPR, and Data Protection Act 2018) requirements
- Accessible Information Standard
- Data Security and Protection Toolkit (where providers have access to NHS patient data and systems).
How Birdie’s care management software helps you with compliance to data protection regulations
Data protection by design
Birdie's care management system helps you to meet the requirements of the CQC, the ICO and the GDPR/DPA 2018, and we have also achieved Cyber Essentials certification. We have a Data Protection Officer (DPO) to oversee and advise on our data management, we don't ask for or collect personal data unless it is absolutely necessary, and we pseudonymise or anonymise data where appropriate to protect your care recipients.
Data protection by design and default is built into all the work we do at Birdie. As a processor of your data we ensure that the functionality of our software is such that you only ever collect the amount of data that you need for a given purpose. All our capabilities that may give carers or other users access to personal data are defaulted to 'off', and only switched on by you, or upon your instruction.
Our highly qualified Data Protection Officer (DPO) is involved in all our development projects at an early stage and on hand to offer us advice and training when needed. She works to oversee our compliance with the GDPR/DPA2018 using the ICO Accountability framework.
We carry out Data Protection Impact Assessments on all projects likely to be considered high risk, and projects do not go into production until all risks have been mitigated.
Secure access and permissions
Logging in to Birdie is secured by a one-time authentication link. Permission levels within the app can be set for your staff so that only carers you have invited can access a client's information. These permissions default to the most restrictive level and can only be widened by an affirmative action by you. Third-party (professional) access is controlled in the same way, and we describe it in more detail separately.
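The one-time authentication link mentioned above is a common login pattern, and it is worth knowing what a sound implementation of it looks like when you assess any provider. The following is an added, illustrative implementation written for this article; it is not Birdie's code and says nothing about how Birdie's link works internally. It shows the properties a practitioner should check for: a token from a cryptographically secure generator, only a hash of the token stored server-side, a short expiry (the 15-minute lifetime, the application host and the `id`/`token` parameter names are all assumptions), a constant-time comparison, and strict single use so a replayed link fails.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Lifetime of a link. Assumed value for this example; the article does not
# state what any particular product uses.
TOKEN_TTL_SECONDS = 15 * 60

# Hypothetical application origin used to build the link.
APP_ORIGIN = "https://app.example.invalid"


@dataclass
class PendingLogin:
    """Server-side record for one outstanding link. Only the token's hash is
    stored, so a leaked copy of this table cannot be replayed as a login."""
    token_hash: bytes
    email: str
    expires_at: float


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode("ascii")).digest()


class MagicLinkStore:
    """Issues and redeems one-time login links.

    The clock is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, PendingLogin] = {}

    def issue(self, email: str) -> str:
        """Create a link for `email` and return the URL to send to that address."""
        login_id = secrets.token_urlsafe(16)   # public lookup key
        token = secrets.token_urlsafe(32)      # 256-bit secret, sent only in the link
        self._pending[login_id] = PendingLogin(
            token_hash=_hash_token(token),
            email=email,
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return f"{APP_ORIGIN}/login?id={login_id}&token={token}"

    def redeem(self, login_id: str, token: str) -> Optional[str]:
        """Consume the link. Returns the authenticated email, or None if the
        link is unknown, expired, already used, or the token does not match."""
        record = self._pending.get(login_id)
        if record is None:
            return None
        if self._clock() > record.expires_at:
            del self._pending[login_id]       # expired links are never valid again
            return None
        # Constant-time comparison of hashes: the lookup key is public, so the
        # secret part must not be compared with ==.
        if not hmac.compare_digest(record.token_hash, _hash_token(token)):
            return None
        del self._pending[login_id]           # single use: a replayed link fails
        return record.email

    def outstanding(self) -> int:
        """Number of links issued but not yet redeemed or expired-and-seen."""
        return len(self._pending)


def parse_link(url: str) -> Tuple[str, str]:
    """Split a link back into (login_id, token), as the login endpoint would."""
    query = parse_qs(urlparse(url).query)
    return query["id"][0], query["token"][0]


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Issue one link and redeem it twice; the second attempt must fail."""
    store = MagicLinkStore()
    url = store.issue("manager@agency.example")
    login_id, token = parse_link(url)
    first = store.redeem(login_id, token)
    second = store.redeem(login_id, token)
    return first, second


if __name__ == "__main__":
    print(demo())  # ('manager@agency.example', None)
```

The point of the design is that the link itself is the only place the secret exists in clear: the server keeps a hash, the link dies on first use or after the TTL, and a wrong token neither authenticates nor reveals, through timing, how close the guess was.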
All data sent to or from Birdie is encrypted in transit using TLS with 256-bit cipher suites. Our API and application endpoints accept TLS connections only, with no plaintext HTTP, and at the time of writing score an "A" rating in Qualys SSL Labs' tests. Data at rest is encrypted with the industry-standard AES-256 algorithm.
Penetration testing against cyber attacks
We have a dedicated infrastructure team, and it’s their job to make sure that the Birdie platform is secure and available at all times. Once a year we get third-party security experts to perform detailed penetration tests on the Birdie application and infrastructure. (The last penetration test was performed in November 2020 by KPMG).
Data hosting and storage
Birdie services and data are hosted in Amazon Web Services (AWS) facilities in the UK (the London region, eu-west-2). All of our infrastructure and data are spread across two AWS availability zones, so the service will continue to work should either zone fail.
Database backups of Birdie’s production system are taken regularly and prior to any major upgrade or configuration change to Birdie. These backups are stored in a different location to our data centre, which allows, in the event of a disaster, the creation of a replica environment within a minimal period of time.
24/7 incident response
We recognise that Birdie may be critical to the wellbeing of your customers and business. That's the reason why we have on-call engineers available at all times. Our team works to a defined protocol for handling security events and we operate a support ticketing system allowing administrators and users to report any issues or errors they encounter while using Birdie’s web-based solution.
Data Protection Impact Assessments (DPIA)
DPIAs are performed prior to any new project where data processing is “likely to result in a high risk to the rights and freedoms of data subjects”. We do this to make sure that we’re always in control of our risks and we have procedures in place to mitigate them. We are also on hand to support you with your DPIAs if needed.
We have a robust data anonymisation process
Research is hugely important to developing the Birdie care management system. If we intend to use any of our data for research purposes it will be on an anonymised basis.
Data sharing and transfers
Like most companies, we use a number of third parties as part of our data processing, for example cloud services and technology services. We have a due diligence process for all our vendors, and every sub-processor of personal data has a Data Processing Agreement in place. Those DPAs are scrutinised by our DPO and must be approved by the senior leadership team prior to signing. Where data is transferred outside the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses and the associated due diligence. We do not sell your data to anybody.
I hope this blog has answered your questions about keeping your data safe when using Birdie’s care management system. If you have more questions, you can always email us at email@example.com.