General Data Protection Regulations (GDPR)

General Data Protection Regulations (GDPR)

How does the Data Protection Act 1998 and the General Data Protection Regulations (GDPR) apply to data collected via the Adult Social Care Workforce Data Set (ASC-WDS)?

Like the Data Protection Act (DPA), the General Data Protection Regulations (GDPR) that will be operative from May 2018 apply to 'personal data'.

The information about staff in the Adult Social Care Workforce Data Set is defined as personal data.

Under the DPA and GDPR the processing of data (e.g. uploading by employers, collection and analysis by Skills for Care) must be Fair and Lawful and the data used/processed only for its intended purpose.

Under what grounds of the Data Protection Act does Skills for Care collect staff data?

Under the DPA the grounds for lawful processing of personal data from ASC-WDS are that it is in the legitimate interests of the data controllers to do so and for sensitive personal data (DPA) i.e. ethnicity and disability, it is done so in order to "comply with legal obligations related to employment" and/or "equality and diversity monitoring". Skills for Care is funded by the Department of Health and Social Care (DHSC) to process the data. Employers receive a range of benefits from processing the data e.g access to dashboard reports, access to WDF etc. and hence it is in their legitimate interests to do so.

How did this change under the General Data Protection Regulations (from May 2018)?

Under GDPR Skills for Care rely on the condition that "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller". Skills for Care is collecting the data on behalf of DHSC who have responsibilities for strategic workforce planning for health and social care.

For employers they can rely on lawful processing under GDPR where it is "necessary for the purposes of legitimate interests pursued by the controller or a third party, (except where such interests are overridden by the interests, rights or freedoms of the data subject)". Skills for Care can also rely on this ground in addition to the public interest ground.

What about special categories of data under GDPR (now termed sensitive personal data under the DPA)?

For special categories of data (ethnicity and disability) employers will be able to rely on the fact that "Processing is necessary for carrying out obligations under employment, social security or social protection law". Skills for Care will also be able to rely on this condition as the processing is necessary to assist in the monitoring of the fulfilment of obligations under employment law (i.e. equal opportunity and diversity monitoring).

Does Skills for Care or employers need consent from the workers (data subjects) whose personal information is being collected?

No. As can be seen above neither employers nor Skills for Care need to rely on consent of the data subjects i.e. for the processing of their data but they should be informed why and how their data is being processed by their employers. Skills for Care also has three privacy notices informing workers why and how their data is being processed by Skills for Care.

How does all of this affect Skills for Care's analysis of the data?

The data that Skills for Care analyse has been pseudonymised i.e. the individual cannot be identified in the output analysis files from the ASC-WDS data base. The date of birth and National Insurance number are used within the data base to produce a unique identifier (through an algorithm) for the worker record that means the worker cannot be identified. Any published analysis is aggregated data e.g. a data analysis across an Area. This means that no individual can be identified.

Can Skills for Care share the raw data sets with researchers or others with a legitimate interest?

If Skills for Care share data from the ASC-WDS for statistical research purposes i.e. pseudonymised data sets then it will be done so subject to a data sharing agreement (DSA) signed by both Skills for Care and the organisation it is being shared with. The DSA will cover the intended use of the data, how the anonymity of the data subjects will be safeguarded, destruction of the data when no longer needed, and publication of any further secondary analysis (i.e. Skills for Care's right to have sight prior to publication and to comment on whether the conclusions drawn are reasonable).

Is Workplace data (e.g. from a residential care home) derived from ASC-WDS such as average pay levels or number of actual occupants personal data?

No, but it is likely to be commercially sensitive and therefore will be strictly protected by Skills for Care.

What about Workplace contact details?

This is not personal data or commercially sensitive and is in the public domain e.g. through the Care Quality Commission register or advertisements.