End of Transition Period: Keeping data safe - CPA and Digital Social Care Briefing
15 January 2021
This information has been developed as part of the Care Provider Alliance guidance to adult social care providers on business continuity, including the end of the transition period. It was originally published in December 2020, and updated in January 2021.
On 31 December 2020, the UK government and the EU reached a Trade and Cooperation Agreement. The Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to six months (i.e. to the end of June 2021). In practice, the Government does not envisage the bridging arrangements being in place for more than four months.
EU adequacy decisions for the UK would allow for the ongoing free flow of data from the EEA to the UK.
As a sensible precaution, during the bridging mechanism, it is recommended that organisations work with EU/EEA organisations who transfer personal data to them to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data.
Data adequacy is a status granted by the European Commission to countries outside the European Economic Area (EEA) that provide a level of personal data protection comparable to that provided in European law. When a country has been awarded the status, information can pass freely between it and the EEA without further safeguards being required.
If the European Commission grants an adequacy decision, then no action will need to be taken by social care providers. However, this briefing will help you with contingency planning and with what to do if an adequacy decision is not reached after the six-month bridging period (to the end of June 2021).
This briefing is relevant to all adult social care providers in England.
If you have any questions or need support on the issue raised here, please contact firstname.lastname@example.org.
Actions to take
There are three key actions that all adult social care providers should take to prepare for the possibility that a data adequacy agreement is not reached by the end of the bridging period (June 2021).
1. Ensure you are compliant with UK GDPR
If you are already compliant with the EU GDPR, you are unlikely to need to do more at this stage. This is a good time to review your GDPR work to make sure that you are still compliant. There is guidance on how to make sure you are compliant with GDPR on the Digital Social Care website.
2. Check if you transfer personal data in the EU/EEA
You need to understand if you transfer (i.e. send or receive) any personal data/information to or from the EU or EEA. We think it is unlikely that many care providers will be doing this routinely.
If you send data to the EU/EEA, the UK government has stated that this can continue post-transition. No new action needs to be taken.
If you receive data from the EU/EEA you will need to work with the individual or organisation in the EU/EEA to make sure that this can continue legally.
3. Check if any of the software companies you use store personal data in the EU/EEA
- List all of the software companies you use which hold personal information. Think about whether you use any of the following: payroll software, case management software, care planning software, electronic rostering software, Cloud storage e.g. Dropbox, OneDrive or Google Drive, email, HR software, customer relationship management (CRM) software. There is a non-exhaustive list of social care software companies here.
You can use Digital Social Care’s template supplier list if this is helpful.
Or you may wish to review your information asset register or record of processing activities. You can also use Digital Social Care’s guidance on how to document your data processing.
- Ask all suppliers if they store personal data in the EU/EEA and record their answers. If they store personal data in the EU/EEA, then ask them to give you a statement on what they are doing to ensure data continuity in the event that a data adequacy agreement is not reached.
If you have services in the EU/EEA you should appoint a representative based in that country to act as your local point of contact with individuals and data protection authorities. This person cannot be your Data Protection Officer (DPO) or one of your processors.
If you have public liability or cyber insurance, you may wish to check to see if you are covered if you have a data breach caused by the lack of adequacy decision at the end of the transition period.
Areas where we are seeking additional guidance
Some social care staff and those receiving care and support services are citizens of the EU/EEA. We have spoken to the Department of Health and Social Care about processing of their data and are waiting for their response.
Ask for help
If you have any questions or need support on this issue, please contact email@example.com
Sign up for Digital Social Care’s e-newsletter to get regular updates on this, and related data and digital issues for the care sector. Sign up online.
The CPA and Digital Social Care assume no responsibility or liability for any errors or omissions in the publication of this communication. The information contained in this update is provided on an “as is” basis with no guarantees of completeness, accuracy, usefulness or timeliness.