Here is a short summary of what people said in their questionnaires. You can see more detail at the end of this report.
Many people’s responses to the questionnaire suggested that they did not know much about what information is kept about them, how it is used and how it is looked after.
Older people (over 65) generally said they did not know what information their care services keep about them, or how it is used and looked after.
Younger adults and carers knew a bit more.
The people who said they knew most were those supported by Journey Enterprises.
“I believe they keep health information, care plans, medication details… Emergency contacts and records of any medications… Name, address, date of birth, contact number, email address, condition… Marital status.”
“I would be able to guess some things.”
“I know they keep some information, but I don’t know what that information is.”
Older people and carers mainly said that they had not been told what their care service uses their information for, or what they do to keep it safe.
Some younger adults said they had been told this.
More than half of the people supported by Journey Enterprises said they had been told this.
“Yes…to develop a personalised care plan… to provide support to service user… only certain people who need the info can access it… to inform staff and medical professionals…”
“Some, in letters, they quote the law, but I don’t always understand what it means.”
“Never explained to me but possibly to my mum.”
“They haven’t mentioned it.”
Most people, particularly older people and carers, said that they had not previously thought about or worried about the information their care service keeps about them. However, after thinking about the questions asked by the project, most people said that it was something that would influence their choice of care service in future.
Apart from older people, most people said that they would like guidance about how to check that their information is safe.
Apart from people supported by Journey Enterprises, most people said that they did not currently feel in control of their information.
“If information is lost, it makes you feel insecure.”
“I don’t feel in control of my information once it’s left me, I really don’t.”
“If you are in (desperate) need then cyber security may be the least of your concerns. Which provider provides the best care might be the critical factor.”
“Yes – was not aware until you have made me aware of it. I suppose we should be made aware and reassured by relevant service providers, especially as so many scamming techniques exist.”
“Never thought about information safety influencing my choice of care providers before now, but it is concerning because of cyber crimes, cloning of IDs, wars etc. It is something that I would now 100% take into account.”
A question was added about the value of having a quality mark for care services’ data protection and cyber security. This question was added to the survey halfway through. 30 of the 52 people who completed a questionnaire were asked this question and there was strong support for the idea from them. 26 out of 30 people who were asked said they would like there to be a quality marker, while 4 said no.
“That would be really useful.”
“I think that would help me make a decision.”
“Could be a great assistance in choosing care organisation.”
This section of the report gives a summary of some of the things people said to the project during discussion groups, training sessions and in one-to-one conversations.
People recognised that care and support records can include some of the most intimate details about their lives. For example, information about physical, emotional and mental health needs, and sometimes information about social behaviours, personal and family relationships.
Before these discussions, people had often been most worried about being scammed, or about losing information that could allow criminals to steal money from them. These discussions made people more aware of the need to also protect their sensitive personal information, such as health and care needs.
Many people said they were unfamiliar with data protection laws. After some people attended a training session with the project, they said that they felt that data protection laws should provide a reasonable level of protection for their personal information and for their privacy.
People recognised that data protection and cyber security are challenging issues for care services. This was made more difficult during the Covid-19 pandemic.
They understood that care services need to have a lot of different arrangements in place to ensure that information is kept safe. Examples mentioned included training for staff, procedures that are regularly tried and tested, and also technical defences such as firewalls, regular software updates, strengthened security on Wi-Fi, and use of strong passwords.
There was a strong feeling that people who use care services, and their family carers, should be able to trust care services to protect their information. It was also felt that care services should be expected to keep up to date with best practice, and to ensure that all staff are appropriately trained in data protection and cyber security.
However, people also felt that, in practice, care services may not always protect people’s information as well as they could. Some people also felt that care services had not informed them well enough about the data they keep and how they share it.
There was also concern about the use of electronic records. Some people were concerned that sensitive personal information might be leaked, stolen or hacked because of weak cyber security.
However, people felt that it is not just about digital records and technology. There was also worry about how paper records are stored, and about how well staff understand their responsibilities.
There was often a low level of awareness of how a cyber crime could be committed. (An example of a cyber crime would be if someone tried to access your bank account electronically and to steal money from it.)
Many people said that they had done things such as giving information over the phone, or giving information they had been asked for by professionals without questioning what it was for.
Doing these things could put people’s information and privacy at risk. For example, one woman with learning disabilities is a keen cook and follows several celebrity chefs on social media. She was contacted by someone claiming to be one of her idols and who started an online “friendship” with her. The person asked her for a loan and sent some emails which she described as “not very nice.” Fortunately, at this point she made her father aware, and he prevented further contact.
The project talked to some people about the Data Security and Protection Toolkit, often called the DSPT. The DSPT is a self-assessment that all health and care organisations should complete each year to check their data protection and cyber security arrangements.
People thought that the DSPT sounded like a good thing to show that their care services are protecting their information and using it correctly.
There is a public website where it is possible for anyone to check whether a care service has completed the DSPT. However, it is not designed or promoted for use by members of the public.
At the time that the research was carried out, care services that had completed the DSPT did not receive any sort of badge or logo to show that they had done so.