Personal health budget holders: data protection advice
Introduction
A personal health budget is an amount of money to pay for your specific health needs. The NHS gives it to you or manages it for you. You (or a family member, or your personal representative) can spend it on therapies, personal care and equipment. You may use the money to get a personal assistant. This is someone you choose to provide the support you need, in the way that suits you best.
Using a personal assistant through an agency
You may choose to use a personal assistant via a third party (for example, a care agency). In this case the agency would be the legal employer. You would not be directly responsible for protecting the personal assistant’s personal information. However, information may need to be kept at your address. This is so you can manage the personal assistant and the package of care. The care agency will help you to understand what you need to do to look after this information.
Employing a personal assistant directly
You may choose to hire the personal assistant yourself. This may give you more choice over how you can use your personal assistant to help you lead your life fully. However, if you hire a personal assistant (not via a care agency) you are their employer. That means you need to protect the privacy of their personal information. It can feel daunting to have this responsibility. However, this guidance takes you through the steps you can take, as an employer, to use and protect people’s information properly.
Guidance for patients and service users
Step 1: List what information you will need
Write a list of the information you need about your personal assistant. Include why you need the information. The list might cover contact details such as:
- phone number - to contact the personal assistant about work
- address - to send them paperwork about their role
- email address - to send them work emails
- emergency contact information - to contact someone in case you need to
Financial information such as bank details and National Insurance number - to pay the personal assistant
Information about their employment such as:
- salary amount - to make sure they are paid the right amount
- interview notes - to be able to hire someone
- working hours - to record when they are working
- holiday hours - to make sure they can take holiday
- sickness records - to keep track of sickness and change their pay
- training certificates - to confirm that they are qualified for their work
- ID - to check their identity
- Disclosure and Barring Service (DBS) records and vaccination records
- references - any references you asked for whilst selecting your personal assistant
Health information - any health conditions the personal assistant has which you need to know about as an employer. Knowing these will help you keep the personal assistant safe. It could also help you to plan for any possible impact on the care they give you. For example, a personal assistant who has diabetes might suffer a diabetic seizure when you require urgent care.
You should also think about information you might need when the personal assistant is working for you. This could include:
- messages or emails between you and your personal assistant
- paperwork relating to the personal assistant. An example could be tax letters from HMRC about the personal assistant’s role
- CCTV footage (for example, if you have security cameras that record photos or videos of the personal assistant). Let your personal assistant know up front if they might be on CCTV footage
Step 2: Use the Information Commissioner’s Office (ICO) tool to help you select a lawful basis
You don’t need to ask for the personal assistant’s consent to use their personal information. However, you do need to have a ‘lawful basis’. This means a good reason, based in data protection law. Use the ICO’s interactive guidance tool to help you with this. Write the lawful basis down in the list you made in Step 1, putting a lawful basis next to each entry in your list. For the entries in your list, the lawful basis is most likely to be ‘contract’.
For example, phone number - collecting to contact the personal assistant about work. Lawful basis: contract.
You will also need to identify an extra lawful basis to use the personal assistant’s sickness and vaccination records. This is because those records are about the personal assistant’s health. The extra lawful basis will generally be ‘Employment, social security and social protection’. This allows information to be held by an employer to ensure the health, safety and welfare of employees.
Step 3: Check that you need all the information
Only keep information about a person if you really need it. Check the list you created in Step 1. Ask yourself: “Do I need this information to give this person a job or have them work for me?” If the answer is ‘no’, take this off your list and don’t ask for it.
Step 4: Be clear about what information you will collect
If you have a small care team or 1 personal assistant you can speak to each person. Tell them what information about them you will need to keep, and why you need it. A written list will help you and your personal assistant(s) to be clear about what has been agreed. If you have lots of personal assistants, you could create a privacy notice. This sets out the information you need to collect from them and why you need it.
Tell the personal assistant if you plan to share information with other people or organisations. Some examples of when you might need to share information are:
- you may need to share information about a personal assistant with a health and care professional, your insurance provider or a payroll provider
- if someone in your family is helping you to make payments to the personal assistant they will need to see the personal assistant’s bank details
- if you employ a team leader they will need to hold information about the people working in a team under them
- if you are using CCTV to capture seizures, you may need to share footage with a health professional. The personal assistant may be in this footage
Some information can be sensitive. For example, the personal assistant’s sickness records. If you have asked your personal assistant to share information about any health conditions (in order to plan for any potential impact on your care), other staff may also need to know this information so they know what to do if something happens. However, don’t share this information with other people if they do not need to know about it. For example, don’t talk about your personal assistant’s health conditions to your family or other personal assistants if it will not impact on your care.
When you talk to the personal assistant, you could also set out how the personal assistant should use information they may hold about you. For example, you may have a contract for your personal assistant which includes your information including details of your health conditions. You could let the personal assistant know that they should ask your consent before they share it with other people (for example, as proof of employment).
Step 5: Ask for the information
Ask your personal assistant for the information you need. Ask them to check that it is right, or ask them to complete paperwork themselves.
Ask them to let you know if any of their details change. Check every 6 months that the details you hold are still correct. Update any details as soon as possible if any of the information you hold is wrong or out-of-date.
Step 6: Keep the information safe
As an employer you should keep your personal assistant’s information safe. People outside the care team shouldn’t be able to see or use it. Don’t leave information lying around for others to view. This can cause what is known as a ‘personal data breach’ (see Step 9 for more information). For paper information, you could keep it in a locked cupboard that only you have the key to. On an electronic device (for example, a tablet or computer) make sure the device is locked with a password or code that only you know.
Step 7: Don’t use the information for any other reason
Only use the information you have collected for the reasons you wrote on your list. These will be the reasons you told the personal assistant about in Step 4. If you use information later for a different reason, this could be ‘unfair’. This is because the personal assistant might not have expected it. For example, if you needed your personal assistant’s postal address to complete their employment checks, don’t then use the address to send them a birthday card unless you have checked with them that it is OK. They didn’t give you the information for this reason.
Step 8: Make sure you can give copies of their information back
People have information rights under data protection law. This includes a right to ask for copies of the information you hold about them. This is known as a Subject Access Request. You should be able to provide the personal assistant with copies of all their information if they make a request like this.
This is the information you considered in Step 1. It includes text messages or emails between you and your personal assistant about their role, and also paperwork or messages you have sent to other people that relate to the personal assistant. For example, if you have made other staff aware of a personal assistant’s health conditions in writing this should be included because it is information about the personal assistant. You could print the information off, photocopy it or email it to them. Our guidance on Subject Access Requests tells you more, including how much time you have to give them the information they have asked for.
Step 9: What to do if something goes wrong
A personal data breach can happen if the personal assistant’s information is:
- stolen or lost
- changed so it becomes wrong. This is only a breach if you can’t fix it easily, or if it being wrong caused a problem for your personal assistant. For example, if you wrote the wrong number of hours worked and the personal assistant was underpaid that month
- seen or used by someone else who shouldn’t be using it
If this happens, you may need to:
- tell the personal assistant about what has happened and apologise
- ask the personal assistant to provide you with the information again
- consider changing the way you keep their information
The ICO provides further guidance about what to do when a breach happens.
Step 10: Keep records for the right amount of time
Record the date that your personal assistant stops working for you. Keep records about their work in a safe place for 6 years. After 6 years, destroy the information. If you have stored the information on paper, use a cross-cutting shredder (this cuts paper into much smaller pieces than the strips produced by a standard shredder). If your information is electronic, delete the files and make sure they are removed from your recycle bin.
How to get help with your data responsibilities
The ICO is the UK’s regulator for data protection and information rights. They have lots of guidance about data protection. They also have advice aimed at small and medium organisations that you may find helpful if you employ a large number of personal assistants.
They also provide support and advice directly to individuals through their advice line.
Getting help with your other duties as an employer
This guidance covers how you can keep your personal assistant’s data safe. There are lots of places where you can go for more general information on what you need to do as an employer.
As a first step, your Employer’s Liability Insurance provider should provide support for any employment issues you encounter. They may also have their own templates and information sheets which you might find useful to read. You may also find the links below helpful.
Skills for Care have produced a toolkit to help you to think about your responsibilities as an employer.
Advisory, Conciliation and Arbitration Service (ACAS) provides impartial advice to employers and employees.
Pay & Employment Rights Service (PERS) is a registered charity and provides employment support.
MyCareBudget contains templates that support people to run their personal health budgets. They are written by people that run personal health budgets.