iCareHealth is committed to ensuring our compliance with the Data Protection Act (1998) (DPA). Please read iCareHealth’s data protection guide below to understand the steps we take to ensure compliance.

iCareHealth Data Protection Guide

The primary legislation that protects individuals’ rights in relation to how their personal information is used is the Data Protection Act (1998) (DPA). In DPA terms, care providers are ‘data controllers’ and iCareHealth are ‘data processors’. At iCareHealth we have taken a number of steps to ensure our compliance with the DPA, including:

  • Publication of the iCareHealth Privacy Notice (which describes the ways in which we use personal information); and
  • Registering with the Information Commissioner’s Office. Our register entry can be viewed at the Information Commissioner’s website by searching for ‘iCareHealth’ in the ‘name’ field.

As required by law, access to personal information can be requested by making a ‘subject access request’ to the data controller (usually the care provider). If required, iCareHealth can assist the data controller to provide this information, but this may come at a small cost.


Are you registered with the Information Commissioner’s Office (ICO)?

iCareHealth has registered with the Information Commissioner’s Office. Our register entry can be viewed at the ICO website by searching for ‘iCareHealth’ in the ‘name’ field.

Who owns resident data?

Issues of ‘data ownership’ are complex and the DPA instead talks about ‘controllers’ of data and ‘processors’ of data. iCareHealth is a service provider to the social care industry and, as such, processes data in accordance with the instructions of our clients, who are the ‘data controllers’.

How can a resident see what information is held about them?

By law, a resident can find out whether a care provider holds any personal information about them by making a subject access request (SAR) to the care provider. The care provider can supply this information by using our systems. If a care provider has any difficulty responding to a SAR then iCareHealth can offer assistance. As data processors, iCareHealth will only access personal information under the instructions of the care provider (who is the controller of the data).

How will resident information be safe and secure?

iCareHealth takes personal information security very seriously. We are certified to ISO 27001 ‘Information Security Management’. Where we process personal information we do so in a number of ways and adopt a layered approach to security:

Physical security. Our buildings are accessible only by a keypad PIN system. PINs are only given out to iCareHealth employees and are changed frequently. All equipment containing personal data, including backups, is located in secure data centres that have been risk assessed and are compliant with both DPA and EU Data Protection Directive (95/46/EC) guidelines.

Anti-virus and anti-malware. We use market-leading products that regularly scan our networks to prevent and detect threats and are updated on a regular basis.

Intrusion defence. All of our systems are protected by a secure firewall.

Access controls. Each user has their own unique username and password to access the iCareHealth networks. Once on the networks, all access to personal data is restricted to those who need to access your data in order to fulfil our processing duties as part of our agreement with the data controller.

Employee awareness and training. All employees at iCareHealth who have access to personal data undertake information governance training supplied by the Health & Social Care Information Centre (HSCIC).

Segmentation. Web servers are held separate from file servers.

Policies. Policies are in place to ensure that risks are addressed in a consistent manner.

Device hardening. Unused software and services are regularly removed from internal iCareHealth systems and hardware to reduce any security vulnerabilities.

Transfer of data. Any data transported is secured by AES 256-bit encryption over SSL (HTTPS transmission).

It should be noted that the security of systems that are maintained by care providers on their own premises is the responsibility of the care provider.

How do iCareHealth protect resident confidentiality?

iCareHealth follows the principles of the DPA, which governs how we use personal data, and is constantly updating and reviewing its procedures and practices around data and security.

Disclosure is when confidential information is released either directly or indirectly in breach of laws. Statistical disclosure control is how we reduce the risk of disclosure by suppressing, aggregating or modifying data before release. Our Statistical Disclosure Protocol is based on the guidance released by the Office for National Statistics.

Why is resident information collected?

iCareHealth collects information regarding the health of an individual for the primary purpose of providing improved health and care outcomes. iCareHealth processes this data to allow care providers to fulfil this purpose.

How is resident information processed?

All resident information is processed in accordance with the terms and conditions of our agreement with the care provider and this is carried out according to the principles of the DPA.

Where is personal information processed?

Where iCareHealth process personal data in the UK, this is done within the European Union as per DPA and EU Data Protection Directive (95/46/EC) guidelines. For cloud services we use Microsoft Azure, which has operational centres in Europe. For more information regarding the privacy of cloud services see the Microsoft Azure Trust Centre.

How long will resident information be kept?

The DPA does not stipulate a minimum or maximum length of time for which personal information should be retained. We adhere to the Care Quality Commission’s (CQC) recommendations that information should be held for a period of seven years for adults from date of last entry, and eighty years for children from date of last entry.