KCC's shocking failures in data protection and continued overcharging of clients receiving adult social care
Since Kent County Council employees have been working from home, there has been a sharp increase in the number of data breaches occurring. But it doesn’t stop there. They’ve lost data, breached their own records management policy, and the 30+ providers of Adult Social Care continue to overcharge the 18,000+ clients receiving care at home or in care homes, who are paying the bills themselves.
According to the most recent Governance & Audit report, the KCC Directorate most affected by data breaches is Adult Social Care and Health (ASCH), which receives 1% of Council Tax precept. The report, released on 25 Jan 2022, noted:
The uptake of mandatory data protection training (by employees) in ASCH was below KCC's target.
Some teams within ASCH repeatedly failed to report data breaches to the Information Resilience and Transparency Team in a timely manner.
Internal Audit identified 5 out of 151 ASCH data security breach/incidents where the assessed risk to people’s rights and freedoms following the breach/incident had not been documented on the incident database.
But what is most shocking and worrying is what the report to the G & A Committee in January revealed:
The standard contractual terms and conditions for adult social care providers do not contain some specific terms or conditions that must be included as prescribed under section 3 of article 28 of the UK General Data Protection Regulation.
Now Article 28 s3(a)-(h) of the UK GDPR deals with processors of data, these being the Adult Social Care Providers. It states:
Processing by a processor shall be governed by a contract or other legal act under domestic law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
So, it’s clear then that the providers' contracts are defective and non-compliant. As such, the processing of data of those in receipt of home care or in care homes by Adult Social Care Providers is more likely than not unlawful, as the necessary lawful obligations are not being fulfilled, due to the non-compliance of the contracts.
Back in Oct 2021, we mentioned that Meritum, one of KCC's many Adult Care Providers, was having issues with Data Protection & GDPR. But we can’t single out Meritum, as KCC use 33 other providers, who received £67m between 2019/20 and 2020/21.
The ASCH service looks after and bills 18,000+ clients who receive help at home or in care homes. ASCH share personal data and data concerning health, which is special category data. All this is being done by the providers without a compliant contract to process the data being in place. It is truly shocking that such requirements have been flouted, and it leaves both KCC and the Providers open to data protection claims, which could cost them hundreds of thousands of pounds, if not more, if people or their families were to make such a claim.
In the same report, it came to light that provider invoicing of clients in receipt of Adult Social Care either at home or in care homes, or hospital, received a limited assurance.
A limited assurance means:
Adequate controls are not in place to meet all the system/service objectives and/or controls are not being consistently applied. Certain weaknesses require immediate management attention as if unresolved they may result in system/ service objectives not being achieved.
Now for those of you who are not regular readers, we flagged the issue of overcharging by Adult Social Care providers back in Sept 2021, and made it clear this had been going on since Jan 2021, and perhaps even earlier.
Overcharging is not isolated to KCC. Just last year [Sept 2021] it was discovered by the local government ombudsman that Bexley Council were overcharging people by as much as 200%.
And in Dorset and Bournemouth, overcharging was discovered. It is time there was an independent inquiry into the overcharging by KCC.
So, a year on, the issues have not been resolved and people in receipt of Adult Social Care are still being overcharged. It’s nothing short of scandalous that providers are receiving monies from the frail and infirm, the old and the young, without a compliant contract to process their data in place. Nor are they in most circumstances being billed the correct amount. It is not rocket science to get this right, given providers have received £67m.
How much of that £67m is a result of overcharging?
When will the providers return any monies overcharged to their clients they say they “care” for?
Why is this not being flagged by KCC as a safeguarding issue under financial abuse?
After all, KCC's own Financial-abuse-toolkit does state that the types of financial abuse are:
Being deliberately overcharged for goods or services, or being asked to part with money under false pretences.
Carrying out unnecessary work and/or overcharging.
Again this leaves KCC, and the providers, open to potential legal claims and severe damage to their reputations.
It is a huge failing by KCC and very shocking that the old and the young, the frail and infirm are being abused in this way. Again it leaves both KCC and providers open to potential legal claims which could cost hundreds of thousands, if not millions.
Also, in the same report KCC's record management gets a limited assurance. The objective of this policy is to define a framework for KCC to manage data, information and records in compliance with its Constitution and the statutory framework in which it is required to operate. The policy must fully reflect the statutory and regulatory environment within which the organization – KCC – is required to operate.
The audit opinion states:
There are three current cases of records required for a statutory request having gone missing and audit trails of their transmission have not been maintained.
An e-learning training module for Records Management is available to all staff; however, completion is not mandatory and is not monitored. The staff survey conducted as part of the audit identified a low level of completion, and a low level of awareness of the main components of the control framework.
The records management policy states:
Individual directorates must provide for the preservation and secure storage of all data, information and records regardless of the format in which they are stored in until they can be safely disposed of.
This clearly is not happening across all of KCC's various directorates, as records have been lost, leaving KCC open to legal claims which could, if brought, cost them many thousands of pounds and damage their reputation.
So, if you have a loved one in receipt of care at home, or in a care home, you can, if you are minded, bring a data protection claim against KCC and/or the provider, as they're processing data without a contract to do so, according to KCC.
We would advise you seek legal advice on this matter, if you choose to bring a claim, as it can be a difficult area of law to navigate.
Legal Aid and No Win No Fee Agreements are available
The Shepway Vox Team
Journalism for the People NOT the Powerful
I have been in receipt of ‘care’ from Meritum and been charged for 45 minutes when the carer did not stay beyond 20 minutes. This has occurred since January 21.
Like Gillian above, I’ve had another provider, who I’m lucky if they stay 10 minutes. They never do all the tasks and there is no GDPR info in my client pack whatsoever. For all this I pay a hefty whack of money, which is more than I should. I have raised the overcharging issue and been fobbed off time and again, by the provider and KCC staff over at Broadstairs. Thanks for raising this.