New EU data protection regulations come into force this May covering all businesses, from multinationals to sole traders. This includes therapists like ourselves, many of whom work alone or within a clinic. The aim of the regulatuions is to strengthen and unify data protection rules and control the export of personal data outside the European Union.
This may not appear at the top of your ‘to do’ list, but with the clock ticking down to the deadline on 25th May, it should. Breaches of the new General Data Protection Regulations (GDPR) could lead to large fines and any therapy business holding data on clients should start preparing now.
Here are some key steps the Information Commissioner’s Office (ICO) says you should take before the deadline to avoid falling foul of the new regulations. More information is available in the links provided in this blog.
You (and anyone else in your business) must read and understand how the law is changing and what it means for your business. Ignorance will not be accepted as a defence, nor will being too busy to meet the deadline! This link will provide you with all the information you need.
2 AUDIT & REVIEW
Document all the personal data you hold, where it came from and who you share it with, such as client lists, mailing lists, consultation forms etc. If you hold a large amount of client information, it may be necessary to organise a full information audit by an outside company. Keep personal data only where it is necessary and securely dispose of or delete any which is out of date, or is no longer required. Hold regular reviews of files and discard unnecessary or obsolete ones. A DIY checklist from the ICO can be downloaded here https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
3 RIGHTS & ACCESS
Be open with clients about the information you hold on them. Ensure your procedures comply with their rights as set down in the new regulations. There is more detail on this here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/
Any clients can request a copy of information you hold about them. This is known as a subject access request. They can do this by making a request under the Data Protection Act to what it calls the ‘data controllers’ in your business. In most cases, the therapist will also be the data controller!
People can request copies of paper and computer records and any related information, subject to a fee of up to £10 (£2 if it is a request to a credit reference agency for information about their financial status). Special rules apply to fees for paper-based health and education records, with fees on a sliding scale from £1 to £50 depending on the number of pages provided.
However, not all personal information is covered and there are ‘exemptions’ within the Act which may allow you to refuse to comply with a subject access request. Full details can be found here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
4 CONSENT & DISCLOSURE
You must obtain consent wherever possible before acquiring, holding or using personal data. Any forms (paper or web-based) designed to gather personal data should contain a statement explaining what the information is to be used for and who it may be disclosed to. Review how you seek, record and manage consent and assess whether you need to make any changes. If existing consents do not meet the new GDPR standard, refresh them. Please note when seeking consent, the client must check a box to opt in, not uncheck one to opt out. For example: ‘I understand that you will use my data from time to time to keep me updated on your services and news and will not share it with any third parties. Tick here to confirm ’
5 STORAGE & BREACHES
All personal data must be stored securely. That means password protection for online records and lockable filing cabinets (or rooms) for paper ones. Do not leave records containing personal data unattended in areas accessible to the public and ensure that personal data is not displayed on computers screens visible to passers-by. These security precautions also apply to records taken away from your place of work, so you must comply even if you take work home or to a meeting offsite. Leaving records in a locked car does not qualify as secure!
ICO defines a breach of data security as ‘leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’ This includes breaches that are accidental and deliberate. It also means that a breach is more than just about losing personal data. Breaches can occur in many ways; when accounts are hacked, or when information is sent to the wrong recipient are two examples.
If there is a data breach, you must know how to identify, report and correct them. ICO has detailed guidance here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/