How we should prepare for the GDPR deadline
New EU data protection regulations come into force this May covering all businesses, from multinationals to sole traders. This includes therapists like ourselves, many of whom work alone or within a clinic. The aim of the regulatuions is to strengthen and unify data protection rules and control the export of personal data outside the European Union.
This may not appear at the top of your ‘to do’ list, but with the clock ticking down to the deadline on 25th May, it should. Breaches of the new General Data Protection Regulations (GDPR) could lead to large fines and any therapy business holding data on clients should start preparing now.
Here are some key steps the Information Commissioner’s Office (ICO) says you should take before the deadline to avoid falling foul of the new regulations. More information is available in the links provided in this blog.
You (and anyone else in your business) must read and understand how the law is changing and what it means for your business. Ignorance will not be accepted as a defence, nor will being too busy to meet the deadline! This link will provide you with all the information you need.
2 AUDIT & REVIEW
Document all the personal data you hold, where it came from and who you share it with, such as client lists, mailing lists, consultation forms etc. If you hold a large amount of client information, it may be necessary to organise a full information audit by an outside company. Keep personal data only where it is necessary and securely dispose of or delete any which is out of date, or is no longer required. Hold regular reviews of files and discard unnecessary or obsolete ones. A DIY checklist from the ICO can be downloaded here https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
Examine all your current consultation forms and other correspondence to ensure that any privacy notices comply with the new regulations. Guidance on writing privacy notices can be found here https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/how-should-you-write-a-privacy-notice
An example of a privacy notice that you might include on a consultation form would be: ‘We take your privacy very seriously and will only use your personal information for our own use and will never share it with third parties. From time to time we would like to contact you to keep you up to date on our activities. Please tick below how you would like us to contact you.’ This should be accompanied by the relevant check boxes such as telephone, email, SMS etc.
3 RIGHTS & ACCESS
Be open with clients about the information you hold on them. Ensure your procedures comply with their rights as set down in the new regulations. There is more detail on this here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/
Bear in mind when writing consultation forms or notes that people have the right to see all personal data and that includes any 'informal' comments made about them on documents. This includes e-mails containing personal data, so exercise caution about any comments made!
Any clients can request a copy of information you hold about them. This is known as a subject access request. They can do this by making a request under the Data Protection Act to what it calls the ‘data controllers’ in your business. In most cases, the therapist will also be the data controller!
People can request copies of paper and computer records and any related information, subject to a fee of up to £10 (£2 if it is a request to a credit reference agency for information about their financial status). Special rules apply to fees for paper-based health and education records, with fees on a sliding scale from £1 to £50 depending on the number of pages provided.
However, not all personal information is covered and there are ‘exemptions’ within the Act which may allow you to refuse to comply with a subject access request. Full details can be found here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
Be aware that there is data and then there is sensitive personal data (i.e. relating to race, political opinion, physical or mental health, religious belief, sexuality, etc). It is wise to hold and use such information only where strictly necessary. You must always obtain the consent of the individual and notify them of the likely use(s) of such data.
4 CONSENT & DISCLOSURE
You must obtain consent wherever possible before acquiring, holding or using personal data. Any forms (paper or web-based) designed to gather personal data should contain a statement explaining what the information is to be used for and who it may be disclosed to. Review how you seek, record and manage consent and assess whether you need to make any changes. If existing consents do not meet the new GDPR standard, refresh them. Please note when seeking consent, the client must check a box to opt in, not uncheck one to opt out. For example: ‘I understand that you will use my data from time to time to keep me updated on your services and news and will not share it with any third parties. Tick here to confirm ’
Do not reveal personal data to third parties without the consent of the individual concerned. Even parents, guardians, relatives and friends of the person have no right to access without the consent of the individual. Remember too that you must also obtain the consent of parents or guardians for any data processing activity involving children.
5 STORAGE & BREACHES
All personal data must be stored securely. That means password protection for online records and lockable filing cabinets (or rooms) for paper ones. Do not leave records containing personal data unattended in areas accessible to the public and ensure that personal data is not displayed on computers screens visible to passers-by. These security precautions also apply to records taken away from your place of work, so you must comply even if you take work home or to a meeting offsite. Leaving records in a locked car does not qualify as secure!
ICO defines a breach of data security as ‘leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’ This includes breaches that are accidental and deliberate. It also means that a breach is more than just about losing personal data. Breaches can occur in many ways; when accounts are hacked, or when information is sent to the wrong recipient are two examples.
If there is a data breach, you must know how to identify, report and correct them. ICO has detailed guidance here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/
You may wish to consider a public show of GDPR compliance by registering with the ICO here (£35 a year): https://ico.org.uk/for-organisations/register/
Good luck and happy GDPR day to all of you!