Bulletin: March 2018
This E-bulletin is being circulated for the specific purpose of bringing the forthcoming
General Data Protection Regulation to your attention
General Data Protection Regulation (GDPR) – Update
Practitioners need to be aware of the forthcoming European Union (EU) General Data Protection Regulation (see https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/). The GDPR will apply in the UK from 25 May 2018 and the Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of this regulation
The Information Commissioner’s Office (ICO) has published a document entitled
“Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now” (https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf) and we provide below an edited version of the first *9 steps (together with our own occasional notes) based upon what we feel will be of most relevance to GHR registered Practitioners.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently. For example, the GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability.
GHR Note: Under the GDPR, the data protection principles set out the main responsibilities for both data controllers and processors (who, in small businesses, are very often one and the same person) and whilst the principles are similar to those in the DPA, there is added detail at certain points and a new accountability requirement. Indeed, the most significant addition is the accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity.
N.B. The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular or by reference to an identifier. It applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria. This is wider than the current DPA definition and could include chronologically ordered sets of manual records containing personal data.
2 Information you hold
You should document what personal data you hold, where it came from and who you share it with.
The GDPR requires you to maintain records of your processing activities.
GHR Note: Like the current DPA, the GDPR essentially applies to ‘personal data’. However, the GDPR’s definition of what constitutes personal data is more detailed and can include, for example, information such as a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address etc. However, for most individuals who keep client lists or contact/personal details etc, the change to the definition should not make too much difference.
N.B. There is also a category referred to as ‘sensitive personal information’, the collection and processing of which requires ‘explicit consent’ from the data subject (i.e. usually your client or student) and can include, for example, racial or ethnic origin; political opinion; religious or philosophical beliefs; trade union membership; genetic and biometric data; health data or data concerning sex life or sexual orientation, and which are subject to stricter rules than ‘personal data’ in respect of data security procedures.
3 Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a Privacy Notice.
Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis (see 6 below) for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. Further, the GDPR requires the information to be provided in concise, easy to understand and clear language.
GHR Note: With respect to the destruction of personal data, we recommend that you maintain a log of both what records are destroyed and when they are destroyed.
View / download a GHR example of a PRIVACY NOTICE for Practitioners
N.B. The Privacy Notice available at the above link is a suggested example only and should be modified to meet each practitioner’s individual wording preference and/ or personal understanding of the GDPR requirements. However, your Privacy Notice should either be displayed prominently on your website or presented to each client prior to the commencement of therapy.
4 Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
the right of access;
the right to be informed;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability;
the right to object; and
the right not to be subject to automated decision-making including profiling.
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements.
For example, the right to data portability is new. However, it only applies:
to personal data an individual has provided to a controller;
where the processing is based on the individual’s consent or for the performance of a contract; and
when processing is carried out by automated means.
Consequently, you should consider whether you need to revise your procedures and make any changes.
N.B. You will need to provide the requested personal data in a structured, commonly used and machine readable form and provide the information free of charge.
5 Subject access requests
You should update your procedures and plan how you will handle requests to take account of the new rules, which are that:
In most cases you will not be able to charge for complying with a request.
You will have a month to comply, rather than the current 40 days.
You can refuse or charge for requests that are manifestly unfounded or excessive.
If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.
6 Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
Those collecting data should ensure that at the point of collection the following information is provided to the data subject:
the purpose for which the data is collected
the recipients or classes of recipients to whom the data may be disclosed
an indication of the period for which the data will be kept
and any other information that may be required to ensure that the processing is ‘fair’
You should review how you seek, record and manage consent and whether you need to make any changes and refresh existing consents now if they don’t meet the GDPR standard.
Clients must consent to their data being processed, to the extent to which it is used and have the right to modify or withdraw this consent easily.
Consent under GDPR requires some form of clear affirmative action. It must be freely given, specific, informed and unambiguous; silence, pre-ticked boxes or inactivity does not constitute consent. It must be clearly expressed and a record of how and when consent was gathered must be kept.
It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
GHR Note: We recommend that you split your Client Intake/Consent Form into two sections and keep each section separately secure from each other in order that any breach of security leading to the theft of either form independently would not lead to the ability to identify named clients’ specific personal/health details or presenting problems. To facilitate this, the first form might then include the client’s name, date of birth, address, contact details and allotted Reference Number and the second form might include the client’s Reference Number, personal/ health details, background, presenting problem etc.
N.B. Whereas both sections of the form should include the provision for the client to confirm their acceptance of the Privacy Notice, (see 3 above), the first section should also include provision for the client to confirm their agreement to the ‘collection and processing of their name, date of birth, address and contact details’, and the second section should include provision for the client to confirm their agreement to the ‘collection and processing of any ssensitive personal information as defined under the GDPR and as required by the therapist for the pursuance of both the client’s and the therapist’s legitimate interests’, (see the N.B. in 2 above)
View / download a GHR example of a CLIENT INTAKE & CONSENT FORM
N.B. The Client Intake/Consent Form available at the above link is a suggested example only and should be modified to meet each practitioner’s individual wording preference and/ or personal understanding of the GDPR requirements. Whereas splitting it into two sections does not appear to be a GDPR requirement, we feel that this might nonetheless be a useful and relatively simple way of increasing your data security.
For the first time the GDPR will bring in special protection for children’s personal data. If you offer online services to children and rely on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.
N.B. This could have significant implications if you offer online services to children and collect their personal data. Remember that consent has to be verifiable and that when collecting children’s data your privacy notice must be written in language that children will understand.
For further information, visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/
9 Data breaches
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases.
Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
*Steps 10, 11 and 12 do not appear to be particularly relevant for sole practitioners and very small businesses although you should nonetheless read them and determine their relevance or otherwise for yourself.
Whilst these new developments in data protection may at first glance appear to be yet further layers of confusing bureaucracy, we do not feel that they should necessarily cause those individuals affected any substantial compliancy problems. It seems rather like just more of the same with a requirement for greater diligence and an understanding that there can be significantly increased penalties for failure to comply. It would appear that those who will need to make the most changes and who would incur the greatest penalties for compliance failures or data security breaches are large corporations and public sector bodies, and it is likely that it is for these entities that the GDPR legislation has essentially been established. Notwithstanding this likelihood, the rest of us cannot be complacent about our data gathering activities and responsibilities, and we have therefore provided some further links that should provide you with additional information within areas that may be relevant to you:
Small Business – https://ico.org.uk/for-organisations/business/
Education – https://ico.org.uk/for-organisations/education/
Marketing – https://ico.org.uk/for-organisations/marketing/
The Information Commissioner’s Office (ICO) also offers an Advice Service for Small Organisations at https://ico.org.uk/global/contact-us/advice-service-for-small-organisations/ and a Live Chat Service at https://ico.org.uk/global/contact-us/live-chat/
Compliance Checklist – This short checklist for small organisations on the ICO website will help you comply with the GDPR – How to comply checklist.
N.B. Not all of the additional guidance that’s listed underneath the checklist will apply to you, but the Electronic Mail Marketing link will be relevant, if you text or email clients.
The GHR has no particular legal knowledge with respect to data protection issues and cannot be held responsible for any misinterpretation of (or relevant omissions from) the GDPR documentation. The above article has been included as a response to a number of GHR practitioners who have requested a simplified breakdown of the forthcoming regulation and is therefore an attempt to extract the salient points (that appear to specifically affect the sole practitioner and small business) from an otherwise complicated and convoluted series of documents. We cannot claim it to be as simplified as everyone would like but then that is the nature of this particular beast. Consequently, should you have any specific queries or concerns about how this new legislation might affect you (or what specific steps you might need to take to ensure compliance), we would advise that you contact the Information Commissioner’s Office (ICO), the body responsible for overseeing data protection in the UK, via their website at https://ico.org.uk/global/contact-us/
The Administration Team
Views expressed within GHR published material and any conclusions reached are those of the authors
and not necessarily shared by other individuals, organisations or agencies
©General Hypnotherapy Registerback