A complementary life extends into my working life, so for the non-therapists amongst you I must beg your forgiveness for a work related post. Many of the Facebook groups I belong to are closed groups, which makes it difficult to share content without my having to copy and paste it multiple times. So, to save myself some work and effort I’m going to put the information here so that whoever wants to can share it – with the proviso that I am not an expert in this and this does not constitute legal advice!
Before we continue what I should say is that the information I am sharing is based on me. I am a one man band. All my client records are kept on paper, in a locked filing cabinet, in a locked room, in a locked building. The only time I contact my clients via text or email is to respond to requests for appointments. And again, let me just reiterate, share this information if you want to, but remember I am not an expert and this does not constitute legal advice in any way shape or form.
So, the GDPR. Sigh. Never has one piece of legislation caused so much panic or created so many Facebook posts. I’d like to say ‘why’? Having read through it, it seems like a bit of a no brainer to me, and while I am no expert I do know that I don’t need to panic, I don’t need to join a special GDPR forum, and I certainly don’t need to attend a seminar, free or otherwise. BUT, I believe I need to register with the ICO.
So, why am I so sure?
The ICO have provided some decent information. Sure, there are a few vague spots, but these can pretty much be cleared up by making sure you understand a few of their definitions. I’ve been helped hugely by advice and guidance which has been given by my professional organisation, the AoR – any membership organisation worth their salt should have, by now, spoken to the ICO on behalf of all of their members to get some clarity about what the GDPR means for them. I’ve also spoken to the ICO – twice.
So, here’s my advice:
READ: the advice from the ICO. They have got LOTS of information about what you need to do to be compliant, and lots of examples of privacy statements etc.
CONTACT: your professional organisation and read their advice. And if you’re not a member of your professional organisation then I suggest you join them now!
UNDERSTAND: that as a one man band you will be the data controller for your organisation, and you will also be doing all of the processing yourself. It is essential you understand what processing means in relation to the ICO, as it’s very different from what you might imagine:
“‘Processing’ means doing any of the following with the information:
- obtaining it;
- recording it;
- storing it;
- updating it; and
- sharing it.
‘Personal information’ means any detail about a living individual that can be used on its own, or with other data, to identify them.” ICO
It’s important to note that you don’t physically have to do anything with the data in order for it to count as ‘processing’ – simply holding it (storing it) is enough.
ACCEPT: That while you might keep all of your client information on paper, in a locked filing cabinet, at some point you are going to have a client, new or existing, who contacts you by text or email with some information about their health. At that moment you have obtained personal information in an electronic format, and so I believe that, whether you like it or not, you need to register with the ICO.
However, the ICO does say:
“If you never process personal information on a computer or similar device, such as a smart phone, you are exempt from registering as a data controller with the ICO, but you are still required to abide by the legislation.”
So if with your hand on your heart you can definitely say that you never ever ever ever ever ever get any emails or texts from clients that have even the faintest whiff of personal information in, whether that’s medical or not, then you don’t have to register.
BE CAREFUL: Giving electronic information a code, e.g. 0089 is your secret code for Mrs Smith, does not necessarily exempt you from registering with the ICO:
“Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.” ICO
So, if you are like me in that:
- you are a one man band
- you keep all client information on paper in a locked filing cabinet etc.
- new / existing clients contact you via text / email to arrange / change appointments and may occasionally provide you with some personal information, whether or not that is specifically related to the condition or situation that has encouraged them to seek your support
- you never send out newsletters / marketing materials
then I believe that you will have to register with the ICO under the new GDPR.
But the bottom line is that it’s your business and your decision as to whether or not you think you should register – either way you will still have to comply with the legislation (see below). Again, if you’re not sure what you should do then contact the ICO.
While I’m here, other questions that seem to have been getting people’s knickers in a twist are:
Can a client request that their data be destroyed? NO, if you have a legal obligation to hold that data, which you will under the terms of your practitioner insurance, and because you need that information to provide your service. As an example, my insurer requires me to keep data for adults for 7 years – after this point I would automatically destroy the data, but I would be able to refuse destruction prior to this date if a request came from a client, as I am legally required to keep it.
Do I have to tell people I am keeping their data? YES, you must tell people the lawful basis for keeping the data you’ve got and how long you will keep it for. This should happen at your first consultation – the ICO (and hopefully your professional organisation) have provided some great examples that you can adapt on their website.
What about past clients – do I have to contact them and apply for consent again? YES & NO. For past clients although you are required to provide them (if possible) with updated details about why you are keeping their data and how long for, you are not required to renew their consent as you have a lawful basis for holding their data (i.e. legal obligation / legitimate interest). So, if you can’t get hold of old clients then just make a note of it on the record and file it until you are legally allowed to destroy it.
Is it enough to say I am complying with the GDPR?: NO. You must show how you comply with the new GDPR and so you need to keep a record of how you are complying, including:
- Define what information you intend to hold and why
- Determine your lawful basis for holding that information
- Document your processes for holding information (e.g. paper record, locked filing cabinet, locked room etc)
- Supply your clients with specific privacy information under their right to be informed
- Obtain a record (signed form) of the client’s agreement to your holding current and future data, in line with your lawful basis for holding it and the period of time you will hold it for
- Hold all data securely (e.g. appropriate software, passwords, filing cabinets must be lockable, etc.).
- Ensure that you have processes to comply, and show how you comply, with all the requirements of GDPR.
For more information: I strongly advise you again to contact the ICO if you are unsure about anything. Follow all the information – it really is just doing what you are doing already, but showing that you are doing it by writing it all down on paper and registering with the ICO.
But, most of all DON’T PANIC!