What is GDPR?
GDPR was introduced to uphold the individual’s rights to ownership of their personal information. Under GDPR all personal data referring to an individual belongs to that person and not to the organisation holding it. The person has the right to know what is held, to make sure it is correct, not shared or sold, not used for any purposes except the ones they have agreed to, and not held at all without legal basis or personal agreement.
Mostly this was introduced to stop the buying and selling of huge amounts of data by giant organisations, and to stop us from being number-crunched, categorised and labelled from a distance. It also introduced legal penalties for the accidental loss of such data. For example, prior to GDPR, there was a steady stream of news stories about account managers losing entire databases of customer data on their way home.
The regulation (the R of GDPR – General Data Protection Regulation) is focused on the places where data held by a business of any size might go astray, i.e. the gaps in data handling as information leaves one company, storage medium or agreed purpose for another, and where data could a) be handed out without the subject’s awareness and permission, or b) fall through the cracks and get picked up by some unknown third party – hackers, the email service, whoever got into the taxi after that account manager.
So, you can only collect data with a real purpose, you can only use it for the purpose you stated when you asked for it, and you can’t hand it to another company, even your email provider, without telling the subject in your privacy notice and satisfying yourself that the other company is GDPR compliant too (normally by having a written data processing agreement with them). You also have to have a clear privacy notice where you explain all their rights and your reasons, give your real contact details, your processes and complaint channels, so that your client knows how to exercise their rights if they wish and how long you will take to action the request.
What is UK Data Protection?
UK Data Protection goes in a slightly different direction. Because GDPR focuses on the transfer of data, keeping anything on a computer just about guarantees you’ll need to register with the ICO (The UK’s Information Commissioner’s Office, ICO.org.uk) and pay the data protection fee. However, the Data Protection Act 2018 also relates to anything you keep on paper in a filing system, even behind two locks and inaccessible to anyone but you.
In practice, keeping things behind two locks is the standard expected. If you have an office with a lockable door that nobody else ever goes into, you just need a lockable filing cabinet. If someone can wander in, then that filing cabinet needs to be behind two locks from the nearest point a person can get to it. Anything held on a computer needs to be behind a password, and anything on a laptop or portable drive that could leave the building should also be encrypted.
The Data Protection Act 2018 is now described by Gov.uk as “The UK’s implementation of the General Data Protection Regulation”, and since Brexit it sits alongside the “UK GDPR”, the retained UK version of the EU regulation. The landscape continues to change. If in doubt, opt for the more stringent systems until you have clarity, on the basis of duty of care. ICO.org.uk was originally the home of Data Protection guidelines and assistance, with GDPR added as new information in 2018. The ICO is the UK’s regulator and the authoritative source of advice on data protection law in the UK.
Remember: trust the information your insurers give you, e.g. whether to retain case notes for 5, 6 or 7 years. They have to be compliant with the law too.
The Internet and the Rest of the World
UK Data Protection and the EU General Data Protection Regulation do differ in some small but crucial ways from, say, the American HIPAA regulations or those in Australia. For example, if you conduct an internet search for how to complete case notes or session records, many websites from around the world will suggest systems that allow you to observe and summarise from a personal perspective. A Google search for ‘how to record case notes’ will return very professional-looking articles based on US or Australian law which don’t match the UK situation.
Here in the UK, healthcare providers may get away with being subjective in their notes because their opinion is officially qualified; we cannot.
We can record statements made by clients as direct quotes, and we can note changes in physiological state on the record if that is our way of working and part of our duty of care. What we cannot do is make any assumptions or personal observations that contain any conjecture at all.
This is because the client can request a copy of their notes at any time. It is also because we are not doctors or in any way qualified to diagnose or to judge. Unconditional positive regard, and acceptance without judgement, is the baseline of our service.
Two Hot Tips
As an extension to this, it is also good practice to:
- Make a note of your client’s family members and relationships as they arise in session, adding them to the ‘relevant family history’, but keep any reference to them in the session notes to initials only. This is because anyone you discuss is just as able, under GDPR, to request the elements of your notes that refer to them personally.
- Only use client initials or a client reference number on session notes, and store them in a separate location and behind separate passwords or physical locks from the contracts and intake forms. This reduces the chance that a person’s name and address can be matched to their private story in the event of a breach.
The bottom line (and this was a bit of a head swivel for many organisations) is that under GDPR personal and sensitive data about an individual, whether true or false, belongs to that individual.
GDPR Privacy Notice
Privacy Notice Checklist
What to provide or explain if you are a 1:1 practitioner or have a newsletter or website.
About you / your business:
☐ The name and contact details of your business.
☐ The name and contact details of anyone in your business that a customer may wish to deal with directly (e.g. a representative or, if you have hired one, your data protection officer).
About the data you collect and why:
☐ What you are using the data for.
☐ The lawful basis you have for doing that.
☐ The legitimate interests (i.e. if one of your bases for keeping and/or using the data is ‘legitimate interests’ you also have to say what those are).
☐ Where else you get their data from, and what that data is.
☐ Exactly how long you keep the data.
About what you share and why:
☐ Who you send or may send their data to (if you do) – naming the specific person or business, or naming the ‘type’ of recipient, such as ‘the police’.
☐ The details of transfers of the personal data to any third countries or international organisations (if applicable).
Customer rights:
☐ All the rights your customer has*.
☐ The right to withdraw consent (if the data usage is based on consent).
☐ The right to lodge a complaint with the supervisory authority (in the UK, the ICO). You may also want to point to your professional association’s complaints procedure.
*There are eight rights. Not all of these may apply in your situation. The main seven are explained in the webinar and shown on the template privacy policy.
When your business gets bigger you may also need to declare these other details, for example if you one day design an insurable practitioner training and are required to keep an active database of registered/qualified practitioners:
☐ The details of whether individuals are under a statutory or contractual obligation to provide their personal data. E.g. you may make it part of their contract as a qualified practitioner to keep you updated on current address, contact details and insured status. This will allow you to respond if one of their clients contacts you as the body they complain to, and also allow you to see if someone has not been in practice for a year or more (e.g. if continuous practice and CPD are requirements to retain status).
☐ The details of the existence of automated decision-making, including profiling. E.g. if there is a practitioner test that is run online and marked automatically – you may also want to give contact details for any ‘real person’ specifically dealing with that if it is not you.
When you are finally at this level, the eighth customer right will also come into force. That relates to their rights regarding automated decision-making and automated personal profiling (and when that method can and cannot be used).
Author: Cheryl White, EFT Test Manager