From 25th May 2018 the General Data Protection Regulation (GDPR) comes into force. This is a positive move as it is aimed at protecting the rights of the individual in the age of information.
With the explosion of technology and cloud data storage it has become evident that the old Data Protection laws were not rigorous enough. Hacking and identity fraud have been on the increase. Your data, as well as the data you keep on others, may be targeted for criminal purposes.
To understand the importance of Personal and Sensitive Data, imagine how you would feel if your own personal or sensitive data, such as your health information was leaked or stolen and became public…not good!
Every business needs to comply with the GDPR, from the smallest sole trader to big multinationals. Don’t bury your head in the sand and ignore the new rules!
There are some basic steps you need to work through to help you comply.
- Consider what data you collect and whom you collect it from: clients, students, enquirers? Data is any personal information, including name, age, address and email. Most of this data will be regarded as Personal Data, which should always be securely stored. However, as a therapist or therapy school you almost certainly collect data on health; this will fall into the new category of Sensitive Data. This information needs to be stored even more carefully, because if there were a data breach and it leaked into the public domain it could potentially be very embarrassing or damaging for your clients. Think carefully about the data you store on clients (for example records of initial enquiries, your treatment and consultation records) and, if you teach within an ACHO School, on students (for example enrolment forms, personal experiences submitted in course work, case studies). Make a list of what data you ask for. Check that you are not collecting ‘data for data’s sake’. All the data you collect should be necessary for the records you keep. You should be able to state why you need to collect this information and how you use it.
- Remember that people have a right to enquire about the information you hold on them. They should be told why you are collecting their information in the first place and how long you will be keeping it on file. Produce a printed statement regarding Data Protection for clients and students, ensure they have read it, and have them sign and date it to say they understand and agree to the conditions. This is called a ‘Data Retention Policy’. Check with your insurance company how long they require you to keep client information for. Seven years is quite standard, but this can vary from insurer to insurer. Be aware that clients, students and anyone else you hold data on also now have the right to request complete erasure of their data, the ‘right to be forgotten’. This is unlikely to be a common request, but do notify your insurer if it happens to you. A ‘Subject Access Request’ must be responded to within 30 calendar days, irrespective of holidays and weekends.
- Keep the information you hold as securely as possible. A lot of therapists still collect their clients’ data on paper and then store it under lock and key. This old-fashioned filing system is hard to ‘hack’! If you store data electronically you need to look carefully at your security arrangements. You may need to consider encrypted email, for example, and make sure you password-protect your mobile phones, laptops, tablets, USB sticks and disks, as well as all email accounts, social media, cloud storage (OneDrive, Google Drive, Dropbox and so on). Think smart and never leave these ‘open’ on any device. Be particularly aware of securing devices that you carry out and about. Be aware of the potential for ‘shoulder surfing’ in public spaces: can anyone see the personal data on your mobile device? Get IT advice on securing the data you collect.
- Look carefully at any data you collect for marketing purposes, such as newsletters. Newsletters should always be ‘opted into’ and clear and simple to unsubscribe from. Never share or sell the information of people on your list, and make your policy clear in your sign-up statement.
- It is recommended that you create a ‘Data Breach Policy’ in case your data protection is compromised. This should list all possible failings and give a step-by-step process of what you would need to do. You are most likely a ‘Data Controller’ for your business, but you may have individuals linked to your main business who are ‘Data Processors’. A Data Processor processes data on behalf of the Data Controller. These might be staff, book-keepers, admin support and so on. Do they have legitimate access to any personal data? If so, what exactly? Your Data Protection Records should be reviewed regularly. Ask yourself, ‘Is the data explicitly specific for a legitimate purpose?’
- Each business is subtly different, so it is impossible for us to put out one set of guidelines to cover everyone. Some of your businesses will need to formally register with the Information Commissioner’s Office (ICO), whereas others will be exempt but may choose to register voluntarily.
There is a self-assessment on the ICO site for you to work through which will help you determine whether you need to register, along with a wealth of more detailed information. The ICO say they want to help businesses to comply with the new Regulation, so if you are unsure of what to do then please contact them.
Copyright Lauren D’Silva and Kelly Peacey