The new General Data Protection Regulations and what they mean for our members

  Published to Latest News on Jun 06, 2018

Many of you would have seen some information regarding the General Data Protection Regulations (GDPR) which came into force on 25th May 2018. Most processing of personal data by organisations and sole traders (including practitioners) will have to comply with the General Data Protection Regulation.

The guidance and resources provided by the ICO to help you get prepared can be accessed online https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

plus a comprehensive guide to the GDPR https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

ICO guide for small businesses https://ico.org.uk/for-organisations/business/

Do you need to register with the Information Commissioners Office (ICO)? Currently the Data Protection Act 1998 requires every data controller (e.g. organisation or sole trader) who is processing personal information to register with the ICO, unless they are exempt. If you are collecting data, from or about clients, and/or sending advice, newsletters or blogs by email then you probably need to register especially due to the nature of the information that you are collecting. You definitely need to register if you store personal data on a computer. There are some self-assessment questions that you can answer to confirm your need to register https://ico.org.uk/for-organisations/register/self-assessment/

Have you got a privacy policy? A privacy policy tells people how you might use their information. If you don’t yet have a privacy policy it is important that you make preparations to have one. As a practitioner you are collecting sensitive information about an individual so your paper or electronic forms must direct those individuals to where your privacy policy is held, most likely your website, so they can read it if they want to. The ICO have provided guidelines that include what you should include in a privacy policy:

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/what-should-you-include-in-your-privacy-notice/

How to write a privacy policy https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/how-should-you-write-a-privacy-notice/

As an NNA member you are invited to read the NNA Privacy Policy which can be found on http://www.nna-uk.com/privacy-policy

Have you got permission (consent)?  One of the biggest changes to the regulations is having consent to send someone information including information by emails and blogs. Many companies have already deleted the data they currently hold as it is not deemed cost effective to ask for re-permission to send them information about their organisation. Others are asking for re-permission in writing or by email. The new regulations mean that before you send any information to anyone by any means ensure you have their permission to do so. This includes people you have been emailing in the past – you must either not email them in the future or get their permission (consent) to keep emailing them. Please see below our recommendations for obtaining consent.

Are your security settings adequate enough? Healthcare data is some of the most sensitive personal information that exists today and is classed as a ‘special category’. It is also one of the most sought after, and most frequently breached, data types. For organisations across the healthcare industry, protecting health data is proving to be increasingly challenging.

Healthcare providers and their business partners must balance protecting patient privacy while delivering quality patient care and meeting the strict regulatory requirements set forth by the EU’s General Data Protection Regulation (GDPR). Because protected health information (PHI) is among an individual’s most sensitive (and for criminals, valuable) private data, the guidelines for healthcare providers and other organisations that handle, use, or transmit patient information include strict data protection requirements that may incur penalties if they’re not met. Devices that hold data should be password protected and any device which holds sensitive data or personal information on a hard drive should be protected with up to date internet security. More information regarding use of personal data which is classed as being in a special category can be found https://ico.org.uk/for-organisations/health/

Data Collection and Processing for Children. The ICO also have updated guidance with regard to the collection of processing and personal data for children, which you can read more about on the ICO website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/

For children under 16, parents must be informed and give consent to use any children’s data. Please refer to the NNA Code of Conduct (under resources) on your NNA account for more information.

What you may need to action. There may be some actions that you will need to take to check that as a data controller you are complying with the new guidelines:

Have you got a privacy policy? Add it to your website so clients are aware of how you might use the data that you hold about them.

Do you have clear consent? Ensure that your case history forms (paper and electronic) tell people where to find your privacy policy. The following is a brief summary of the type of words You may like to add to your client consent form:-

The information you have given will be used for the sole purpose of [your company name] in accordance with the guidelines set by the Information Commissioners Office. Privacy policy is available at [your website address]. From time to time we may contact you with information about our services or offers (such as email or blog). I consent for you to contact me in this way: Yes | No

Ask for re-permission (consent) to send anyone on your current database information. You are using their data and under the new regulations you must have permission even if you have emailed them in the past.

Register with the ICO if you have not already done so – the data you collect (process) comes under a special category.

If a client asks you for a copy of the data you are holding (subject access request) you must give it to them. However you must also have proof that they are who they say they are before you do so.

Install up to date internet security so that your device(s) is protected from phishing or virus.