How does the General Data Protection Reform affect Complementary Therapists?
So are we all ready for this?
Yes, I hear you all cry but just in case you are one of the few who were unable to answer yes, I thought I would share my experience after participating in an Information Commissioners Office (ICO) webinar a few weeks ago. So here is my take on what it is all about and how any changes will affect us as therapists moving forward.
The GDPR has been set up as a result of an EU Directive and will take place on 25th May 2018. It replaces the Data Protection Act 1998, which is a law designed to protect personal data whether stored on a computer or in an organised filing system.
Noncompliance of this law could result in penalty notices and fines of up to £500,000! The Data Protection 2018 will take over from GDPR when Brexit occurs.
Reasons for GDPR
The main reason for this reform is as a result of the huge amount of personal information that is now regularly processed on a daily basis. The amount of information available, and often accessible, regarding individuals today has increased by 90% since the Data Protection Act (DPA) originally was launched in 1998.
The DPA came into being seven years before Facebook and all the other various forms of Social Media existed. Smartphones were unheard of back then and very fewer people had internet access or even owned a personal computer at that time. The general public now have access to amazing technological advances including drones that are able to potentially capture unwelcomed images. Also, there are so many everyday remote internet connections now, including those in children’s toys. This is apart from the information gleaned from the likes of supermarkets, mobile phone companies, rewards cards, online shopping and Amazon which can give an amazing insight into the lifestyle and habits of us all as individuals. This information is worth an awful lot of money to some people so it is important that this personal information is not open to being captured and used by unscrupulous organisations. A recent survey showed that only 20% of people in the UK have confidence in how their personal information was used, and this is clear evidence that something has to be done.
The GDPR (the reform) aims to rectify this situation by giving people control of their information and how it is used by building privacy into services and thereby build public confidence. This will be done in an attempt to enhance current practice rather than revolutionise the systems already in place. The Information Commissioner’s Office (ICO) is ‘the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals’ (ico.org.uk)
What do you need to do as a therapist?
You need to think about what personal information you hold as a practitioner about your clients and mitigate any risks in the usual way, ensuring you are allowing your clients, where appropriate the following:
To be informed – tell your clients why you need the information you are asking for, how long you will hold this information and explain confidentiality and privacy in plain language. Most insurance companies require you to store client information for around 6 years. All client record cards should state that they are confidential and you will have been trained about confidentiality when you did your original course. If you are not sure, please get in touch with us as your professional association. When you explain that the reason you need to take a detailed medical history to a new client in order to give them the very best tailored, safe and effective treatment they usually are satisfied that they are in safe hands and are happy to give the information you need
Right of subject access – clients have a right to see what information is being held about them, be given copies of this information if requested by the client, which should not incur a fee. This should be given in an envelope marked "Private and Confidential" with the client's name clearly displayed
Right to rectification – inaccurate or incomplete data can be amended at a later date. For us as therapists this means making adjustments by adding information and noting details of the date the information has been amended, asking the client to sign for accuracy and consent (do not go back and change any paperwork that has been completed at a previous session!)
Right to erasure – clients have a right to request deletion of data, although this can be overridden in the interest of the client especially regarding medical matters
Right to restrict processing – if erasure has been requested information must not be processed until the issue at hand has been resolved
Right to data portability – this applies mainly to utilities
Right to object – to direct marketing research and statistics
Right to decisions – any decisions made without human intervention allows for the decision to be redressed
So, a few of the points do not apply to us as therapists and the rest should not mean any
great changes to what we are currently doing in our practices. The biggest impact of this Directive will be to organisational policies and procedures that will need to be updated as well as toughened IT security with appropriate training and awareness to all relevant managers.
The key points I picked up as being applicable to us as practitioners are that we should know what information we process, identify and mitigate risks and ensure we embed privacy and transparency into our processes.
At the end of the ICO presentation there was a "Question and Answer" session and I asked about the implications of GDPR on a therapist sole trader who would be holding information regarding their clients so that I was absolutely clear. The response was that apart from what has been stated as a requirement by the DPA, any information held should not be linked to further details of our clients, not contain any images of our clients, information should not be shared with others (which we know) and finally I was told that although therapists do not show on an individual exemptions list the ICO presenter likened the information we have on our records to the information anyone might have in an address book and so he assured me that we as therapists would not need to register.
Being an untrusting individual and being conscious that therapists and practitioners were not mentioned on an exemption list, I started the process of registering for self assessment for myself! The outcome is based on the fact that I would not have CCTV on my premises, which would not be very appropriate for a therapist anyway, and I was given the results as listed below:
When all the information is held on paper (us old school therapists) there is no requirement to register with the GDPR.
For those that hold information on a computer there is still no need to register as long as any profit is not used to enrich others and:
Only process information necessary to establish or maintain support
Only share client information with client consent
Only keep the information as long as necessary
Therefore, at present it looks like we are safe to continue as we are, with our lockable cabinet for paperwork and our password controlled laptops and computers for electronic client record data but please be aware that changes happen all the time. Even now the processing of documentation and information is still happening creating more of a living document that will change and grow as key areas are highlighted. So, rest easy today but watch this space! As your professional association we are committed to keeping our members up to date with changes in our industry.
Please find below the link for ‘Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now’ for your information:
For further information regarding changes and updates please contact:
T: 0303 123 1113