As members will be aware new General Data Protection Regulations (GDPR) come into effect on May 25 th this year.


GDPR

As members will be aware, the new General Data Protection Regulations (GDPR) come into effect on May 25th this year. These new regulations apply to all businesses and organisations.

Controller vs Processor

If you are a controller, you are someone in your business who determines the purpose and means of processing the personal data held. For chiropractors, this will most likely be the clinic owner/principal, sole trader or, in other words, the lead figure at the clinic. You are probably already the data controller for the purposes of data protection.

If you are a processor, you are responsible for processing personal data on behalf of a controller. So, as a clinic owner, you could be both a controller and a processor, or a processor could be someone who works for you and handles the marketing or patient communications: a receptionist, practice manager, marketing coordinator, junior associate etc. This would also include associate chiropractors who are seeing patients at your clinic. It could also refer to someone external, a marketing consultant for example.

Changes

Previously, the onus of responsibility regarding data protection fell more squarely on the shoulders of the data controller; now these responsibilities are spread over both controllers and processors. Under GDPR, processors must keep records showing what personal data they are using and how, as processors will now have a legal liability if there is a data breach, for example. Controllers are not relieved of their obligations though, as they must ensure that anyone processing data on their behalf is compliant. Controllers and processors both need policies that cover the data and how it is used, stored, protected and processed.

What is personal data?

Any information relating to an identifiable individual.

Do the new regulations apply only to online data?

No, they apply to paper and electronic files.

Basic requirements of GDPR

GDPR requires that personal data should be:

1. Processed lawfully and in a transparent manner.
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are rectified or erased without delay.
5. Kept in a form that permits the identification of the individual for no longer than is necessary.
6. Processed in a manner that ensures security against damage, destruction, accidental loss or unauthorised access or usage.

Lawful bases for processing are:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. (For chiropractors this would be marketing communications, for example.)
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. (For chiropractors, this would cover the contract a patient enters into with you when they request to become a patient. This would only cover the processing of their data as it relates to their treatment as a chiropractic patient.)
(c) Legal obligation: the processing is necessary for you to comply with the law, not including contractual obligations. (For chiropractors this would cover your processing of data for matters relating to their chiropractic treatment, or keeping their data for the period required by the GCC after they cease to be your patient.)
(d) Vital interests: the processing is necessary to protect someone's life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

What does this mean for chiropractors?

Check the data you have (give it a lot of thought, as you may hold data for a variety of reasons) and how you obtain it

You are lawfully processing data for the purposes of your patient being your patient. You must ensure, though, that the data you collect from patients is only what is necessary. New patient forms should be analysed to check whether all the information on them is strictly necessary. If you find anything that is superfluous, you should amend the form and, if possible, remove this superfluous data for existing patients. A good example of this might be "time at current address".

Who manages how the data is used, and who uses the data?

The person deemed to be the controller of the patient data must have a data handling policy in place which includes how they monitor and supervise those processing the data on their behalf. The people who process (use) the patient data on your behalf must have a policy and process in place that is clear on how they use the data and specifies how they ensure that the data is not misused or accidentally put at risk. It may be that you have several people at your clinic who could be classed as a processor, and so each should have a policy, which could be the same or subtly different depending on the situation. Of course, you could be both the controller and the processor if you are in a small or one-person clinic set-up. You would also need to ensure that anyone external handling data on your behalf has a policy in place; it is both their and your responsibility to make sure this data is lawfully processed.

Lawful reasons to retain data

Lawful requirements of the regulator, the GCC, will still override the GDPR in terms of how long you keep data for, i.e. a legal obligation takes precedence. This would only be in terms of processing data for the purposes of chiropractic care (for other purposes see below).
Documents needed

Aside from the clear policies for controllers and processors mentioned above, you will need to have an up-to-date privacy notice that outlines the lawful reasons for processing personal data.

Marketing communications

In terms of marketing communications to your patient base, you will be required to show that you had specific consent to communicate in this way. It will not be acceptable if you gave patients the option to opt out of marketing communications, or implied their consent by their becoming your patient. Therefore, you should ensure that any new patients are given information about how you will use their data and, if you plan to use the data for marketing purposes, you must specify this and give them the option to consent to it. IT MUST BE AFFIRMATIVE CONSENT, i.e. "Tick if you do want to receive" and not "Tick if you do not want to receive".

If you want to contact some or all of your patient list for marketing purposes, then you will need to ensure that you have the correct consents in place. This would involve telling people the way you may process their data and getting their specific consent to communication for marketing purposes (electronic or non-electronic). You will also have to make sure that each communication contains clear information as to how someone can withdraw their consent (or unsubscribe).

What to do now

Review your data handling and processing at your practice. You can find a lot of information on the Office of the Information Commissioner (ICO) website. A good place to start is 12-steps.pdf. The ICO has an entire section on their website:

If you have specific queries you can call the Croner helpline and speak to a commercial legal expert. NB Croner cannot write or check policies/documents for you, but can advise on specific queries relating to GDPR. Scheme number:

You may want to retain a GDPR specialist, but be sure they are someone with the relevant knowledge and don't be drawn into spending large sums on consultancy.

The BCA will be retaining a specialist advisor to assist with clarifying the position of GDPR for chiropractors. The aim will be to produce further, specific guidance and, hopefully, some pro-forma documents for some of the policies and procedures required. We will update members on this shortly.

This document is designed to provide guidance only. Whilst the BCA takes the best steps to provide accurate and useful information, it cannot replace legal advice or advice taken direct from the Office of the Information Commissioner. The BCA will be taking further advice and updating and expanding information for members over the coming weeks.