New General Data Protection Regulation (GDPR) came into effect in May 2018. This is the data protection legislation concerned with protecting the rights and privacy of an individual’s data and is overseen by the Information Commissioners Office (ICO).
The GDPR operate under 5 principles concerning people’s data, these are that data is:
- Processed lawfully and transparently
- Collected for specified, explicit purposes
- Accurate – kept up to date
- Presented in an identifiable form and kept for no longer than is necessary
- Appropriately secure.
As therapists we hold sensitive, personal data, in terms of intake/assessment information and our client session notes. Anything which identifies an individual is classed as personal data.
In terms of specific actions for GDPR compliance of your practice, the following steps may give some guidance:
- Familiarise yourself with GDPR – the ICO website holds a wealth of information. https://ico.org.uk/
- Check to see whether you need to register with the ICO. There is a self-assessment tool on the website as well as costs.
- Carry out an audit of the data you hold, why you hold it, how it is stored, how long you keep it etc
- Develop or update client consent forms. You may wish to create a Privacy Notice or Policy informing clients of the data you keep and their rights. This should be an explicit opt-in of the client.
- Check and if necessary update your digital security. This may involve ensuring that personal data is password protected or encrypted.
Privacy notices are the main way that we are able to evidence compliance with GDPR. They not only inform the client of what happens to their data but also their rights and procedures related to holding their data. Suggested information to include is:
- A statement of who the data controller and data processors are (in most cases this will only be you)
- A statement concerning the lawful basis on which the data is gathered. In most cases this will be consent, however there other lawful bases on which data can be gathered (see ICO website for further information).
- A clear process that allows for the withdrawal of consent.
- A statement regarding the individual’s rights regarding privacy.
- Details of what data is stored, the purposes for which it is stored, how it is stored and used, with whom this data may be shared and why it is shared. This would include intake/assessment information and client notes. You may want to include: how information may be used in supervision, limits in confidentiality, information in a professional will, what occurs if a request is made by the police or a solicitor.
- Outline where and how information is stored. This might include information held on a computer, in a filing cabinet, on a phone or in a diary.
- Information concerning what security measures you have in place to avoid a data breach. This would include physical security as well as using password protection and digital security software.
- A statement concerning the length of time information is stored. You may also outline how the data is destroyed at the end of this period.
- A process for how information requests will be handled and the timescales for complying with them.
- A procedure for managing data breaches and their investigation including timescales and who will be informed.
- A process for the individual to lodge a concern should they be unhappy with how their data is treated. This would include contact details for the ICO.
- A sign-off with a date to say that the individual consents to their data being held in this way.
Further information and reading on GDPR
The ICO website contains a vast amount for information which goes into more depth than these guidelines allow.
BACP, UKATA and UKCP websites all offer guidance on GDPR compliance as well as access to their own Privacy Policies which may be adapted for your own use.