ICO Help & Checklists
The ICO (Information Commissioner's Office) has published a number of helpful guides and checklists.
Guide to the GDPR for Organisations:
Data protection self-assessment toolkit:
Lawful Basis for Processing Data
Data can only be processed if there is at least one lawful basis to do so. The lawful bases for processing data are:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Vital interests: the processing is necessary to protect someone’s life.
Balens processes clients' data under the lawful basis of Contract for our Insurance and Financial Services, and under Legitimate Interest for marketing purposes.
See 'Special Category Data' below for the lawful basis for processing health-related information about clients.
See 'Marketing – ‘Opt in’ vs ‘Opt out’' below for further information on the lawful basis for processing data for marketing purposes.
Special Category Data
Anyone who processes Special Category data, which for many of Balens' clients would include their own clients' health data, must also have a lawful basis for processing this information. The GDPR allowed individual EU member states to adapt certain areas as required for their own country's needs. Following consultation, the UK Data Protection Act 2018 includes the processing of this special category data under ‘processing in the substantial public interest for Counselling etc.’ and ‘insurance’. This information should be noted in the Privacy Notice where applicable.
Individual’s rights to their data under GDPR
Data Subjects, i.e. any living natural person for whom an organisation or individual holds data for business or similar purposes, have rights with regard to how their data is processed. Full details may be found on the ICO website at:
In summary these rights are:
- The right to be informed – Data Subjects have a right to be informed as to how their data will be processed. This information must be given in a Privacy Notice, which must be passed to the Data Subject within strict time scales. Therapists will need to provide their clients with a copy of their Privacy Notice. This may be either a hard copy or an e-mail / online version.
- The right of access – Data Subjects (e.g. clients of a therapist) have a right of access to the records that are held about them. Where a Right of Access request is made, the Data Controller (e.g. the therapist) must provide the information they hold about their client, free of charge, in a suitable format and within 30 days of the request. Note: the day of the request is considered to be the first day of the 30-day time limit. There are some exemptions, for example if the request is excessive or manifestly unfounded.
- The right to rectification – Personal Data must be checked at least annually and must be corrected where it is found to be inaccurate.
- The right of erasure – Data Subjects may request that the data held about them is deleted. However, this right is not absolute. There are provisions within the Data Protection legislation for records to be kept for the ‘defence of a legal claim’, allowing therapists to retain their records in line with their data deletion policy and to comply with Insurance terms and conditions regarding record keeping.
See also ‘A client has requested their records be destroyed – what should I do?’ for further details regarding the Right of Erasure, and when it does not apply.
- The right to restrict processing – Data subjects have a right to restrict the processing of their data, particularly where data is believed to be inaccurate.
- The right to data portability – Data Subjects have a right to have their data provided to them in a format that can easily be transferred to another provider. This would more typically be of use for larger organisations, e.g. financial services, where a client may have a portfolio of investments.
- The right to object – Data Subjects have a right to object to the processing of their data under certain circumstances, including for Direct Marketing.
- Rights in relation to automated decision making and profiling – Data Subjects have rights where their data is being processed, or decisions are being made regarding this, through automated means i.e. without human involvement.
Can Balens provide a template for a Privacy Notice?
Unfortunately we are unable to provide a standard Privacy Notice for you to adapt, as requirements will vary dependent upon the individual business, their complexity and needs.
Details of what is required in a Privacy Notice are available on the Information Commissioners Office website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/?q=privacy+notices.
Do I need to contact all of my past clients with my new Privacy Notice?
In essence you should be providing updated privacy information to past as well as current clients, and to past employees if applicable, where you continue to hold their data. However, the GDPR does provide an exception ‘where the effort is disproportionate’.
The ICO web page states:
There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
While we at Balens would encourage you to contact all current clients as a minimum, notifying them how you will be handling their data after 25th May 2018, it is for individual practitioners and businesses to determine whether the effort is disproportionate regarding past clients. If you decide this is the case, you will need to provide past customers with a copy of your Privacy Notice as soon as they next contact you. Where you have a website, ideally the Privacy Notice would be displayed there also.
Record Keeping - Article
Your records are your first line of defence if a client makes a complaint or claim against you and are therefore of utmost importance. Please record everything relevant that happened in the therapy session and any relevant comments from the client, both positive and negative.
Before you carry out the treatment you must also ensure that you check what medication your client may be on, any prescriptions they are taking and any medical conditions they may have, as there may be conditions which preclude the therapy. This information falls under special category data under the General Data Protection Regulation (GDPR), and may be retained under the lawful basis of processing in the substantial public interest for Counselling etc. and insurance.
We are often asked ‘How long should I keep my notes?’, ‘What happens if I work in a clinic which owns the notes?’, ‘What happens if I leave a clinic or stop practising?’ and ‘What about Data Protection legislation?’
The reality is that there may be overlaps or contradictions according to the different types of law. Data Protection legislation, Contract Law, the Criminal Law and Human Rights legislation are there to protect the public and prevent abuse. However they can cause confusion, especially with regard to what you should do as part of your contract with your insurance company in complying with policy terms and conditions.
The Data Protection Act 2018 and the GDPR say you should keep records for no longer than necessary (although they don’t define how long that is!). The core purpose of the Act was to stop people abusing the data they hold and using it for unethical purposes. There is a proviso, though, that records may be kept for the establishment, exercise or defence of legal claims, allowing them to be retained should a client request to exercise their Right of Erasure.
You have a human right (protected by law), to maintain your livelihood. In order to defend you, it is usually a condition of your Insurance policy (Contract Law) that records be kept for at least 7 years, or for 7 years after the client reaches the age of majority when treating minors. It is important to check your insurance policy conditions, to ensure you retain your records in accordance with these.
Although in most cases the Statute of Limitation (Under Civil Law or Tort), that applies for late discovered situations leading to an allegation of negligence, is 3 or 6 years from the date that the patient discovers a problem, there are certain situations where the limitation period could be much longer. In the case of minors, this is 3 or 6 years (according to the type of claim) from the date that they turn 18. In the case of people with learning difficulties and in certain other situations, there is no Statute of Limitation and the Courts can overturn limitation periods, so there is rationale for record retention beyond those imposed by your insurance policy if you are treating clients that fall under the category of ‘vulnerable adults’.
Your patients’ case notes and records are your property, and you must retain them even if you have referred the client on or moved to another practice. If, as a clinical supervisor, you oversee a student’s work under your professional practitioner insurance, the patients’ records are yours. Although a patient can, by written application, seek access to their notes, they have no legal right of ownership. However, if a patient requests a copy of their notes under their ‘Right of Access’, you must follow the procedure laid out in the Data Protection Act and provide a copy of the notes unless an exemption applies, for example where the request is manifestly unfounded or excessive. Please keep a record of any such request on the client’s file.
As your Insurance policy may need to defend an allegation against you in the future, it is important that you know where your records are at any time. There is no legal requirement regarding the format of records. They may be stored in either paper or electronic format; however, under Data Protection law you are responsible for the security of your clients’ personal information, and therefore record storage must be considered carefully whether you choose a paper, PC or Cloud based system. There are pros and cons with each method. Paper records can be stored in a locked cabinet, giving security, but they take up far more space than electronic storage. PC based systems have the benefit of reducing storage, but if the computer itself is lost or stolen and there are no copies of the notes, the notes are lost too, resulting in a client data breach and potentially no means of defending yourself in any claims situation. Also, if the PC is used for internet access it can be vulnerable to cyber-attack, which may again result in a client data breach and/or loss of access to the data. Cloud based systems provide the benefit of reducing storage and the ability to access the notes wherever you are, but security is then placed in the hands of the cloud provider, and it remains your responsibility under Data Protection law to ensure that you have made adequate checks regarding their security capabilities.
Think ahead: you may want to appoint someone in your Will, or in any Power of Attorney arrangement you have set up, to be able to access the records in the event of a claims situation if you are too ill, disabled or otherwise unable to access them. Your Will should include such information so that, if your Estate were challenged after your death, the policy could be called upon to defend it and would be able to do so.
On selling or otherwise transferring your practice, you may pass on the original records if (a) the new owner will be subject to the same or similar rules to those referring to Case Notes above and (b) the patient is informed in writing in advance of the transfer and given the opportunity to object, in which event you must retain the original records.
How long should I keep my client records?
We have received a number of requests from clients regarding record keeping in light of GDPR, and how long they should keep their client consultation notes / record cards, given that the regulation states personal data should be kept for ‘no longer than is necessary’.
If you currently have a Balens Health Professionals Policy with us, underwritten by Zurich Insurance plc in the UK or XL Insurance Company SE in the Republic of Ireland (ROI), it is a condition of your Insurance Policy to take and retain client records. The policy wording notes:
The records shall be kept for at least 7 years following the last occasion on which treatment was given. In the case of treatment to minors, it is advisable that records should be kept for at least 7 years after they reach the age of majority (18).
Record Keeping – Condition 2, on page 35, Balens Health Professionals Scheme – UK – underwritten by Zurich Insurance plc
Record Keeping – Condition 7c, on page 24, Balens Irish Health Professionals Scheme – ROI – underwritten by XL Insurance Company SE
The Statute of Limitations in the UK (i.e. time when an individual is able to bring a claim) is 3 years for injury claims and 6 years for negligence claims, or 3 / 6 years after the individual reaches the age of majority in the case of minors. However, these periods start from the date that the injury was discovered, not from the time that the alleged incident that caused it occurred. There are also instances, for example if treating a vulnerable client, where the statute may be overturned.
Your records are your best line of defence in any claim situation hence the need to keep these for at least 7 years. It will be for you to determine, in view of your own client base, whether you choose to keep the records for longer than the 7 years noted in the policy wording or not. Should you choose a longer period, this will need to be noted in your Privacy Notice for your clients.
A client has requested their records be destroyed under their ‘Rights of Erasure’ – what should you do?
We have had a number of therapists contacting us to say that their clients have requested their notes be destroyed under the Right of Erasure. Whilst clients do have the right to request this, there is no absolute right for it to be granted.
There are provisions under the GDPR with regard to keeping records to defend yourself in a claim situation (see ‘When can I refuse to comply with the right of erasure?’ at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/), which clearly give you the right to retain your client records to comply with your insurance policy Terms and Conditions. For the Balens Health Professionals Scheme this would be 7 years after the last occasion on which treatment was given, or 7 years after the client reaches the age of majority if treating a minor.
Record retention periods should be noted in your Privacy Notice.
See ‘Record Keeping – Article’ above for further information regarding record retention and the legal and insurance requirements for retention.
Marketing – ‘Opt in’ vs ‘Opt out’
It is for individual businesses to determine the lawful basis on which they will process their clients’ data (see Lawful Basis above). There are a number of options for this, and it is likely that there will be different bases for different areas of processing. The lawful basis the company chooses will determine whether marketing material is ‘opt in’ or ‘opt out’.
A company may determine that its current clients have a Legitimate Interest in receiving marketing information, as they are, or have previously been, a client, and shown interest in the business. Under this lawful basis, clients are automatically ‘opted in’ to receiving marketing material, but they must have an option to ‘opt out’ of this should they request it.
However, if for any reason the business is profiling the data or cannot show legitimate interest, i.e. the individuals are not clients of the business, then the lawful basis will likely be Consent. In this case the business will need to receive the individual’s consent before sending marketing information, i.e. they personally ‘opt in’ to receiving it.
Some businesses may choose to get Consent from those they wish to send marketing information to, even where they may have an option for Legitimate Interest, as it will ensure that the information is sent only to those individuals who have specifically requested it, rather than to all clients.
At Balens, we have chosen the lawful basis of Legitimate Interest for marketing material. We do not send a great deal of marketing e-mails and believe that our clients will be interested in the information that we do send. However, we will always ensure clients have the option to ‘opt out’ of receiving this information.