On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect. This replaces the existing Data Protection Act. The GDPR brings with it greater accountability for those that handle personal data.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.
Quick overview of what has changed
Although it is essentially based on the same principles as the current Act, some areas have been enhanced
- There is greater accountability for the data holder – if you hold personal data about individuals, you need to be as transparent as possible about how you use it, where you keep it and what you do with it. You could address this using privacy notices or by making it clear in your contracts with clients.
- There are new rights, and strengthening of existing rights of individuals to give them better control over how their personal data is held by organisations. For example, there is more emphasis on making it easier for them to have their personal data erased.
- You must ensure that you have a robust process in place for investigating and reporting breaches of personal data. Your employer may already have a policy or a process in place. If they do, you must ensure that you are aware of it and that it is up to date. If you are an organisational member or an individual working in private practice then you may want to have a procedure in place which outlines how you will report a data breach to the ICO. UKCP is in the process of creating a Data Breach Policy and we will publish this when complete. In the meantime the best place to get advice on this is the ICO website
- It is easier for individuals to access their personal data. For example, under the GDPR, Subject Access Requests will usually need to be responded to within one calendar month, this is irrespective of any national holidays or holidays you may have planned. There is also no longer a fee attached to a subject access request.
- There are higher penalties for non-compliance of the GDPR.
As with the current Act, the GDPR cannot and does not offer definitive answers for every situation as these may vary depending on circumstances. The GDPR, like the present Act, requires data holders to exercise judgement in making decisions and to be able to justify any decisions they make.
Frequently Asked Questions
- Can UKCP tell me what I need to do to comply with GDPR?
- Do I need to register with the ICO?
- What is personal data?
- How do I obtain consent to use the personal data?
- How long should I keep records for?
- Receiving a request for your client notes
- What can I do to prepare for the GDPR?
- What happens if I lose a laptop/ USB that has sensitive data on it?
- What is data processing?
- What is a Data Controller and Data Processor?
UKCP is a diverse organisation and we are very fortunate to include psychotherapists and psychotherapeutic counsellors from many different modalities.
As an organisation, we recognise that everybody is different and that is also reflected in the ways our members carry out their work. Some of our members work in the NHS, some privately, some offer short-term therapy and some long term therapy. Our organisational members are also very different in terms of their size and functions.
This means that while we can provide guidance about the GDPR, we cannot give definitive advice. Under the GDPR, everyone is accountable for the data that they hold so it is important that you make your own assessment. UKCP is not responsible for the personal data you hold.
Under the GDPR there will no longer be a requirement to register with the ICO but some data controllers will need to pay a data protection fee.
The fee structure has now been agreed and more information can be found on the ICO website.
Most people or organisations that process personal data in a professional capacity will need to pay a fee to the ICO. However, not all controllers have to pay a fee. There are exemptions to paying the fee and the ICO provides full guidance for this.
The fees themselves are minimal and the ICO breaks this down into different 3 categories:
- If you have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff, the fee will be £40.
- If you have a maximum turnover of £36 million for your financial year or no more than 250 members of staff, the fee is £60.
- If you do not meet the criteria for the first 2 categories, the fee is £2,900.
The ICO’s guide to the fee structure also includes a questionnaire which you can use to find out whether you need to pay a fee or not. The entire guide is very useful but you might find these particular sections the most useful:
Personal data is any information that can be used to identify a living person either directly or indirectly. This includes names, addresses, contact details but also includes things like IP addresses and acronyms. It doesn’t matter whether you keep the data electronically or in paper form, it is still covered by the GDPR. For example, you might keep electronic information of bank details, phone numbers, email addresses and you might keep hand written notes of your therapy sessions. All this falls under GDPR.
The GDPR outlines clearly that anyone processing data should be able to demonstrate how and when consent was obtained and that is was obtained for specific, explicit and legitimate purposes. You might find it useful to review how you currently obtain consent. Explicit consent requires a very clear and specific statement of consent – don’t use pre-ticked boxes or any other method of default consent. You should try to keep your method of consent under periodical review and refresh if anything changes.
For an example please see the extract of UKCP’s membership application form below:
UKCP’s Data Protection Policy gives details about how data is handled. It includes details on how sensitive information will be protected and used (further details of UKCP’s Data Policy is available on the UKCP website).
If consent is withdrawn, you will have to take the necessary steps to assess, and if appropriate to delete and erase any personal information you may have on the individual. This is because in certain circumstances individuals will have the right to have their personal data permanently erased also known as the right to be forgotten. A full explanation of this including obligations and exemptions is available on the ICO’s website.
UKCP is not able to provide a policy on this for our members because everyone’s circumstances will be different, but generally records should not be kept for longer than is necessary.
We can’t offer detailed advice on how long individuals and organisations should keep data for because the types of data held and the reasons for holding the data will vary. The key things to think about are what data you have, and why you have it. Asking these questions will help you to decide how long to keep the data.
You will also need to think about whether the type of data you keep is covered by any legal or regulatory requirements. For example, the Financial Conduct Authority advises retaining financial records for at least five years.
Certain types of records, such as NHS records are classed as ‘public records’, with specified periods for retention. For other types of records, including client records there is no set time limit, so individuals and organisations need to decide an appropriate time limit for keeping records before destruction. These might be set to accord with the relevant time limits for responding to a complaint against a therapist or the organisation or to comply with the time limits for legal actions. For example complaints made against our members under UKCP’s Complaints and Conduct Process normally have to be made within three years of the alleged conduct.
It is important to advise individuals from the outset about your retention policy including what you are keeping, why you are keeping it and how long you will keep it for. At the end of the agreed retention period, the information should be reviewed and deleted unless there is some special reason for keeping it. If this is the case, you must record your reasons for keeping the information and let the individual(s) affected know why.
You may be asked by the police or solicitors to assist them in a case by releasing your client notes. After receiving such a request you should first seek advice from your professional indemnity insurance provider, as they will normally have a legal advice help line. If you decide you want to release this information you should seek the consent from the individual to pass on the information, and even if you have this, you should remove any information relating to third parties before releasing the information.
As previously, individuals will still be able to request copies of all of the data you hold on them via a subject access request. If you want to refuse a request, you must demonstrate that you have met the criteria for doing so.
Currently, you can charge £10 to the individual making a subject access request. Under the new GDPR, this has been scrapped.
The timescale for responding to a subject access request has been reduced from 40 calendar days to one calendar month. In exceptional circumstances, this period can be extended but you must explain from the outset why.
- Review your current processes, and the wordings in your contracts about how you handle individuals’ personal data
- Carry out an exercise to see where you keep the information on clients’ personal data and consider whether you need to store it in a more secure manner.
- Consider whether you actually need some of the personal information you currently have and collect from your clients
- The ICO website and Checklist is a great start to assess how you store information currently and what you might need to do to comply with the new GDPR.
- Check with your employer or organisation if appropriate to ensure you are complying with their guidelines and polices
- Keep an eye on our website. We will continue to update this area with any further information we think may be useful to you.
If there is a risk to the rights and freedoms of individuals because of a breach of sensitive personal data, you must:
- notify the ICO no later than 72 hours
- notify the person(s) whose personal data is affected by the breach
If the breach is unlikely to result in a risk to the rights and freedoms of individuals, then you do not need to report it to the ICO. Regardless, you should document any breach and detail any remedial actions taken to ensure the breach does not happen again.
‘Processing’ means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data
- Data controller: a person (or group of people) who decides on the way in which any personal data is to be processed
- Data processor: any person who processes personal data on behalf of the data controller
- You can be a data controller as well as a data processer at the same time
Resources to help members
- The best source of information for members is the Information Commissioner’s Office (ICO). They have a helpline and live chat services, including an advice service for small organisations. If appropriate please also check your employer’s guidelines.
- The ICO will be providing monthly updates to highlight and link to what’s new in our Guide of the GDPR. More information can be found here
- A useful piece of guidance that we are using is the ICO’s 12 Steps to Take Now in preparation for the GDPR, and this can be found here
- The ICO have produced a guide specifically for micro business owners and sole traders
- There are several checklists available which have been produced by the ICO which are very useful when preparing for the GDPR, these are:
Privacy Notice checklist – this is very important, especially for those with business websites
If after reading this information and the ICO guidance you have further questions on the GDPR please contact us at firstname.lastname@example.org.