On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect. It replaces the existing Data Protection Act 1998. The GDPR brings with it greater accountability for those who handle personal data.
Quick overview of what has changed
Although it is essentially based on the same principles as the current Act, some areas have been enhanced:
- There is greater accountability for the data holder. If you hold personal data about individuals, you need to be as transparent as possible about how you use it, where you keep it and what you do with it. You could address this using privacy notices or by making it clear in your contracts with clients.
- There are new rights, and strengthening of existing rights of individuals to give them better control over how their personal data is held by organisations. For example, there is more emphasis on making it easier for them to have their personal data erased.
- You must ensure that you have a robust process in place for investigating and reporting breaches of personal data. Under the GDPR, a breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, so the process needs to work quickly. Your employer may already have a policy or a process in place. If they do, you must ensure that you are aware of it and that it is up to date. If you are an organisational member or an individual working in private practice, you may want to have a procedure in place which outlines how you will report a data breach to the ICO. UKCP is in the process of creating a Data Breach Policy and we will publish this when complete. In the meantime, the best place to get advice on this is the ICO website.
- It is easier for individuals to access their personal data. For example, under the GDPR, subject access requests will usually need to be responded to within one month of receipt, irrespective of any national holidays or holidays you may have planned. There is also no longer a fee attached to a subject access request.
- There are higher penalties for non-compliance with the GDPR: the maximum fine rises to 20 million euros or 4% of annual worldwide turnover, whichever is higher.
As with the current Act, the GDPR cannot and does not offer definitive answers for every situation as these may vary depending on circumstances. The GDPR, like the present Act, requires data holders to exercise judgement in making decisions and to be able to justify any decisions they make.
Frequently Asked Questions
Do I need to register with the ICO?
Under the GDPR there will no longer be a requirement to register with the ICO, but data controllers will need to pay a data protection fee unless they fall within an exemption.
The fee structure is still being developed and more information can be found on the ICO website.
What is data processing?
‘Processing’ means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data. This includes storing, organising, using, disclosing and deleting it, so almost anything you do with client information counts as processing.
What is a Data Controller and Data Processor?
- Data controller: a person (or group of people) who decides on the purposes for which, and the way in which, any personal data is to be processed
- Data processor: any person who processes personal data on behalf of the data controller
- You can be a data controller as well as a data processor at the same time
What is personal data?
Personal data is any information that can be used to identify a person, either directly or indirectly. This includes names, addresses and contact details, but also IP addresses, initials or codes used in notes, and any other identifier that could be linked back to an individual. Personal data should be:
- Processed lawfully, fairly and in a transparent manner
- Collected for only specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary for those purposes
- Accurate and, where necessary, kept up to date
- Processed in a manner that ensures appropriate security of the personal data
Personal data should NOT be:
- kept longer than necessary
How do I obtain consent to use the personal data?
The GDPR outlines clearly that anyone processing data should be able to demonstrate how and when consent was obtained and that it was obtained for specific, explicit and legitimate purposes. Bear in mind that consent is only one of the lawful bases for processing under the GDPR; if you rely on another basis (for example, a contract with the client or a legal obligation) you should record that instead, rather than asking for consent you do not need. You might find it useful to review how you currently obtain consent. Explicit consent requires a very clear and specific statement of consent, so do not use pre-ticked boxes or any other method of default consent. You should keep your method of consent under periodic review and refresh it if anything changes. For an example please see the consent section of UKCP’s membership
If consent is withdrawn, you will have to take the necessary steps to assess, and if appropriate delete and erase, any personal information you may have on the individual. This is because in certain circumstances individuals will have the right to have their personal data permanently erased, also known as the right to be forgotten. The right is not absolute: where you still need the data to meet a legal obligation or to defend a legal claim, you may be able to retain it, but you should record your reasons. A full explanation of this, including obligations and exemptions, is available on the ICO’s website.
How long should I keep records for?
UKCP does not have a policy on this, but generally records should not be kept for longer than is necessary.
Certain types of records, such as NHS records, are classed as ‘public records’ with specified periods for retention. For other types of records, including client records, there is no set time limit, so individuals and organisations need to decide an appropriate time limit for keeping records before destruction. These might be set to accord with the relevant time limits for responding to a complaint against a therapist or the organisation, or to comply with the time limits for legal actions.
It is important to advise individuals from the outset about your retention policy including what you are keeping, why you are keeping it and how long you will keep it for. At the end of the agreed retention period, the information should be reviewed and deleted unless there is some special reason for keeping it. If this is the case, you must record your reasons for keeping the information and let the individual know why.
What are the changes to accessing data?
As previously, individuals will still be able to request copies of all of the data you hold on them via a subject access request. If you want to refuse a request, you must be able to demonstrate that you have met the criteria for doing so.
Currently, you can charge £10 to the individual making a subject access request. Under the GDPR this has been scrapped, although where a request is manifestly unfounded or excessive (for example, repetitive) you may charge a reasonable fee for the administrative cost or refuse to act on it, and you must be able to justify that decision.
The timescale for responding to a subject access request has been reduced from 40 calendar days to one month. Where a request is complex, or you receive a number of requests from the same individual, this period can be extended by up to two further months, but you must tell the individual within the first month and explain why.
Receiving a request for your notes
From time to time, members are asked by the police or solicitors (for example) to assist with a case by handing over their notes. The general principles remain the same. Remember that you must normally have consent from the individual to pass on the information, unless you are required to disclose it by a court order or another legal obligation, in which case take advice before disclosing. Even where you do have consent, you may want to carry out a redaction exercise so that you disclose only what is relevant and do not release third-party information.
What can I do to prepare for the GDPR?
- Review your current processes, and the wording in your contracts, about how you handle individuals’ personal data
- Carry out an exercise to see where you keep clients’ personal data (paper files, laptops, phones, email, cloud services) and consider whether you need to store it in a more secure manner
- Consider whether you actually need some of the personal information you currently hold and collect from your clients
- The ICO website and checklist are a great start to assess how you store information currently and what you might need to do to comply with the GDPR
- Check with your employer or organisation, if appropriate, to ensure you are complying with their guidelines and policies
- Keep an eye on our website. We will continue to update this area with any further information we think may be useful to you.
Resources to help members
- The best source of information for members is the Information Commissioner’s Office (ICO). They have a helpline and live chat services, including an advice service for small organisations. If appropriate, please also check your employer’s guidelines.
- The ICO will be providing monthly updates to highlight and link to what’s new in its Guide to the GDPR, available on the ICO website.
- A useful piece of guidance that we are using is the ICO’s ‘12 Steps to Take Now’ in preparation for the GDPR, which can be found on the ICO website.
- There are several checklists produced by the ICO which are very useful when preparing for the GDPR, including:
Privacy Notice checklist – this is very important, especially for those with business websites, since a privacy notice is the main way of telling clients what data you hold, why you hold it and for how long.