On 25 May 2018, the General Data Protection Regulation (GDPR) came into effect. This replaces the Data Protection Act. The GDPR brings greater accountability for those that handle personal data.
Many of the GDPR main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.
Although it is essentially based on the same principles as the current Act, some areas have been enhanced.
As with the current Act, the GDPR cannot and does not offer definitive answers for every situation as these may vary depending on circumstances. The GDPR, like the present Act, requires data holders to exercise judgement in making decisions and to be able to justify any decisions they make.
UKCP is a diverse organisation and we are very fortunate to include psychotherapists and psychotherapeutic counsellors from many different modalities.
As an organisation, we recognise that everybody is different and that is also reflected in the ways our members carry out their work. Some of our members work in the NHS, some privately, some offer short-term therapy and some long term therapy. Our organisational members are also very different in terms of their size and functions.
This means that while we can provide guidance about the GDPR, we cannot give definitive advice. Under the GDPR, everyone is accountable for the data that they hold so it is important that you make your own assessment. UKCP is not responsible for the personal data you hold.
Under the GDPR there will no longer be a requirement to register with the ICO but some data controllers will need to pay a data protection fee.
The fee structure has now been agreed and more information can be found on the ICO website.
Most people or organisations that process personal data in a professional capacity will need to pay a fee to the ICO. However, not all controllers have to pay a fee. There are exemptions to paying the fee and the ICO provides full guidance for this.
The fees themselves are minimal and the ICO breaks them down into three different categories:
The ICO’s guide to the fee structure also includes a questionnaire which you can use to find out whether you need to pay a fee or not. The entire guide is very useful but you might find these particular sections the most useful:
Personal data is any information that can be used to identify a living person, either directly or indirectly. This includes names, addresses and contact details, but also things like IP addresses and acronyms. It doesn’t matter whether you keep the data electronically or in paper form; it is still covered by the GDPR. For example, you might keep electronic records of bank details, phone numbers and email addresses, and you might keep handwritten notes of your therapy sessions. All of this falls under the GDPR.
The GDPR outlines clearly that anyone processing data should be able to demonstrate how and when consent was obtained and that it was obtained for specific, explicit and legitimate purposes. You might find it useful to review how you currently obtain consent. Explicit consent requires a very clear and specific statement of consent – don’t use pre-ticked boxes or any other method of default consent. You should keep your method of consent under periodic review and refresh it if anything changes.
For an example please see the extract of UKCP’s membership application form below:
UKCP’s Data Protection Policy gives details about how data is handled. It includes details on how sensitive information will be protected and used (further details of UKCP’s Data Policy are available on the UKCP website).
I understand that my email address will be used for sending UKCP information. I understand that in pursuit of the provision of a regulatory framework for the profession of psychotherapy, UKCP will hold and process the information that I have provided in accordance with their policies and procedures (further details of UKCP’s Data Policy are available on the UKCP website).
If consent is withdrawn, you will have to take the necessary steps to assess, and if appropriate to delete and erase, any personal information you may have on the individual. This is because in certain circumstances individuals will have the right to have their personal data permanently erased, also known as the right to be forgotten. A full explanation of this, including obligations and exemptions, is available on the ICO’s website.
UKCP is not able to provide a policy on this for our members because everyone’s circumstances will be different, but generally records should not be kept for longer than is necessary.
We can’t offer detailed advice on how long individuals and organisations should keep data for because the types of data held and the reasons for holding the data will vary. The key things to think about are what data you have, and why you have it. Asking these questions will help you to decide how long to keep the data.
You will also need to think about whether the type of data you keep is covered by any legal or regulatory requirements. For example, the Financial Conduct Authority advises retaining financial records for at least five years.
Certain types of records, such as NHS records, are classed as ‘public records’, with specified periods for retention. For other types of records, including client records, there is no set time limit, so individuals and organisations need to decide an appropriate time limit for keeping records before destruction. These might be set to accord with the relevant time limits for responding to a complaint against a therapist or the organisation, or to comply with the time limits for legal actions. For example, complaints made against our members under UKCP’s Complaints and Conduct Process normally have to be made within three years of the alleged conduct.
It is important to advise individuals from the outset about your retention policy including what you are keeping, why you are keeping it and how long you will keep it for. At the end of the agreed retention period, the information should be reviewed and deleted unless there is some special reason for keeping it. If this is the case, you must record your reasons for keeping the information and let the individual(s) affected know why.
You may be asked by the police or solicitors to assist them in a case by releasing your client notes. After receiving such a request you should first seek advice from your professional indemnity insurance provider, as they will normally have a legal advice helpline. If you decide you want to release this information you should seek consent from the individual to pass on the information, and even if you have this, you should remove any information relating to third parties before releasing it.
As previously, individuals will still be able to request copies of all of the data you hold on them via a subject access request. If you want to refuse a request, you must demonstrate that you have met the criteria for doing so.
Previously, you could charge £10 to the individual making a subject access request. Under the GDPR, this has been scrapped.
The timescale for responding to a subject access request has been reduced from 40 calendar days to one calendar month. In exceptional circumstances this period can be extended, but you must explain from the outset why.
If there is a risk to the rights and freedoms of individuals because of a breach of sensitive personal data, you must:
If the breach is unlikely to result in a risk to the rights and freedoms of individuals, then you do not need to report it to the ICO. Regardless, you should document any breach and detail any remedial actions taken to ensure the breach does not happen again.
‘Processing’ means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data.
If, after reading this information and the ICO guidance, you have further questions on the GDPR, please email our data protection team.