If I read another scaremongering article about GDPR (General Data Protection Regulation) I think I’m going to flip!
Every man and his dog seems to be taking the “shock and awe” approach to GDPR and for the life of me I’m not sure why. Possibly, because it’s a change or its EU legislation or perhaps this is the way big business like to motivate us – all stick, no carrot!
I for one, disagree wholeheartedly.
GDPR should be positively embraced and I’d like to illustrate this by considering it from personal and practical perspective.
Let’s say I visit my local physio and she asks me to complete a very typical pre-treatment questionnaire where I provide personal information like:
- contact details
- next of kin
- pre-existing medical conditions
When GDPR comes into effect in May 2018 I will have the right to:
- Access any of this information plus any other content that forms part of my patient record, including notes and expect to be able to read them and understand what they mean without expert medical knowledge.
- Know if my personal information has been forwarded to a third-party (like a fellow healthcare professional, consultant, insurer or school).
- Have any invalid information about me corrected. So say I accidentally stated that I was on Statins on my questionnaire and this information was passed on to an Acupuncturist that my physio works with. If I then informed my physio of the error she would have to notify the Acupuncturist (and anyone else that received the incorrect information) and make sure that it was corrected.
- Have my personal data deleted by my current physio if I decide to switch to another physio. All I would need to do is demonstrate that my current physio no longer needs my information (because she isn’t treating me) or withdraw my consent. My physio then needs to prove (if challenged) that she has deleted my data regardless of whether it is in electronic form or on paper. She would also need to let any third-parties (that have received information about me from her) know that she has deleted my data.
- Prevent further use (or processing) of my information. I could do this if wanted to get a second opinion on some personal information that my physio held about me which I thought was inaccurate or if I wished to pursue a legal claim against my physio.
- Ask my physio to send me (or my new physio) my personal information in an open electronic format like a .csv file or text file.
- Request my physio to stop sending me marketing information.
- Ensure that any profiling that is undertaken using my personal information is fair, appropriate, statistically valid and transparent.
- Expect my physio to take appropriate measures to protect my data.
- Be notified if critical information about me was inappropriately accessed. So, for example if my physio held my NHS Number, Hospital Number, NI Number, DoB, Address and this was accessed by an unauthorised person this would in all probability be deemed to be a critical breach and I would need to be notified (along with the appropriate regulatory body).
- Not have my personal information transferred outside of the EU.
- Know how my personal information is being used by my physio but to all intents and purposes this doesn’t represent much of a change from the current DPA.
In my humble opinion if we think of GDPR in this way it should help us all to:
- Put the legislation into context
- Clearly see the relevance and the need for the legislation
- Incentivise us to embrace it as a positive development
Ideas on Tackling GDPR
- Start from a positive place. Yes, it’s extra work that you could probably do without but this is a good thing that will help to protect us, our kids and future generations as our “digital footprint” expands.
- Familiarise yourself with the legislation; but my advice would be to avoid getting bogged down in the detail.
- Start with the Information Commissioner’s Office (ICO) overview, which you can find here -> Overview of the General Data Protection Regulation and work through each of the “rights” and think logically about how each one might be applied in your practice. Keep in mind that GDPR is a one-size fits all piece of legislation (covering everyone from Banks and social media giants like Facebook to sole traders) so portions of it may not be necessary or appropriate for a small business.
- That said, as a healthcare professional you are the guardian of some of the most sensitive information that an organisation can possess so it does need to be taken seriously.
- Be pragmatic, be thorough and avoid the scaremongers. For example, on numerous occasions I have heard organisations talk about the need for a Data Protection Officer. You don’t – there are very specific circumstances when a DPO is required and I would be gobsmacked if any practices meet those conditions.
- Don’t assume that GDPR is all about security. Yes, this forms a part of GDPR, but in many respects it’s not hugely different from the current DPA or standards of professional conduct that you are required to uphold as a healthcare professional. In reality much of it relates to “process”. For example, how do you demonstrate/log that you have deleted a record? How do you keep track of which third-parties you have sent a record to?
- Be more selective about the information that you hold on your clients/patients. You might find that a broad dataset may cause you issues from a couple of perspectives a) if you don’t need it you shouldn’t have it b) if you have it and there’s some kind of breach the consequences are likely to be more severe as the loss may pose a significant threat to the individual’s security/privacy.
- Formulate a view and plan about what you need to do as the “data controller” (i.e. the person that is responsible for the data). The points I listed above should be a good starting point and I’d encourage you to try and think about each of your client’s “rights” in this way as it should make it easier to formulate an action plan.
- As part of your plan I would do a simple “gap analysis” to work out where the GDPR holes are in your current processes and/or systems. If you’re using a system to manage your practice, talk to your provider to find out how they (as your “data processor”) will be able to help you fill the gaps.
- If you’re not using an electronic system there will be elements of GDPR that will need some creative thinking and/or admin diligence but don’t let anyone tell you it’s not possible. For example, if you send information to third-parties you are going to need to maintain a paper log of who received the information, when and via what channel. It’s certainly do-able if you’re a paper-fan but it will require discipline.
- Do your own research and take advice from trusted sources like ICO and your professional body. Lots of organisations are jumping on the GDPR bandwagon and it has a faint whiff of Y2K for those of you that can remember that! Yes, it’s a milestone event and yes you need to think about it and yes you will need to take some action but it’s not an impending disaster either.
- Lastly, take your time. I’d start thinking/researching now and plan on getting any changes that you are going to make around Christmas. This should give you 4-5 months for things to bed down ready for the deadline on 25th May 2018
In conclusion, this article is intended to be a counterbalance to the slew of negative stories that I’ve read about GDPR. We and I are not experts in GDPR. We have researched it in detail so that we are well placed to provide our users with the tools that you to comply with GDPR.
If you have any questions about GDPR please feel free to send them through to us at firstname.lastname@example.org and we’ll do our best to provide you with a considered perspective, however if you want a professional opinion I would strongly recommend you to contact ICO or a data protection specialist.
WriteUpp is a beautifully simple cloud-based and mobile practice management system. You can try out WriteUpp any time by taking a free 30 day trial or have a look at what our users say about us on our Facebook Review page. We cut our teeth working with AHP’s in the NHS and still work with a number of large Trusts in England & Wales. Our “HQ” is in the delightful City of Chester but the rest of the team are distributed across Yorkshire, Scotland and Denmark.