Unless you’ve been under a rock for the past few months, you’ll be aware that changes are afoot in the data protection world. Your inbox is probably full of emails from organisations using various catchy phrases to get you to “opt in” to receiving communications (my favourite was headed “darling you’ve got to let me know, will you stay or will you go?” – who said data protection couldn’t be fun?!). But what is GDPR and what does all this mean for you as a therapist?
What is GDPR and does it apply to me?
The General Data Protection Regulation (GDPR) comes into force on 25 May, and applies to individuals and organisations within the EU which process (collect and use) personal data. Personal data is very broadly defined, even including a person’s name. There are extra safeguards for sensitive personal data (known as special category data), such as information about a person’s health, sex life, sexual orientation, politics, religion etc.
In short, assuming you have (or have ever had) clients and have recorded anything which can identify them, the GDPR will apply to the way you use and store this data.
Following the steps below should help you to ensure you’re compliant with the GDPR and minimise the risk of a data breach (such as an accidental loss or disclosure of personal data). Clearly such breaches are potentially devastating to clients and can undermine the trust in your therapeutic relationship. As if that’s not incentive enough to get your house in order, under the GDPR, certain types of data breach must be reported within 72 hours and could result in a hefty fine from the Information Commissioner’s Office.
What should I do?
1. Audit: before you run for the shredder, you should carry out an exercise to see what data you hold and where you keep it. Notes from therapy sessions may be the most obvious example of client data, but many other documents you create from day to day in your practice may also include personal data of your clients, such as invoices, diary appointments and supervision notes.
2. Categorise: In order to collect and use personal data, you must have a lawful basis to do so. The relevant lawful basis will depend on the type of data. The legal basis for recording and storing client notes and related information is likely to be “legitimate interests”. This is the most flexible lawful basis, and applies where you are using clients’ data in a way they would reasonably expect and there is a minimal privacy impact. When a client registers with you and attends treatment sessions, they will expect you to keep a record of their contact details so you can contact them to arrange and discuss treatment. They will also expect you to keep some sort of record of your sessions with them, to assist in their ongoing therapy. If you wish to use the data they have provided for another purpose, which they may not anticipate, you are likely to need another lawful basis for this.
Notes of treatment sessions with clients (as opposed to client contact details or other, less sensitive information) are likely to fall within the definition of special category data. This means you will need an additional condition for using and storing this data, such as where processing is necessary for the provision of health care or is necessary for reasons of substantial public interest (the provision of confidential counselling where it is unreasonable to seek consent could fall within this condition).
Once you have a clear picture of the data you have, how old it is and where it’s stored, it’s time for some housekeeping.
3. Delete and protect: you should ensure personal data is up to date and that you only keep it for as long as necessary. The length of time you can justifiably keep personal data depends on the context. For example, you are likely to be able to justify keeping notes of therapy sessions with clients for longer than names and contact details of prospective clients who did not attend for therapy.
You should also ensure the data you hold is kept securely to minimise the risk of a data breach. Do you have measures in place to protect against accidental loss, destruction or damage, and to ensure that the data is only accessible to those who need to see it?
4. Draft: when you’re happy that you have a lawful basis for storing and using all of the personal data you hold, that it’s securely stored and that you have destroyed any unnecessary or out of date data, you’ll want to make sure you stay this way. Ensure you have appropriate policies and procedures in place, and that all staff members read and understand them.
This may all seem like an administrative nightmare. However, if you take this as an opportunity to finally unclog your inbox and clear some space on your shelves, you may find complying with the GDPR to be surprisingly therapeutic (see what I did there?!).
This article first appeared in the Holistic Therapist.