The GDPR deadline is just days away and in all likelyhood there is going to be a lot of clinicians feeling rather underprepared and some other clinicians feeling REALLY rather underprepared. If you are one of them, you need to prioritise the steps you are going to take in the next few days to ensure that you do not miss the GDPR boat.
GDPR is not like Y2K, as it doesn’t mean that if you survive the date passing by, that you are in the clear. You have to make sure you are GDPR compliant going forward. Don’t stick your head in the sand about this. You might be convincing yourself that the ICO initially will be going after the bigger fish, and you will probably be right, but never the less it only takes one disgruntled patient to throw you into a bit of a tail-spin because you haven’t got your documentation in order.
This Ninja blog is about Privacy Notices.
The ICO makes recommendations about the kind of stuff you need to be putting into your privacy notice, but it doesn’t mandate what has to be in it, and it doesn’t give you a template (isn’t that inconvenient). Nevertheless, if you follow some basic principles it’s not too difficult to write your own Privacy Notice, but you literally need to give yourself a whole day to do this.
Your Privacy Notice should contain the following 8 items…
The name and contact details of your organisation (in other words your private practice) and the contact details of your data controller. The data controller is you if you are an individual private practice clinician and if you are not already registered with the ICO, get on over to their website and sign up asap. It’s a good idea to put in the email address that the person, whom the data subject i.e the patient can contact you via, if they have questions.
Declare your lawful basis or bases for processing personal data. Many people have quite rightly got very confused about this, there are various categories that you can use to legitimise your processing of personal data. For us clinicians, that probably looks like using the law for your lawful basis because we are required by law to keep medical notes as part of our patients care.
You can quote a whole load of stuff from Caldicott guardians various health and social care acts in your privacy notice to back this up. You may also want to say that you are processing data through legitimate interests when you are doing marketing. More of that later.
State the categories of personal data that you are processing and this is known as Standard personal data so things like the person’s name, email address, date of birth etc and also Special Category data which includes things like medical history, sexual orientation, race and genetic history. You need to explain how you collect it.
This requires a little bit of storytelling.
For example: “If you get in touch with us via the telephone to make an appointment, we will collect your personal data, such as your name, email address data of birth etc and we will collect special category data face to face during consultations but also the data may come in the form of MRI reports blood test reports etc”.
Record how long that information (data) will be retained. Trying to remember how long all the different categories of medical data need to be retained for is a bit tricky, there are far more variations of this than you would believe.
On the whole children’s data needs to be kept for a whole lot longer and if the patient has had cancer, it needs to be kept for a lot longer even still. One of the best ways to handle this, rather than having to print out a massive excel sheet and pop it into your website, is to put a URL link to the NHS records management code for retention summary the reason is we use the NHS guidelines is because it is a gold standard for our industry so even if you are in private practice , it makes sense to use this .
A list of the 8 patient’s rights.
What the heck does that mean? Well, you might want to consider putting the following…
The right to be informed, which basically means to understand how we as clinicians use and collect data.
The right of access. This means the patient has the right to ask us for the data that we keep on them and this is known as subject to an access request.
The right to rectification. This is where patients can ask to have their data altered. This right isn’t absolute, and you need to explain this.
For example: You can’t change a person’s data, just because they don’t like the diagnosis. You can, however, correct the data if there is a glaring inaccuracy and you have called them Mr and they are in fact Mrs.
The right to erasure. While patients have the absolute right to be erased from your marketing systems but they don’t have the absolute right for you to dispose of their medical history, because we are bound by legal obligation to keep their medical data. You need to explain it this way. Make sure you explain they still have the right to object.
The right to restrict processing. Which means that a patient can ask you to stop processing their , which is a bit like putting their data on ice. You have to then tell them that if they want you to do that you cannot then add to it. In other words, your medical care of them ends there.
The right to data portability. Because we legally have to keep patients notes and we are not using consent as our lawful basis as our way of working with the data. Patients don’t have the right to data portability, but they might have the right to data portability for standard personal information that you are using if you are marketing to them, using consent as a lawful basis.
The right to object. If their data is being used under illegitimate interests or being used for direct marketing. The right to object to data being used in an automated decision making and profiling way. Think of all that tacky stuff that Facebook has been doing and then it will make sense.
The right to lodge a complaint with a supervisory authority such as the ICO.
A description about the people who the data may be shared with, in other words, the recipients of personal data. You might want to phrase this along the lines of…” We share personal/special category data with other clinicians involved in your care such as surgeons, physiotherapists etc. We also share your personal/special data if we are advised by law such as in the case a public health issue such as smallpox” – you get the jist.
Explain the way our data is stored and the safeguards if data is transported outside the Economic Union. This mean describing that you have had a good check through where your data is being stored and that you are confident that the people who are storing the data such as places where data is backed up, or practice management software data storage, is legit.
A description of your tech, and the organisational security. We use laptops which are encrypted everyone knows to lock their screen when they are away from their desk and use encrypted email for sending around your personal/special data.
You are now the proud owner of a beautiful bouncing
All of the contents of your Privacy Notice – once checked – needs to then go up onto your website.
Put it onto a page which is ‘visible’ – in other words not hidden behind a link. State that ‘this is a Privacy Notice’ and it needs to be easy to read, so think about the design of your web page.
If you have time, try to put it into little collapsible boxes so that it makes it easier to chug through for somebody who is reading it or at the very least use large fonts for headings, try using different colours to high light areas of text, to make it much more scan-able.
Now some of you may be thinking …
” Yay-hey I don’t need to be thinking about any of this because I don’t have a website” xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx …You would be wrong.
WARNING: If you are a data controller, you need to have a data Privacy Notice.
(This is probably one of the best reasons to get a website if you don’t already have one.)
In the meantime ,if you don’t have a website and given that GDPR deadline is almost upon us. What you can do is use a quick and dirty hack to be able to store and access your data privacy notice in a digital filing system.
This is the one time ever that you will hear me suggest Dropbox, because generally speaking, I think we need to move away from Dropbox (nice as it is) it’s definitely not a place for storing personal or special patient data but it is a place that you can store a Privacy Notice if you are caught in a bind .
Here are the steps to make a Dropbox hack:
Go to: www.dropbox.com make a ‘new account’ and sign into it. You will see within the Dropbox filing system there is something called a ‘public folder’ right click on the public folder, then create a new folder, renaming it ‘privacy notice’. What you then need to do is pop a PDF of your Privacy Notice into the folder. Then, right click on the file containing the privacy notice and it will give you an option that says ‘copy Dropbox link’. Copy that link! This is the URL link which you can then store in your email signature and it will point patients to the Dropbox folder, where they can open and read your Privacy Notice.
The one problem with this is that GDPR wants everybody to have easy access to your Privacy Notice and not everybody will have a PDF reader on their device or laptop, never the less if you are caught in a fix we would much rather you did this than you didn’t.
Get going with your privacy notice as soon as you can and if you need any help please do not hesitate to conatact us firstname.lastname@example.org
We’re actively working with Private Practices and Clinicians to provide a consultancy service to assist with the Privacy Notice and the other GDPR documentation you are legally required to have in place.
If you feel like your Private Practice needs help with gaining referrals, effective ways to work within social media,
Together we can grow your Private Practice.
email or call us 0207 993 6425