The deadline for the introduction of GDPR (General Data Protection Regulation) is fast approaching so we thought it was time to provide an insight into what Rushcliff has been working on, what you can expect to see over the new few months and our take on the legislation in general.
What is this post? (And what is it not?)
By now most of you will have heard about GDPR and I imagine most of you are considering the ways in which it will affect you and how you are going to ensure you comply with the regulations. If you haven’t already, now is the time to start!
PPS can help you meet your obligations under GDPR, however, your responsibilities extend beyond any systems that you use and no software package will be able to provide a ‘one-stop’ solution for ensuring that you comply with all aspects of the requirements of GDPR. In this article, I am going to highlight some of the most significant aspects of GDPR that will likely affect all of our clients and, where appropriate, discuss how PPS can help you meet these obligations. This is not an exhaustive list of your obligations under GDPR and whilst I hope that this post is useful, provides answers to some of your questions and even helps direct your own research please keep in mind that the information in this post does not constitute legal advice. We have spent a significant amount of time researching GDPR and have taken the appropriate legal advice to ensure that both the products and services that we offer and our own internal working policies are fully compliant with the regulations, however, it is important to state that we are not data security or GDPR consultants and are not the organisation to turn to for formal or legal advice.
If you are unsure about GDPR or have questions relating to your responsibilities under the new regulations you should seek professional advice.
Your professional society and the Information Commissioner’s Office (ICO) are great places to start and, of course, employing the services of a data protection or GDPR specialist will help you ensure that you are doing everything you need to comply with the regulations.
What, exactly, is GDPR?
GDPR is the new regulations governing the collection, storage and use of personal information. It aims to ensure that personal data about individuals is only collected when it is needed and when it is collected, that it is used and stored in a way that provides protection, security and control to the individual that the data concerns.
One of the first points you will often see when looking into GDPR is the potential fines for non-compliance. The reason for this prominence is the how large the maximum potential fines are; up to €20,000,000 or 4% of the company’s annual global turnover, whichever is greater, for the most serious infringements.
Who does this apply to?
GDPR applies to all businesses that collect, store or use personal data on EU subjects, regardless of whether the business is based within the EU or not.
Organisations that process personal data are categorised into two groups which are defined as:
- Data controllers are “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data“.
- Data Processors are “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller“.
In our context, you, the clinic and its members of staff, are the data controller and we, Rushcliff and its team, are the data processor.
Both data controllers and data processors have their own responsibilities under GDPR and I will discuss some of these in more detail later in this article but, in general terms, you, as the data controller, are responsible for deciding what personal information you are processing, why it is being processed, observing individual’s rights in relation to their data being processed and ensuring that the data is processed securely. Rushcliff, as a data processor, is responsible for ensuring that data we process on your behalf is done so securely, on your instruction and in line with the regulations set out under GDPR.
What information does GDPR Cover?
GDPR applies to ‘personal data’ that is ‘processed’ by organisations.
Personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Basically, any information about a particular individual, where the individual can be identified, either directly or indirectly, is subject to the rules of GDPR.
Processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
This definition broadly covers all aspects of data collection, modification, use and storage.
The regulations cover both electronic and paper records, therefore, in addition to any electronic systems that you use you will also need to consider any paper records that you keep when planning your preparations to ensure you comply with GDPR.
The GDPR comes into force in full across the EU on the 25th May 2018.
The regulations currently governing the collection, use and protection of personal data in the UK are set out by the Data Protection Act 1998 (DPA).
The Data Protection Act intends to ensure that individuals have rights over data held about them and can expect that the data is handled appropriately, however, since 1998 the number of online services that we all use on a day to day basis, the way in which we use these services and the amount of personal information that we share with them has increased dramatically. GDPR is, in my opinion, an overdue modernisation and enhancement to the current data protection regulations that provides protection and rights to individuals that are appropriate and proportional for the way in which information is collected, used and stored.
What are the regulations?
GDPR covers all aspects of data capture, storage and use. There are definitely some new regulations, some of which may seem quite daunting at first glance, but many of the regulations are not new to organisations in the UK or other EU countries and we should not be alarmed by the introduction of the GDPR. We all want to know that organisations that hold personal information about us are handling the data appropriately, that we have the ability to make sure that it is accurate and that we can request this data is removed if we no longer want an organisation to hold information on us and GDPR affords us these rights.
There are too many regulations for me to list them all here and whilst most apply to all organisations some will be more relevant than others to your clinic. Below I have highlighted some of the important items that most of our clients will need to be aware of. This is by no means an exhaustive list of your obligations under GDPR and should not be seen as your only guide in ensuring that you comply with the regulations, I do hope, however, that it will be helpful in identifying some of your key responsibilities and will clarify how PPS can help you manage these as you consider your obligations.
A major aspect of data protection is ensuring the security of data that is held. This can be separated into two main areas, the technical methods used to keep data secure and the working practices of organisations.
Article 32 of GDPR addresses the technical requirements for data processing. There are no specific regulations or requirements in terms of technical measures that must be employed to secure data that is being processed; instead, this article states that the security measures being used must be appropriate to the data that is being processed.
There is no “one size fits all” approach here, the security measures employed need to take into account the type of data that they are intended to secure, the types of technologies available and in use, the cost and difficulty of implementing such measures and their benefits.
We know that clinics are likely to hold a large amount of information about individuals and much of this data may be sensitive in nature which is why we take data security so seriously here at Rushcliff. We invest a large amount of time into both ensuring that our products are secure in their design and providing our users with the tools they need to secure their data.
If you use our cloud-based products, including PPS Hosted, PPS Express, PPS Remote and PPS Online Booking then we host your data. This means that your data is held in state-of-the-art secure UK data centres managed by iomart, one of the UK’s leading data centre providers. Our supplier is ISO 27001 certified and employs an array of methods to ensure that your data is kept safe, secure and accessible including:
- An Enterprise class firewall system that prevents unauthorised access to the servers and data.
- Redundant hardware ensures that failure of a component piece of hardware does not cause loss of access to systems or loss of data.
- Physical security is provided through 24/7/365 data centre staffing and with CCTV cameras, motion detectors and a secure key fob access system.
Whenever you connect to any of our cloud-based systems SSL is used to encrypt the connection, ensuring that your data remains safe and secure. If you have multiple PPS systems that synchronise, TLS is used to encrypt your data whilst it is being synchronised between your systems.
If you use PPS Local then you store and manage your data. You need to make sure that your data is secure in this situation. There are many aspects to consider and ways to achieve this and the right solution will vary depending on your situation. These may include local encryption of folders or whole drives on your machines, the physical security of devices that have information stored on them and the access controls for the devices themselves, such as passwords or smart cards. An IT or data security consultant can help you make sure you are meeting your data security obligations in this regard.
Keeping your IT systems up to date and keeping on top of security updates and patches is also very important. When security vulnerabilities in systems are discovered and resolved or security enhancements are developed, patches or updates are made available by the manufacturers of the systems. It is important to apply these in a timely manner to ensure the security of your systems.
If you are unsure what type of PPS systems you currently use please refer to your latest invoice or contact us, quoting your registration number, and we will be happy to clarify this.
In addition to technical measures, it is important to understand the role that an organisation’s working practices play in ensuring data is secure. The need to assess the risk of accidental or unlawful access to, use of and destruction of personal data is also described in GDPR Article 32.
Again, I cannot list everything that should be considered in this article and any working policies need to be reviewed in the context of your organisation so please do not take this as a definitive list. I will, however, briefly discuss some important working practices in relation to data security and, where applicable, how PPS can help you achieve these.
Data Access Controls
Organisations can hold a large amount of information on individuals and it is unlikely that all members of staff will need all levels of access to all information. Controlling which personnel have access to different types of information and what types of activities they can perform with this data is an easy and effective method to reduce the risk of both accidental and intentional misuse of data.
PPS provides extensive options allowing you to control what information within your PPS system each user can process. For each user in your PPS system, you can set exactly what types of information you would like them to be able to view, add to, edit, delete or export, where relevant.
The right settings to use here will depend on the way in which your clinic works, the first step is to assess what data each member of staff requires access to and how they need to use it, you can then apply these controls in PPS. For example, does your reception team need access to the clinical notes of patients? Do practitioners need to be able to edit accounts records? If not, remove the ability to view these areas or perform these actions from each user that does not need it.
One change that we often recommend implementing is to prevent all users except the system administrator or senior management from deleting records of all kinds to protect against the loss of information either maliciously or, more commonly, accidentally. You can then set your own internal procedures for how requests to delete information should be escalated and PPS can help here too. Creating a personal action within PPS, associated to the patient and assigned to the user or group that is responsible for the deletion of information is a quick way to process these requests and allows the individual responsible for completing them to easily and quickly ensure they are looking at the right patient’s record.
Passwords play an important part in the security of almost all systems that we use but they can only be effective if used correctly. The most secure of systems can be easily compromised by bad password practices. Some simple tips to ensure that password use is secure include:
- Choose a strong password that is not easy to guess.
- Do not write passwords down.
- Do not repeat passwords across multiple sites, services or programs.
- Do not share your password with anyone else.
- Don’t require users to regularly change their passwords.
- Ensure that your password policies also apply to access to devices.
Legal Basis of Processing – What data is being processed and why?
All information processing must be done under a ‘lawful basis of processing’. There are six separate lawful bases of processing set out under GDPR Article 6. I have listed and summarised each of these below:
- Consent – The individual has provided clear consent to their data being used for the specific purpose it is being used. This is not a ‘one-off’ event but instead is continual, when information is processed based on consent the individual can withdraw their consent whenever they please and you must comply with this. It is your responsibility to prove that you have obtained consent from the individual and demonstrate that you have complied with the regulations in order to make this consent valid.
- Contract – The processing is required to allow you to fulfil your contractual obligations to the individual or because they have asked you to do something before entering into a contract, such as providing a quote. This does not need to be a formal written contract, provided the exchange meets the requirements of contract law.
- Legal Obligation – You need to process the data to comply with a legal obligation that you are subject to. This could include, for example, legal requirements relating to clinical oversight or accounting regulations.
- Vital Interests – If you need to process the data to protect an interest vital to the life of any individual then you can rely on this basis of processing.
- Public Task – The information processing is required for the completion of a task in the public interest or for the exercise of official duties. This will generally apply to public authorities but may also apply to some organisations that perform these tasks.
- Legitimate Interests – If you have a legitimate interest in using the information then you may be able to rely on this basis of processing. This is the most flexible reason for processing but comes with some additional responsibilities to you, the controller, including evaluating if the processing is necessary for the specific interest, if the individual could reasonably expect you to use their data in this way and if it can be achieved by another means. In order to process data under the legitimate interests basis, you will need to perform a balancing test to ensure that the interests of your organisation in using the data for this purpose are not outweighed by the individual’s rights and freedoms.
As a data controller is it your responsibility to identify what personal data you are processing, why you are processing it and what legal basis applies to each processing activity. Any personal information that you process must be done so under one of the reasons above, if you cannot process the data under one of these reasons then you have no legal basis to allow you to process the data.
These basis of processing are largely the same as the ‘conditions for processing’ set out under the DPA, therefore, if you are already set up to comply with the existing regulations there may not be a significant change in the basis that you use for the processing of different types of personal information. This is, however, a good time to review the information that you are collecting from clients and the basis under which you are processing it.
It is important to ensure that you select the right basis of processing from the outset as this cannot later be changed for data that you have already collected. For example, if you ask patients for their consent to process their personal information they are free to withdraw this consent at any time and you cannot refuse this request. If the processing of the personal information is essential to your business activities, such as information that you have a legal obligation to record, this could put you in a difficult position as you cannot simply continue processing the information and change the basis on which it is processed but would, instead, need to capture this information again from the patient under the newly established basis of processing – something the patient may not necessarily agree to. Furthermore, some of the rights that GDPR provides to data subjects depend upon the basis of processing. For example, the right to erasure does not apply to data processed under the legal obligation basis of processing.
There is additional protection provided to ‘special categories of personal data’, data that may be particularly sensitive, including information on racial or ethnic origins, data concerning a person’s sexual orientation and, importantly here, information on the data subject’s health, that prohibits their use in most cases. In order to process special data you must identify a condition of processing under Article 9 in addition to the legal basis of processing of the data. In the case of clinics providing healthcare services, this will be Point 2) h), processing is necessary for the provision of health or social care.
It is also important to consider that it is very unlikely that many organisations can rely on a single legal basis of processing for all of their data processing activities. Different types of information are likely to have different legal bases of processing and you will need to ensure that you are clearly communicating to your clients the various bases under which you are processing their personal information. You should clearly record what information you are collecting on individuals and the bases of processing that you are using in your internal working policy and procedure documentation.
The majority of the personal information that you process is likely to be related to clients but it is important not to overlook any personal information that you hold on other individuals, such as employees, as they have the same rights as any other individuals under GDPR.
Both the official GDPR documentation and the ICO’s guidelines are good resources for more information on the different legal basis of processing. If you are a member of any official societies these may also have their own recommendations on selecting the correct basis of processing for the personal information that you process.
You must inform data subjects who you are as an organisation, provide your contact details, detail what personal information you collect and how you process it and inform individuals of their rights in relation to the data you process, among other items. This is done through privacy notices and is detailed in Article 13. GDPR includes more detailed requirements for privacy notices than the DPA that are largely intended to make the notices more accessible and understandable, therefore you may need to review your current privacy notices to ensure that they meet the updated regulations.
Article 12 of GDPR states that privacy notices must be:
- Concise, transparent, intelligible and easily accessible.
- Written in clear and plain language.
- Made available free of charge.
The time at which this information should be made available to the individual varies on the circumstances but in general if you are collecting the information directly then it should be at the point of collection of the data, if the data has been passed to you by another controller then it should be ‘without undue delay’ and at most within 30 days of receiving the information.
You still have the flexibility to decide on how best to present your privacy notices to your clients and you do not need to rely on a single method. Using a ‘layered’ approach can be effective, presenting a concise summary of the most important points with the option for individuals to see more information if they wish. The medium by which you display your privacy notices will also depend on what is most appropriate for your organisation. If you are collecting personal information verbally from patients whilst they are booking their appointment, for example, it may be most appropriate to display a prominent notice of the important points at the reception desk with more information available either in written form or hosted on your website that you direct individuals to.
For clinics that use the PPS Online Booking system to allow their patients to book appointments online, we will be releasing an update that will enable you to easily include your privacy notice within the booking process. This will allow you to make your patients aware of your data processing policies before you ask them to submit this information as part of the appointment booking process.
PPS also allows you to import or create email templates to send to patients, you could include your privacy notice, or a link to it, within your appointment booking confirmation or reminder emails or create a dedicated email template for this purpose that you can send to clients that request more information.
The ICO provides, on their website, more details on exactly what information should be present within privacy notices.
The right to access (Article 15)
Individuals have the right to access their personal data that you hold on them and receive an explanation of how you are processing this data in clear, understandable terms. This applies to all personal information that you hold on an individual, not just information contained in any practice management system that you use, therefore, you will need to assess if you also hold personal information on the individual in other systems, such as email or marketing systems. Keep in mind this does also extend to paper records if kept in a filing system therefore if you use paper for some or all of your records you will also need to supply copies of this information.
We will be releasing updates to both PPS and PPS Express that will allow you to export all personal information that you hold on a client which you will then be able to supply, along with your explanation of how you use this data, to the individual.
You will need to identify anywhere that you store personal data on individuals in order to plan how you will comply with these requests and should document this somewhere that any members of staff that are expected to handle these requests can access it. Except in some special circumstances, you must provide this free of charge.
The right to rectification (Article 16)
You must allow clients to amend any personal information that you hold about them that is either incorrect or incomplete. Additionally, if you have shared their personal information with any third parties it is your responsibility to also inform these third parties of this rectification. If it would be unreasonably difficult to notify third parties of this change then you may not need to do this, however, you should document the request and why you were unable to comply with the requirement to notify the third parties and will need to notify the individual of this decision.
The right to erasure (’right to be forgotten’) (Article 17)
The right to erasure provides individuals with the right to have their personal data removed from a data controller. The implications of this particular right have caused concern to some organisations however it is important to note that this is not an unequivocal right and only applies in certain circumstances which include:
- The data no longer being necessary for the purpose for which it was collected.
- The data subject objects to the data being processed with no overriding legitimate grounds to continue the processing.
- The data processing is based upon consent and the individual withdraws their consent.
A large amount of the data that clinics collect is likely to be done so under either legal obligation or contractual bases of processing and, as such, will likely fall outside the scope of this right. If you also collect additional information from individuals for different purposes, such as marketing, this right may apply to that information.
If a request is received from an individual to remove their personal information and you do not intend to comply with the request then you must inform the individual of this without undue delay and, at the latest, within 30 days of the original request being received. If you hold multiple types of information on an individual you may want to consider if you can remove some of their personal information, even if you cannot fully remove their information.
In cases where there are no overriding legitimate grounds to continue processing an individual’s data you must remove all of their personal data that you hold without undue delay, at the latest within 30 days of receiving the request. PPS maintains a database audit that allows you to view all changes and actions performed within PPS that inherently contains personal information on individuals which is why we will be releasing an update to PPS and PPS Express that will allow you to complete a ‘hard deletion’ of a client. This will differ from the current deletion facility as it will also anonymise any information relating to the individual within the database audit. We understand that if used incorrectly this could have serious consequences, therefore, we will also be introducing an access control for this functionality to allow you to set exactly which PPS users can perform this action. You will also need to consider other systems you use that may hold the client’s data, such as your email system, and ensure that you also remove their data from these systems.
This right may also have implications on the backup strategy that you employ as it will not be permissible to retain an individual’s personal data within a backup if you have been required to remove this data. The backup section later in this article will discuss this in more detail and provides more information on backups for the different systems that Rushcliff offers.
The right to restrict processing (Article 18)
In some circumstances, you may need to restrict processing of an individual’s data to prevent use, modification or removal of their data either temporarily or permanently.
Recital 67 states that “in automated filling systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated by the system.”
We will also be releasing additional functionality for PPS and PPS Express that will allow you to restrict the full client record and will clearly indicate to others trying to access the record that it is currently restricted.
The right to data portability (Article 20)
To facilitate individuals being able to move their data to a different data controller they have the right to receive a copy of their personal information that you hold in a commonly-used machine-readable format. This is not an all-encompassing right but instead applies when the processing of the data is either based on consent or contractual requirement and to data that the client provided to you.
In PPS terms this means that if you are processing a client’s data on the contract basis of processing then information such as their client details would be within the scope of the request but accounts information for your billing of the client would not.
The ability to create a single client export in a machine-readable format for data that may fall within the scope of this right will be included in updates to PPS and PPS Express.
The right to object (Article 21)
Individuals have the right to object to their data being processed when the processing is on the grounds of legitimate interest or a public task. Whilst this right applies to any personal information being processed under these bases, specific reference is also made in this article to data that is used for direct marketing purposes.
This article does contain a balancing clause that allows you to continue to process a client’s data even after an objection if you can demonstrate compelling grounds on which you need to continue the processing, provided the client’s rights do not outweigh this. If you do deny a client’s request to stop processing their data then you must inform them of your decision and the reason why.
An update to PPS and PPS Express will allow you to record a client’s objection to their data being processed under this right.
The right not to be subject to automated decision making (Article 22)
In general, individuals have the right to not to be subject to decision making about them solely by automated means that may legally or significantly affect them. There are some circumstances under which you may be able to continue to perform solely automated decision making, these circumstances depend on the type of data that you are processing.
If you do undertake any automated decision making on individuals you may wish to review this to establish if you will be able to continue this processing once GDPR is in force. Keep in mind when reviewing automated processing that this, as with the other rights under GDPR, is not limited to patients but extends to all individuals therefore if, for example, you have recruitment aptitude tests that are completely automated these could be considered to fall under this regulation.
On Receiving and Handling Requests
The DPA allows you to require individuals to submit all requests in writing to a postal address, this will no longer be permissible under GDPR. You will need to assess the ways in which you will allow clients to submit requests but these should not make the task of submitting a request unreasonably difficult. You will need to balance the ease of requests for clients with the need to verify that individual is who they say they are.
On Data Retention Periods
GDPR stipulates in Article 5 that data should only be retained for as long as it is necessary for the purpose for which it was originally processed. There are a number of potential issues that can result from unnecessary retention of personal information including increased risk that the data will become out of date or inaccurate, additional work reviewing and maintaining the stored data and additional work in the form of data access or rectification requests for data that you are still processing. It also unnecessarily increases the total amount of information that could be compromised in the event of a personal data breach.
Once personal data is no longer required it should be removed, in order to facilitate this task you should consider reviewing the categories of personal data that you hold on individuals and setting retention periods for each.
For clinics, this will mainly affect clinical notes. You will need to consider how long you need to maintain clinical notes records. The retention period for clinical information will likely depend on the types of services that your clinic offers; if you are unsure how long you should be retaining clinical records then you may wish to consult your governing body or official society for advice. The NHS also has its own guidelines, published under the Records Management Code of Practice, that details retention periods for different types of medical records for those that work with or in the NHS.
The retention period of the client record as a whole is something that you may also need to review. This is likely to depend on your situation and the type of data that you process; if you are no longer completing any processing activities relating to the individual then you should review if you need to continue to hold the client record as a whole or if this should be removed.
PPS makes reviewing client records easy, the powerful reporting capabilities available allow you to identify client records to review based on the retention periods or other criteria that you set. There is no “one-size-fits-all” report that we can recommend as the exact criteria required will vary from one organisation to the next depending on their own policies but a good place to start is likely to be the client list reports. These reports will allow you to highlight clients that have not been seen in your clinic for a particular period of time or clients that have no appointment, accounts or clinical records, for example.
We will be introducing a new feature to allow you to remove all clinical records for a selected client in one action to allow you to implement your data retention policy. This feature will also come with its own access control to allow you to choose which system users can remove clinical records in this manner.
We have recently had several requests to completely automate this process, therefore, I would like take this opportunity to state that we will not be fully automating the process of removing either clinical notes from a client’s account or the client’s account as a whole. We intend to make this as quick and easy as we can but there are many elements that determine if a record needs to be removed, a task that will need to be conducted by a qualified individual. Additionally, as this could relate to healthcare information this could be deemed to have a significant impact on the individual and as such it would not be permissible, under Article 22, ‘the right not to be subject to automated decision making’, to fully automate this task without human intervention.
Email is a very widely used communication medium but can present its own challenges in relation to data protection and GDPR. I have listed some of the primary concerns with the use of email below.
- Human error – one of the biggest causes of data breaches is human error. Accidentally sending any personal information, but particularly sensitive information such as healthcare records, to the wrong recipient can have serious consequences. When email is used, consider ways to minimise the risk of error. PPS users could require all emails to patients be sent exclusively from your PPS system. This will allow you to ensure that you have the correct recipient address selected and you can introduce other working policies to require users to confirm that they have the correct client record selected. It also avoids the issue of your email client auto-completing the wrong email address when you are entering it!
- Email encryption – I have seen many articles stating that when GDPR comes into force all emails will need to be encrypted, this is simply not true. Encryption is a great way to ensure that the contents of an email are protected and if you are often sending emails to other businesses, such as insurance companies or CCG’s then it may be an appropriate way to protect information that needs to be transmitted. The primary issue with encrypted email is that it generally relies on either proprietary email clients, where the recipient has to have a particular program or app to open the email with, or on having exchanged ‘private keys’ in advance that are used to encrypt emails. Both of these options are likely too high a barrier to sending encrypted emails directly to patients.
- Data access requests – If a client exercises their data access right you may be obliged to provide personal information that is contained in email exchanges, however, the right to their personal data does not give individuals the right to the emails themselves and, depending on their nature, they could contain personal information on other individuals or information private to the organisation. Policies on the way in which email is used as a communication medium, such as ensuring where possible that separate email exchanges are maintained for different clients, can help minimise the potential issues and administration work that this can cause.
On Direct Marketing
Many of the regulations under GDPR are intended to give individuals more and clearer control of the type and quantity of direct marketing that they receive however this is not, as some organisations have suggested, the “end of email marketing”.
The current regulations under the DPA already contain a large portion of those within GDPR so if you are compliant with the existing regulations then your marketing strategy may already be largely ready for GDPR.
I will not be listing all of the considerations to direct marketing under the GDPR, (that could be an entire article on its own!) but there are some key points to the direct marketing regulations, a few of which I will highlight below:
- Direct marketing applies to all marketing activities directed at individuals and is not limited solely to marketing via email or SMS, you will need to ensure that any postal or other direct marketing that you undertake also meets the regulations.
- Whenever you are processing data for marketing purposes based on the individual’s consent you must require the individual to explicitly opt-in to this processing. GDPR specifically states that for consent to be valid tick-boxes cannot be ‘pre-ticked’. Using a ‘double opt-in’ system, where the individual initially opts-in to receive marketing communications and is then required to confirm this choice, is being recommended by the ICO but is not essential to comply with GDPR.
- There is no legal basis of processing under which clients will be unable to ‘opt-out’ of receiving marketing materials. Whether the basis of the marketing is consent, where the individual will always be able to opt-out at any time, or the basis is legitimate interest, in which case the individual can object to the processing.
- The definition of personal data has been modernised to include online information that could be used to identify an individual such as IP addresses, mobile device IDs and encrypted data. You may need to review anywhere you collect information of this nature, such as analytics built into your website.
- There are new controls in place to protect the processing of data relating to children, including introducing a minimum age at which an individual can give valid consent to their personal data being processed. We will look at the new rights and protections for children’s data in more detail later in this article as they do not exclusively relate to marketing activities, however, they are important to consider in your marketing strategies. As most clinics are unlikely to have marketing campaigns targeted directly at children complying with this regulation can be achieved fairly simply by excluding any records that you hold on children from your marketing activities. When running reports within PPS for marketing purposes you can use the age criteria to exclude children from the results.
- Use of a dedicated direct marketing system can simplify the processes of managing your marketing activities, provide you with new tools to enhance the recipient’s experience and help protect you by ensuring you are compliant with the regulations. There are many systems available and you can take full advantage of these by using the PPS reporting system to export your client records to the system you use.
- GDPR replaces the DPA but it does not replace the UK’s ‘Privacy and Electronic Communications Regulations’ (PERC). You will still need to ensure that any direct marketing that you are conducting complies with PERC in addition to GDPR.
Based upon GDPR the ICO has updated some of its guidance, including on sharing personal information for marketing purposes with third parties. If you share personal information for marketing purposes with third parties or use mailing lists from third parties then you may need to review your procedures in relation to these activities. The ICO has stated that indirect consent will, in general, only be valid when the individual has consented to their details being shared with third parties and they could “reasonably foresee the types of companies that they would receive marketing from, how they would receive that marketing and what that marketing would be”. The ICO is also advising that indirect consent should not be considered to be indefinite but should only last for six months.
Keep in mind that the regulations discussed in this section relate purely to marketing activities and not to communications with clients in general. Transactional messages such as emailed invoices or appointment confirmations are not subject to the specific rules on direct marketing under GDPR, though they will still be subject to other areas of GDPR.
On Children and Consent
Children have more access to digital services than ever before and the need to protect children is addressed under GDPR by two main principles:
- The introduction of a minimum age in order for individuals to be able to provide valid consent. The regulations put this age at 16 but allow EU member states to lower this if they wish, down to a minimum of 13. The UK government has taken the decision to enact this clause and has lowered the age to 13. You will need to be aware of the minimum age at which individuals can provide valid consent in any EU countries that you operate in. Valid consent to process the data of a child under the minimum age can only be provided by a parent or guardian, though consent from a parent or guardian is not required in the context of providing preventative or counselling services to a child.
- When information is being provided to a child, whether related to processing their personal data on the basis of consent or other bases, the information must be tailored in order to be suitable to the understanding of the child. The ICO has recommended that in situations where you are required to provide this type of information to a child that you also provide more detailed information to the parent or guardian that explains the nature of the data processing in full, as would be the case with your standard privacy notices.
It should be noted that whilst Article 6 that defines some of these rules specifically mentions consent in relation to ‘information society services’ other elements of these regulations are detailed elsewhere so they should not be considered to be limited in scope solely to online services offered to children. If you do offer any services to children you should review the processes that you have in place and the information that you provide to children on these processes to ensure that these are still suitable under the new GDPR.
There are many ways PPS can help in this scenario depending upon your specific needs as a clinic, for example, it could be as simple as using custom profile fields or a dedicated custom form to record that parental consent has been gained.
The ICO has issued guidance on the processing of children’s data based upon the requirements of the GDPR.
On the Data Processing Agreement
GDPR makes it mandatory that all data controllers have in place a data processing agreement in the form of a contract with any data processors that they use and the minimum required elements of this agreement are set out within the regulations.
Rushcliff and the PPS products will be fully compliant with GDPR and we will be updating our terms and conditions and data processing agreement in light of these changes in the regulations. We will provide more information on this via email in the coming months.
Remember that we will likely not be the only data processor that you have a relationship with and you will need a similar agreement from each data processor. Most data processors will be proactive about making sure their contracts and terms and conditions are updated as required but it is ultimately your responsibility to ensure that you have the agreements signed and in place.
On Data Protection Officers
The appointment of a Data Protection Officer (DPO) is now mandatory in some circumstances under GDPR, which also sets out the responsibilities of the DPO and of the organisation in respect of the DPO.
You must appoint a Data Protection Office if you:
- Are a public authority
- Carry out large-scale processing of special categories of data, which includes health information (as detailed in Article 9).
- Carry out large-scale, regular and systematic monitoring of data subjects.
As they are handling health information most clinics will be required to appoint a Data Protection Officer. It is the responsibility of the DPO to inform and advise the organisation and its employees about their obligations in respect of data protection, to monitor compliance with the regulations, conduct internal audits and to be the primary point of contact for both regulators and individuals whose data the organisation is processing in respect of that processing. These responsibilities are in line with your obligations as an organisation under GDPR, therefore, the appointment of a DPO can be seen as a way to ensure you are complying with the regulations in general, as such you may wish to prioritise this item. Appointing a DPO early in your preparations for GDPR will give you a single person to be responsible for the identification and implementation of any changes and policies that you will be making and allow you to rely on their expertise to meet your obligations.
The requirement to appoint a DPO applies to organisations of almost any size, however, Recital 91 does state: ‘The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer.‘ This could be interpreted to mean that practitioners operating independently are not required to appoint a DPO but any larger organisations than a single practitioner will need to. It is, however, recommend that all organisations consider the appointment of a DPO as good practice, even if not specifically required under the regulations.
If you do need to appoint a Data Protection Officer this does not have to be a new dedicated role. You can appoint an existing member of staff as your DPO if their other responsibilities do not conflict with the responsibilities and requirements of being a DPO, such as being suitably qualified in the field of data protection. You can also subcontract the role of DPO out to an external consultant or organisation which may be the most effective and cost-efficient way for many small and medium-sized organisations to comply with this regulation.
If you are unsure if you need to appoint a DPO you should consult your professional body or seek legal advice to clarify your position.
On Data Protection Impact Assessments
A ‘Data Protection Impact Assessment’ (DPIA) is a tool used to assess the risks in processing personal information and to identify the best way to comply with the data protection obligations.
There are some circumstances in which a full DPIA must be completed, including when you are using new technologies and the processing is likely to result in high risk to the rights and freedoms of individuals. The ICO provides advice on assessing if you need to complete a full DPIA and a framework to complete the assessment itself.
Regularly backing up important data is an essential part of your data security and disaster recovery strategy that would enable you to recover a system or its data in the event of data loss, whether this was accidental or malicious removal by an individual, was caused by a virus or malware or as the result of hardware failure.
If you use any cloud-based PPS products, such as PPS Hosted or PPS Express, then we manage the backing up of your data through our secure, automated backup solution and retain a copy of the backup data from each day. If you are a PPS local user and do not have any cloud-based PPS products then it is your responsibility to ensure that you have appropriate data backup procedures in place for your PPS database.
We are regularly asked “how often should I be backing up my data?” and my answer is always “as frequently as the amount of data that you would be happy to lose in the case of something going wrong”. Realistically it is unlikely to be practical to start enforcing downtime during the day to complete backups but for the vast majority of clinics backing up data each evening is essential.
Your PPS system may not be the only place where you process and store important information. You will need to review any systems in which you store information and evaluate the need for a backup strategy for each or if you have many local data sources that you need to backup, an overall backup strategy.
The traditional backup strategy of many businesses has been to create, store and then archive a backup each day, these backups would then be kept for an extended or even indefinite period of time. The introduction of the right to erasure for individuals means that it is now time to review these practices. As discussed previously, if an individual exercises their right to erasure you must remove the individual’s personal information in full. Backups are not exempt from this right and you must, therefore, ensure that their personal information is not retained in any backups that you hold.
For the vast majority of backup systems it would be either impracticable or technically impossible to remove a single individual’s record from any single backup, never mind removing it from all the backups that you have. The most obvious solution to this problem is to ensure that all of your important data is being backed up each day but then limit the retention period of these backups. A balance needs to be struck between giving yourself adequate time to comply with data removal requests and maximising the period that you keep backups for.
For users of cloud-based PPS systems, we will be limiting the backups that we maintain to a maximum of 14 days, this will give you 14 days to assess and, if required, comply with data removal requests under the right to be forgotten. Provided you action any approved requests within this time period their personal data will naturally ‘expire’ from the backup system as older backups are automatically removed.
On Personal Data Breaches
A personal data breach is a breach of security that results in either accidental or unlawful use, change, modification or removal of personal data. Examples of personal data breaches include access by an authorised third party, sending personal data to the incorrect recipient, loss of availability of personal data or devices storing, or with access to, personal data being lost or stolen.
GDPR makes it mandatory to report certain types of data breaches to the relevant authorities, particularly if the breach is likely to result in risk to individual’s rights and freedoms. If a data breach occurs but you decide not to report this you should document the breach and the reasons for not reporting it as you will need to be able to justify this decision if questioned. If a data breach does occur and it involves healthcare information then, as a special category of data, this should be considered to be high risk and you will likely need to notify the authorities. Notification to the authorities must be done within 72 hours of becoming aware of the breach, if there is any delay past this period then you will also need to detail the reason for the delay.
In addition to notifying the relevant authorities of the occurrence of a personal data breach, you must also inform the data subject or subjects the information concerns of the breach and detail the data that has potentially been affected, this must also occur within a maximum of 72 hours.
Keep in mind that data breaches are not limited to systems being ‘hacked’ but also include other events such as access by an unauthorised 3rd party, sending personal information to an incorrect recipient, altering of personal information without permission and loss of availability of personal data. I would consider the loss of availability of data to only require notification where there is not a timely resolution to the issue, such as restoring from a backup, available.
We invest a large amount of resource into ensuring the security of our products but in the unlikely event of any personal data breach occurring in systems that we maintain then, as your data processor, we also have an obligation under GDPR to notify you.
On Records of Processing
A new requirement under GDPR is the documentation of your processing activities. The level of documentation that you are required to maintain depends on multiple factors including the type of data that you process and the size of your organisation. Generally, the documentation will need to detail what types of personal information you process, why it is processed and the basis of processing, in addition to other items such as your data retention policy. You will need to ensure that this information is kept up to date and may be required, if requested, to provide this information to the relevant regulatory body.
On Transferring Data Outside the EU
Personal data may only be transferred outside the EU when the commission has determined that the third country or specific sector or organisation within the third country provides an adequate level of protection for the individuals’ data. In addition to the obvious transfer of data if you are sending data to another controller outside the EU you also need to think of this in terms of the systems that you use.
Any system that you store data in must keep that data within the EU or countries, sectors or organisations that have been determined in advance to offer adequate protection of the personal data.
All cloud-based PPS systems are hosted fully within the UK, with all data and backups stored in our UK data centre. You will also need to assess any other systems that you store data in to ensure that data is kept within the EU or an approved location, these systems may include email, cloud storage or online backup services.
The transfer of personal information outside the EU is allowed when this is not a regular occurrence and only relates to the records of a limited number of individuals. This means that if, for example, a client contacts you to request their records whilst outside the EU then you can comply, taking into account other requirements such as providing this information in a secure manner.
As GDPR is an EU directive there has been some discussion on how the regulations will affect UK businesses. GDPR comes into force on the 25th May 2018, well before the process of the UK leaving the EU will be complete, therefore, all UK businesses will need to prepare for and comply with the regulations.
The UK government has already stated its intention to bring GDPR into UK law and whilst the UK government will be free at that point to make amendments to these laws, it is likely that they will be kept largely in line with the EU’s GDPR in order to facilitate UK businesses operating in EU countries.
For the reassurance of our customers that are based or operate within the EU, if there is not an agreement reached between the UK government and the EU to allow the transfer of data from the EU to the UK following the completion of Brexit then Rushcliff will ensure that we offer services that comply with the regulations. Our system architecture will allow us to also host our systems on servers that reside within the EU and so comply with the regulations.
On Legacy Data
During my research into GDPR, I saw the question of the applicability of the regulations to legacy data raised several times. The regulations apply to all data, regardless of when it was collected, you will, therefore, need to ensure that continuing to process the data is permissible under GDPR. If the records are healthcare records then you should be able to demonstrate that there is a legitimate reason to continue storing these records and at your next contact with the client you can offer them the required information on how and why you are processing their data. If, however, you have personal information that you are using for marketing purposes and you cannot demonstrate either, that you have valid consent or that you can process the information based upon legitimate interests then you must stop processing this data. You may be able to take the opportunity to contact individuals and invite them to join your mailing list or opt-in to receiving your newsletter before the regulations come into effect, if done in a way compatible with the new regulations this would then allow you to continue to process the information once GDPR is in force.
Plan of action
If you have not already started your preparations for GDPR or you have done some research but do not yet have a plan in place to ensure your compliance, then now is the time to start!
It is important that you do your own research to ensure you understand your obligations under GDPR and there are a wealth of resources available to help you plan your preparations for compliance with the requirements. I have mentioned the ICO many times in this article, they have detailed, helpful, accessible and, importantly, unbiased advice available and I would strongly recommend taking a look at the documentation that they provide. Below are two resources from the ICO that you may find useful:
The data protection network also has many resources available to view relating to GDPR and data protection in general. You need to join in order to view many of the resources but they do offer a free membership.
Finally, thanks for taking the time to read this article, I hope it has answered your questions on what Rushcliff is doing in preparation for GDPR and has been of some help in highlighting what you are going to need to consider in order to ensure that you are ready for GDPR by May 25th. Be on the lookout for future emails from us in the run-up to May as we release updates to PPS and PPS Express to provide you with the tools you will need to comply with the regulations.