General Data Protection Regulation (GDPR)
2018 Data Protection Act.
New Data Protection Legislation is coming into force in the UK on 25th May 2018. The General Data Protection Regulation (GDPR) is EU-wide legislation that is currently being enacted into UK law and will become the 2018 Data Protection Act.
This legislation will affect every business that handles personal data for clients or staff. Personal data is defined by the act as ‘any information relating to an identifiable person who can be directly or indirectly identified’. This includes data such as names and contact details, but may also include information such as IP addresses.
What information is an individual entitled to under the GDPR?
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
Under the GDPR, individuals will have the right to obtain:
confirmation that their data is being processed;
access to their personal data; and
other supplementary information – this largely corresponds to the information that would be provided in a privacy notice (an example can be downloaded at: https://ico.org.uk/media/for-organisations/documents/1625126/privacy-notice-checklist.pdf).
West Berkshire Kinesiology is covered by a Balens Health Professionals Policy which is underwritten by Zurich Insurance plc. It is a condition of this Insurance Policy to take and retain client records. The policy wording notes:
The records shall be kept for at least 8 years following the last occasion on which treatment was given. In the case of treatment to minors, it is advisable that records should be kept for at least 7 years after they reach the age of majority (18).
Record Keeping - Condition 14 c, on page 35
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is NOT absolute and only applies in certain circumstances. As is noted above, West Berkshire Kinesiology is required to keep client records for at least 8 years after the last treatment/session as a condition of its insurance policy.
The Information Commissioner's Office guidelines state that 'the right to erasure does not apply if processing is necessary for one of the following reasons':
to exercise the right of freedom of expression and information;
to comply with a legal obligation;
for the performance of a task carried out in the public interest or in the exercise of official authority;
for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
for the establishment, exercise or defence of legal claims.
More information can be found at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
West Berkshire Kinesiology Data Protection policies
West Berkshire Kinesiology complies with the requirements of the EU General Data Protection Regulation (GDPR) - effective 25th May 2018.
To enable compliance West Berkshire Kinesiology has introduced technical and organisational measures to ensure patient record confidentiality, integrity and availability. Paper records are held in a secure cabinet with the keys held offsite and electronic records are password protected and automatically encrypted. Computers that hold this information are up to date with the latest software patches, and security passwords are changed regularly.
Personally Identifiable Information stored by West Berkshire Kinesiology in compliance with GDPR includes:
Names and addresses
Personal Information, including health conditions
Information that is used to contact clients is stored on computer systems operated only by West Berkshire Kinesiology on secure cloud-based systems protected by complex passwords.
Clients' personal information and case files
Client personal histories and case files are not stored in electronic form, EVER. If these personal histories are required for case history work requested by a governing body, then permission will always be sought from the client. If word processed documents are necessary then they will be printed and the original computer-based files will be destroyed. As client confidentiality is paramount, pseudonyms are used in ALL case history work.
Requests for contact details of my clients by any outside agency will always be refused, and I will not pass them on to any other enterprise for any other purpose. However, if these details are required by law then permission will be sought from the client BEFORE being passed to the relevant authority, and ONLY if permission is granted.
Deleting your data
As stated above:
Records shall be kept for at least 8 years following the last occasion on which treatment was given. In the case of treatment to minors, records are to be kept for at least 7 years after they reach the age of majority (18).
A record of financial transactions needs to be kept for legal and accounting reasons and cannot be deleted.