The GDPR: what it is and what it means for Freelance Dietitians

Transcription

1 The GDPR: what it is and what it means for Freelance Dietitians Nan Millette, MEd, RD Panellists: Mariette Abrahams Rebecca McManamon Tracey Clarke

2 Overview Disclaimer What is GDPR? BDA Data Protection for Volunteers FDSG; your freelance business

3 GDPR EU law Will replace current Data Protection Act New requirements as to how organisations process personal data After Brexit, all businesses and charities will have to comply, so we will most likely adopt all or most of GDPR as domestic legislation

4 Under GDPR, UK citizens will benefit from new or stronger rights: to be informed about how their data is used; around data portability across service providers; to erase or delete their personal information; over access to the personal data an organisation holds about them; to correct inaccurate or incomplete information; and over automated decisions and profiling.

5 How do we begin? Adopt a whole organisational approach This impacts campaigning, marketing, managing volunteers and recording information about service users processing personal data Audit the personal data you hold, where it came from and who you share it with

6 Review how you ask for consent Explain clearly why you are collecting personal data and how you intend to use it Get explicit consent to provide date to third party users Consent needs to be freely given

7 Opt in v Opt out Big debate Best practice is a separate issue Key: meet a set of lawful conditions to process data for direct marketing Balancing act Individual s choice to say no is paramount. silence, pre-ticked boxes or inactivity should not constitute consent

8 Provide user access to personal data User s rights to access their own personal data Subject access requests at any time to check the data you hold and what you do with it You need to plan how you will handle requests within the new timescales so that it is not too onerous and time-consuming

9 Manage the data you hold properly right to be forgotten Up to date data; what to do with old data? Clear Privacy Policy Find out what information we hold on you Remove all information about me sections

10 Beware of data breaches Increased fines by ICO (Information Commissioner s Office) Ensure you have procedures in place to detect, report and investigate a personal data breach Review ICO updates regularly

11 Don t panic, but be prepared GDPR an evolution DPA already requires data to be processed fairly and lawfully Opportunity to review how you process data already Plans in place to make any changes to be ready for May 2018 ENCOURAGEMENT AND EDUCATION BEFORE ENFORCEMENT

12 12 Steps: GDPR guidance from ICO 1. Awareness 2. Information you hold 3. Communicating privacy information 4. Individuals rights 5. Subject access requests 6. Lawful basis for processing personal data 7. Consent 8. Children 9. Data breaches 10. Data protection by design/impact assessments 11. Data protection officers 12. International

13 BDA process (1) The BDA are unable to assist with any professional practice guidelines for Freelance Group members Beccie is not qualified or experienced within a clinical setting. Her professional focus is to ensure that the BDA is compliant with the requirements of the GDPR, which is a very different context to dietetic practitioners. Beccie is not able to commit the BDA to providing any specialist advice to the FDG. -Rebecca Jeffries, BDA Data Development Officer (27 Feb 2018)

14 BDA process (2) The Education & Professional Development team : guidance in the March edition of Dietetics Today. any specific guidance on this matter will come from them however, it is a complex area and any practitioners with specific concerns or a need for legal guidance should seek that from a qualified expert or legal advisor. The ICO is the only recommended source of information as they are the body responsible for enforcing the regulations. They are the BDA s only source of information and guidance, so we are not able to provide anything other than what they produce. For any other queries speak to Kiri or Najia in Education & Professional Development.

15 BDA Data Protection for Volunteers Draft guidelines for groups, 2017 Sensitive personal data Guidelines are the minimum requirements BDA cannot share data if you do not meet the minimum requirements

16 What groups need to do Appoint one member as Data Contact Requests for data Do not share data, unless agreed with BDA Storage of data: computers or servers with virus and hacking protection, not accessible to others No hard copy member details Inform BDA if data has been lost or accessed Profile updates on MyBDA, or BDA office

17 Communications Use newsletter function on BDA website Do not store contact lists between communications; request a contact list each and every time (accuracy) Do not use BDA data to advertise or campaign without BDA agreement

18 How can you use data? Valuable resource; tight controls required Third parties need to speak directly to BDA central team Do not undersell or undervalue membership data; penalty under GDPR and PECR

19 What data can you access? Live data Common request: names & addresses Some demographic and geographic data Professional interests and expertise Low completion rate for non-compulsory data Timescale: when, how long, when destroyed

20 Where to find more details? ICO guides and good practise documents Helplines for smaller businesses Chat box on ICO website Currently developing guidelines around new legislation (May 2018) BDA contacts: Kiri or Najia in Education & Professional Development

21 Implications for BDA specialist groups Summary: groups and branches FDG can no longer hold membership data FDG must request each and every time from BDA FDG must use the newsletter function on BDA website, TBA

22 Privacy Policies BDA: FDG: Johanna Heath, Baobab Solutions

23 FDG Website As a minimum, update all forms to include a mandatory tick box to grant explicit permission for the data to be collected. Given that dietitian enquiries are being sent to individual dietitians, the responsibility for the safe-keeping of the information is theirs. Extend the form descriptions, where appropriate, to explain why the information is required. For any data being recorded, we need to specify who will have access to it, how long it will be kept for, give the individual the option of updating their information and also having their information completely deleted, including user accounts. FDG are required to run regular security audits and have a mechanism for reporting security breaches to affected individuals.

24 For enquiry forms Every enquiry is currently recorded in the database, primarily as a fallback in the event of notification failure. This is default behaviour for the software. Under GDPR, this becomes a liability. Functionality can be added to stop these entries from being created (so we lose the backup), or a manual process can be put in place for the information to be deleted periodically.

25 For Freelance Dietitians The information you supply is public domain anyway, but you still need to have the explicit consent of clients. option to have their information removed altogether (including the user account) and not just from the public domain blog and product submissions. The FDG website should either add a manual process to delete these, or add functionality for the user to do so themselves

26 Other Functionality such as spam detection also comes under scrutiny. By default, all communications from visitors are logged. There is an option to restrict this to suspected spam only. Even so, this will have to be covered by the privacy policy. The same applies to any security monitoring software used as IP addresses are being recorded as a minimum, and potentially form details as well. Does the BDA set out requirements for security monitoring on the website itself? Also to consider, there are the usual website access and error logs, as well as Google analytics and cookies.

27 Wordpress Wordpress itself is being reviewed for GDPR compliance. They are in the process of creating a GDPR validation environment for all plugins, such that plugin authors can verify their plugins as GDPR compliant.

28 Existing data Many website owners tend to assume that once they have been contacted by someone, they have the right to use the details for marketing purposes. This can no longer be done. The best way to deal with this is to send an to all individuals currently in the marketing database, requesting them to opt in or out of future marketing.

29 Summary GDPR comes into effect 25 May 2018 BDA will manage dietitian data for branches and SGs As a Freelance Dietitian, you will need to manage any data you hold for your clients in a different way. Keep up to date on the ICO website

30 What if you have your own business?

31 Your Questions 1. Do I have to encrypt e mails? What about texts? Some patients like to text a lot. How do I know if my is safe. What about the clients? 2. Some clients contact me in the first place via e mail. I then assume that they are happy for correspondence. Should I be getting them to sign something? 3. I have written a privacy policy. Is it enough to provide to clients or should they be signing to say they are in agreement. 4. I keep paper records in a locked filing cabinet in a locked room in a secure building. What if I am burgled? Would this count as a breach, or a have I done enough? What is enough? Has this changed from the previous data protection laws? 5. My understanding is that the fines have increased for data breaches, however, I have read the info, and it seems that little has actually changed in terms of advice on how to remain secure. Am I right? Or is there more to it than that? -Anne

32 My main question is about how the FDG site will be managed as if someone say looks me up and inputs details on there for a query, how will this be managed? For example I know I will need a privacy statement on my own website, will there be a generic statement on the FDG plus need to put our own on? -Rebecca My concerns are ensuring protection using the Internet - in particular through , and how long to retain client records. - Elizabeth

33 I ve done a bit of reading about the new regulations but as a lone working freelancer I just cannot work out if I am supposed to change anything I do or not. Work I do within other organisations e.g. registered hospitals, is fine as they are ready for the change in regulations. When it is just me and a member of the general public, possibly a GP or consultant receiving letters, do I need to change what I do? How do I need to change wording on my website under terms and conditions/ data protection clauses? -Lucy

34 Most of what I have seen relates to bigger businesses involved in using client s data for advertising or potentially selling on. What I d like to know is the impact for those of us managing personal data on a very small scale. In particular, the new rules about having to inform clients of how the data will be stored/used. What exactly do we have to inform them of? For example, if someone s us with an initial enquiry, do we have to start explaining about security and that we won t be passing their on to a third party, before we can actually respond to their enquiry?! I presume not as that would be silly but from some things I have seen about GDPR, this seems to be the implication. A plan to draw up a nice FDG flow chart would be good, if the info can be simplified sufficiently?! -Isi

35 Do we need tighter physical security for clients' personal data records, not relying on our house security but buying in cabinets with better locks? Extra layer of password protection, eg for s? What permissions do we need to get from new clients before we start, with any specific wording you have available? Do we need to contact old clients to let them know what we re doing with their data? What needs to be done to old client records..shredding, burning, etc? Anything specific as regards IPO registration? Places we can look for more information and guidance? -Hilary

36 These are some of the questions I have about the GDPR related to the practicalities of being a private practitioner: 1) how should I store paper patient records? 2) how should I store electronic patient records? 3) how do I ensure s are secure if not using an NHS.net 4) what permissions do I need to get from the patient? 5) if I am not using patient records for any marketing activity and only communicating with other HCPs such as referer/gp/slt does this make a difference? 6) When and how should I dispose of patient records paper and electronic? - Nicole

37

38