GDPR – Part Two. Privacy Notices and Consent

Posted by Katrina on 15/02/2018

Hopefully you’re reading this after digesting the first part of this GDPR blog. If so, then even more hopefully, you will by now have done a “data audit” as recommended by the Information Commissioner’s Office (ICO).

You haven’t? Then you should: read it here it won’t take too long. Work out all the personal data you hold: on clients, staff and contractors (Associates etc). where do you get it from? And with whom do you share it? If you export data to a third party (a laboratory or cloud storage for your Practice Management Software maybe), do they have good data security (can they describe it or have a policy you can see?) and where is it stored or backed up? In particular is cloud storage in the EEA or in another country?

The Audit

When you’ve completed your audit, the next thing is to consider “why” you hold the data – the “purpose of processing”. For the vast majority of practices, this is blindingly obvious – to you at least! You process client data in order to provide safe and effective pet healthcare, you process staff data for employment law purposes, and you process contractor data to maintain effective financial and performance records. Simples!

Marketing and ICO

A few practices may undertake forms of marketing which go beyond those simple purposes. They may buy in mailing lists to attract new clients, or may offer additional services to existing clients. If you undertake direct marketing in this way, you should look at the advice given by ICO (Google: ’ICO direct marketing’).

One of the relatively few (for veterinary practices anyway) major changes that the General Data Protection Regulations (GDPR) will introduce is that ‘data subjects’ (i.e. living individuals) whose data you will hold, store, process and ultimately delete, must be given prior notice about the data you hold, the reason/s you hold it, who you disclose it to and what their rights under the new Data Protection regime will be. This is called a Privacy Notice.

If that sounds like a complicated document, it is! At least in the sense that it needs to be drawn up carefully. It must not read like a complicated document, since you must, by law, be transparent and clear in your communication.

Privacy Notice

The ICO helpfully suggests that you do not need to spell out the full details of your Privacy Notice when clients (or staff, or contractors) first engage with you, but you must signpost it to them so that they can easily find it. That’s easy on a website (“click here for further details”), but perhaps a little more difficult when clients telephone or present in person.

You could, for instance have a short Privacy Notice at reception, or on a practice information leaflet, and either display a full version on the premises or laminate one that is available for clients to read. However you do it, a Privacy Notice is a must!

Again, you can read about Privacy Notices on the ICO website, and/or you can sign up (for free) to which is an open access website for small businesses and charities. They have good legal opinions backing them.

Lawfully Process Data

Now let’s have a closer look at “consent”. Don’t confuse this with the professional term: in this case, it is defined as one of six ways in which you can lawfully process personal data. We have seen it rumoured that you will need to have explicit, clear and unambiguous consent from every client/employee/contractor before you can even access the personal data you already hold! Whilst possible (maybe), that’s a very big ask.

Fortunately, the GDPR allows other ways for organisations to lawfully process data. One of these is the “legitimate interest” test. Essentially, this means that if the data subject would reasonably expect you to collect, hold, etc., their data for, effectively, self-evident purposes, and you only collect and process data for such essential purposes, and you are not contravening or infringing their rights to privacy in the process, then that’s OK.

Well, it’s sort of OK. It is recommended that in order to validate your choice of “legitimate interest” as a lawful basis for processing, you should carry out a Legitimate Interest Assessment (LIA). This would set out firstly, what those essential interests are; secondly,  identify the necessity for processing the data; thirdly, to balance the needs of the organisation against the rights of the data subject; and finally, what actions will be taken to ensure that processing is not excessive or invasive.

DPN Network

Again, the ICO and DPNetwork have excellent advice on how to carry out an LIA and it’s strongly recommended that you do this before relying on this basis. But it does avoid the need for a blanket consent exercise.

So for caution’s sake, when getting updated personal details or having clients sign treatment plans, it is probably advisable to get patients to clearly indicate that they consent to the use of data as in your Privacy Notice (which should be available to them to read if they wish). And refreshing that consent (e.g. at pet medical history updates) is a good idea too. The use of pre-ticked boxes, inaction or silence on the part of a data subject can no longer be relied on, either.

It’s anticipated that generic templates will be available for Privacy Notices, LIAs and other key components of the new Data Protection legislation in the coming months, but it’s a good idea to have some drafts in your mind now to stay ahead of the game.

In the third and final part of this monthly blog, we’ll look at Data Security, dealing with Subject Access Requests and complaints, and an update on how the new Data Protection Act is going through Parliament.

PS: Annual Registration Fees with the ICO

Parliament hasn’t yet approved a new fee-scale for registering with the Information Commissioner after the new Data Protection Act becomes law in May 2018. But the ICO’s draft guidance to the Government has suggested a three-tier approach. Very small, or new veterinary practices which process fewer than 10,000 personal records will be Tier One with a fee “up to £55”; but those with larger client bases will fall into Tier Two: “up to £80”. It’s likely that existing annual notifications will be valid until their expiry date. Watch this space!