In the first two articles in this series we’ve taken a look at how the new Data Protection Bill – incorporating the EU’s General Data Protection Regulation (GDPR) - is coming along. You can find the first blog here and the second here. We’ve highlighted the importance of preparing by taking a good look at all the personal data you currently hold in the practice (a Data Audit). Where does it come from? With whom do you share it (or might disclose it to)? How long will you keep it? Do this as a practice team, because ultimately everyone is responsible for good Data Protection.
The Data Protection Bill has now reached the House of Commons, where a first debate on it – and the amendments proposed by the Lords – took place on 5th March. No great changes of any relevance to the veterinary industry so far, but it is possible, so we’ll continue to update Simplyhealth Professionals practices as we move towards the implementation date of 25th May 2018.
We gave some clues as to future Data Protection fees payable by Data Controllers in our last update, and now we have a clearer idea, although still subject to Parliamentary approval. As predicted there are three ‘tiers’, but some careful thinking may be needed to know which one you fall into.
Firstly, if you do not do any electronic processing (at all – that includes computers, tablets, smartphones, CCTV or any form of digital equipment) – and that’s pretty unlikely in 2018, or if you only use a computer for the purposes of staff employment, PAYE, business administration, and payment processing (i.e. only basic personal details) you are technically exempt from paying a fee.
If you have a small practice, with 10 or fewer staff (every part-timer counts as ‘one’ and that includes the cleaner), and if your annual turnover is less than £632,000 then you are in Tier 1. The fee will be £40, or if you pay by direct debit, then £35. You will get a reminder when your current registration runs out, and an opportunity to set up the direct debit then.
Larger practices, who do not fall within the above criteria, will pay a Tier 2 fee of £60 (again presumably with a direct debit discount of £5). This covers Data Controllers with 250 or fewer staff and a turnover of less than £36 million. Large Corporates may need to do some calculating, but otherwise this Tier will cover just about every other large-ish practice or small chain.
Tier 3, at £2,900 annually, is probably not an issue for vets!
If you are currently registered (‘notified’) with the ICO – as you almost certainly are – there is no need to take any action until you receive your reminder to renew after 25 May 2018.
Your fee level will, in most cases, be accurately anticipated by the ICO but you should check to make sure it is correct and either call or e-mail them if not. It seems likely that if your renewal date is shortly after the implementation of the new law, there will be significant delays in getting changes made, but so long as you can show you took all reasonable steps then this should not disadvantage you.
Remember that Associates will only need to register – as now – if they act as Data Controllers in their own right (see the ICO’s Information Governance in Dental Practices, September 2015).
Between now and 25th May, practices will need to:
- Complete their data audit (as above, if not already done)
- Check where back-ups are stored (ask your software provider/s)
- Consider how to present Privacy Notices to clients (see more below)
- Consider revising their Data Protection and Information Security policies
- Carry out and document a Legitimate Interest Assessment
- Draw up a Data Breach policy and procedure (if not already done)
- Appoint a Data Protection Officer
Helping Member vets
To help with preparation, Simplyhealth Professionals will be publishing further guidance for members on all of the above.
A Lawful Basis
As noted when writing about Privacy Notices in previous articles, a Data Controller can only process data under the new legislation if they have a Lawful Basis to do so. Sounds reasonable, and GDPR gives six options to choose from.
Consent sounds like a good idea. However, remember that consent can be withdrawn at any time, and whilst you might simply and rightly stop treating a pet whose owner decides, for whatever reason, to exercise this ‘right’ it would make life difficult for all concerned.
Necessary to fulfil a contract would apply in the case of pet health plans so is appropriate for those cases.
Necessary for a Public Task is actually appropriate for all processing to do with contracts, such as the NHS. Although this will not be relevant to the veterinary industry.
Legitimate Interests of the Controller. A ‘legitimate interest’ is really any self-evident need that an organisation has in order to function, and where a ‘data subject’ (client) would ‘reasonably anticipate’ that such processing is necessary, provided it does not undermine any of their rights.
In order to use Legitimate Interests as your Lawful Basis, the legislation requires that you complete a Legitimate Interests Assessment(LIA). This is not too difficult provided you follow the detail of the law: firstly do you need the information? Secondly is there any alternative? Thirdly can you balance your need against the clients’ rights? And finally what actions do you take to ensure the security and confidentiality of the data?
Why the fuss about ‘Lawful Basis’? The legislation requires that your full Privacy Statement, freely accessible to all those persons whose data you process, specifies clearly what this basis is. On a website this must be clearly signposted (not buried in the small print), and in the practice its availability can be pointed out within a brief statement given verbally or, displayed in the waiting room.
A few odds and ends.
If your practice software provider stores or backs up your data, you should have a fully documented contract showing where the data is kept, and if it is overseas (especially if outside the European Economic Area) does it conform to GDPR requirements?
If you use client data for marketing purposes, and also if you routinely contact clients by e-mail or text message, you will need to have specific marketing consents for these activities. Again, simple messages about forthcoming appointments can be consented with specific ‘opt-in’ boxes to be ticked and signed for. ‘Opt-outs’ or other non-explicit methods will no longer be acceptable.
Finally, make sure everyone in the team is aware of the changes coming up, of their increased responsibilities around data security (no more passwords on Post-It notes!), data breaches, and confidentiality, and review your training at regular intervals!