
On May 25th 2018 the new General Data Protection Regulation (GDPR) will come into effect. Balens have provided the following non-exhaustive information to assist clients in meeting their GDPR responsibilities.

Further Help

The ICO (Information Commissioner's Office) have published a number of really helpful guides and checklists.

Guide to the GDPR for Organisations:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

‘Getting ready for the GDPR checklist’:

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

’12 steps to take now’ guide:

https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf

Data protection self-assessment toolkit:

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment-toolkit/


Lawful Basis for Processing Data

Data can only be processed if there is at least one lawful basis to do so. The lawful bases for processing data are:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Source: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

Balens will be processing clients' data under the Lawful Basis of Contract for our Insurance and Financial Services, and under Legitimate Interest for Marketing Purposes. See also Marketing – ‘Opt in’ vs ‘Opt out’, below, for further information.


Your rights to YOUR data under GDPR

If you want to know your rights to any data that is held on you after the GDPR comes into effect on May 25th 2018, the ICO has published a guide under ‘Individuals’ Rights’. The link is here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-of-access/

On a final note, the ICO have published a data protection self-assessment toolkit.

“Use our checklists to assess your compliance with the Data Protection Act and find out what you need to do.

Good information handling makes good business sense, and provides a range of benefits. You'll enhance your business's reputation, increase customer and employee confidence, and by ensuring that personal information is accurate, relevant and safe, save both time and money”.

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment-toolkit/

We hope our clients find some of this information useful, and we will update this post as more information becomes available.


GDPR and Record Keeping

We have received a number of requests from clients regarding record keeping in light of GDPR, and in particular how long they should keep their client consultation notes / record cards for, given that the regulation notes that personal data should be kept for no longer than is necessary.

If you currently have a Balens Health Professionals Policy with us, underwritten by Zurich Insurance plc, it is a condition of your Insurance Policy to take and retain client records. The policy wording notes:

The records shall be kept for at least 7 years following the last occasion on which treatment was given. In the case of treatment to minors, it is advisable that records should be kept for at least 7 years after they reach the age of majority (18).

Record Keeping - Condition 14 c, on page 35

The Statute of Limitation in the UK (i.e. the time within which an individual is able to bring a claim) is 6 years for certain injury claim situations, or 6 years after the individual reaches the age of majority in the case of minors. However, these 6 years start from the date that the injury was discovered, not from the time that the alleged incident that caused it occurred. There are also instances, for example if treating a vulnerable client, where the statute may be overturned. Your records are your best line of defence in any claim situation, hence the need to keep these for at least 7 years. It will be for you to determine, in view of your own client base, whether you choose to keep the records for longer than the 7 years noted in the policy wording, and then note this in your Privacy Notice for your clients.

There are provisions under the GDPR with regards to keeping records to defend yourself in a claim situation (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/ - see ‘When can I refuse to comply with the right of erasure?’), which clearly give you the right to hold your client records to comply with your insurance Terms and Conditions, should your client make a request for them to be deleted under their Right of Erasure.


Marketing – ‘Opt in’ vs ‘Opt out’

It is up to all businesses to determine the lawful basis on which they will process their clients’ data. There are a number of options for this, and it is likely that there will be different bases for different areas of processing. Which lawful basis the company chooses will determine whether marketing material is an ‘opt in’ or an ‘opt out’.

A company may determine that its current clients have a Legitimate Interest in receiving marketing information, as they are, or have previously been, a client and have shown interest in the business. Under this lawful basis, clients are automatically ‘opted in’ to receiving marketing material, but they must have an option to ‘opt out’ of this should they request it.

However, if for any reason the business is profiling the data or cannot show legitimate interest, i.e. the individuals are not clients of the business, then the lawful basis will likely be Consent. In this case the business will need to receive the individual’s consent before sending marketing information, i.e. they personally ‘opt in’ to receiving marketing information.

Some businesses may choose to get Consent from those they wish to send marketing information to, even where they may have an option for Legitimate Interest, as it will ensure that the information is sent only to those individuals who have specifically requested it, rather than to all clients.

At Balens, we have chosen the lawful basis of Legitimate Interest for marketing material. We do not send a great deal of marketing e-mails and believe that our clients will be interested in the information that we do send. However, we will always ensure clients have the option to ‘opt out’ of receiving this information.


Can Balens provide a template for a Privacy Notice?

Unfortunately we are unable to provide a standard Privacy Notice for you to adapt, as this will vary depending upon the individual business.

Details of what is required in a Privacy Notice are available on the Information Commissioner's Office website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/?q=privacy+notices

A copy of Balens' Privacy Notice, as an example, may be found on our website at: http://www.balens.co.uk/privacy-notice.aspx


Do I need to contact all of my past clients with my new Privacy Notice?

In essence you should be providing updated privacy information to past as well as current clients, and to past employees if applicable, where you continue to hold their data. However, the GDPR does allow a caveat for this not to happen ‘where the effort is disproportionate’.

The ICO web page states:

There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

While we at Balens would encourage you to contact all current clients as a minimum, notifying them how you will be handling their data after 25th May, it is for individual practitioners and businesses to determine whether the effort is disproportionate or not regarding past clients. If you decide this is the case, you will need to provide past customers with an updated Privacy Notice as soon as they contact you, and where you have a website, ideally the Privacy Notice will need to be displayed there also.