Data Protection for small healthcare organisations. (*re-edited March 2018)



hello I'm Robert Parker and I'd like to welcome you to today's webinar from the ICO that which is entitled data protection now and in the future an introduction for small organizations in the healthcare sector you'll be hearing from Laura Neurath and Liz Makai who are from the I SEOs assurance Department they'll be taking you through the slides and including questions we accept we expect the session to run for around 40 minutes the slides and the notes from this webinar will be available on our website from tomorrow now if you're not able to stay with us throughout a recording of today's webinar will be available on the ICS website by close at play tomorrow as well now regarding questions please would you submit your questions as they occur to you throughout the presentation and I'll put the most frequently asked to Lauren and Liz so I'd like to now hand over to Lauren thank you Robert and welcome to our webinar today so the webinar is going to cover the following key objectives we're going to help you understand the work that's done at the ICO give you a basic understanding of the principles of data protection give you a basic introduction to the general data protection regulations or gdpr and we're going to highlight some of the key risks to privacy compliance for health sector organizations firstly just a bits about was at the ICO hopefully you'll be aware of us already and that we are the regulator's of the Data Protection Act and the upcoming general data protection regulation or gdpr from May 2018 amongst other things but just to give you some background information we have approximately 400 staff overall including some small regional offices our main office is based in Wilmslow in Cheshire and as I mentioned Liz Anaya from the assurance Department we care our audits of larger organizations such as NHS trusts police forces and local councils and we also conduct 1-day advisory visits to charities and smaller organizations as well as carrying out information 
risk reviews which are a more detailed review of data protection processes as well as all this we occasionally conduct one-day workshops to try to focus on data protection related issues in order to help raise awareness of compliance the I see our role is to encourage good practice assess eligible complaints advise individuals and organizations and take appropriate action where legislation has not been complied with it's really the role of the ICO is twofold it's to educate data controllers on their obligations and protect the rights of individuals as well as promoting good practice and providing advice the ICO carries out enforcement work which is more the punitive side of the ICA role as a regulator reported breaches are investigated an appropriate enforcement action is taken the specific actions that our enforcement team can take follow an investigation of an information security breach but to issue a civil monetary penalty notice which could lead to a fine ranging up to five hundred thousand pounds to issue an enforcement notice which is a formal notice requiring an organization or individual as to take the actions specified in the notice in order to bring about compliance with the Act and related laws failure to comply with a notice is a criminal offence and finally to request and agree on undertaking with the organisation a formal undertaking can be given by an organisation to the ICO committing the organisation to a particular course of action or otherwise achieving compliance the requirements under the GDP are for breach reporting my dates controllers and processes have been strengthened and introduces a duty on all organisations to reports certain types of data breach to the ICO within a 72 hour time frame in addition there will be a two-tier sanction Museum introduced and fines will be significantly enhanced for more serious breaches finally the ICO also provides advice on a case-by-case basis via our helpline as well as investigating written complaints 
from the public of our organizations before we go into the finer details of data protection law I'd just like to pause and reflect on the possible impact of personal data breaches the slide on display depicts a real Messier case example from 2013 an insecure yahoo email account was used by the Burnet surgery for communicating with patients about familial test appointments and results the email account was hacked put yourself in this position how would you feel if you are one of the patients affected if it was your organization whose email was hacked how would this affect your practice how would this affect your patients this is just one example for many demonstrating what data protection is important for everyone the basis of data protection centers around personal data but what is personal data the Data Protection Act or the DPA defines personal data as data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession of or likely to come into the possession of the data controller like the DPA the gdpr applies to personal data however the GD P RS definition it's more detailed and makes it clear that information such as an online identifier for example an IP address can be personal data this definition provides for a wide range of personal identifiers to constitute personal data reflecting changes in technology and the my organizations now collect information about people in addition personal data that has been sadhana mised can fall within the scope of the GD P R okay what about sensitive personal data what kind of data would be classed a sensitive personal data under data protection legislation under the DP a sensitive personal data is data concerned with racial or ethnic origin political opinions religious beliefs or other beliefs of a similar nature membership of a trade union physical or mental health or condition sexual life the Commission or alleged commission of any offence or 
any court proceedings or sentence relating to any offence committed or alleged to have in common alleged to have been committed interestingly financial information is not defined in the act for sensitive personal data however in this day and age many people would classics of such under GD P are sensitive personal data is known as special categories of data these categories are broadly the same but there are some minor changes for example the special categories specifically include genetic data and biometric data when they are processed to uniquely identify and individual personal data relating to criminal convictions and offences are not included but similar safeguards apply to its processing so how does data protection relate to you protecting people's information rights and personal data is a frontline service taking a positive approach to your responsibilities will deliver benefits to your organization as well as helping you to comply with data protection legislation therefore it's important to understand the benefits of getting it right and the implications of getting it wrong for your organization benefits of doing it right include it will help your organization to why with its legal obligations under information rights law it will save your organization time effort and money information is the key business assets handling it properly it will help your organization to achieve its business objectives good data protection practice build up good relations and Trust with people you deal with and the public as a whole impacts of doing it wrong could include financial and reputational costs a data breach can be expensive to put right and will reduce public and customer confidence in your organization and you may receive a monetary penalty from the ICO data protection legislation also gives an individual rights concerning their personal data on the processing of such data although we won't be going into this aspect in any great detail today it's important to 
understand that the legislation does include these rights for individuals as well as requirements for organizations it's important to make sure everyone in your organization understands the importance of information rights and their own responsibilities delivering them now this might seem an obvious statement however for clarity data protection legislation applies to a particular activity processing personal data rather than to particular people or organizations so if you process personal data then you must comply and in particular you must handle the personal data in accordance with the data protection principles broadly if you collect or hold information about an identifiable living individual or if you disclose use retain or destroy that information you are likely to be processing personal data the scope of both the current Data Protection Act and the upcoming gdpr and data protection bill are therefore very wide as they apply to justify everything you might do with individuals personal details we are now going to move on to talking more detail about the principles of data protection the Data Protection Act of 1998 has eight principles principle one personal information must be fairly and lawfully processed principle 2 personal information must be processed for limited purposes principle 3 personal information must be adequate relevant and not excessive principle for personal information must be accurate and up-to-date principle 5 personal information must not be kept for long within this necessary principle 6 personal information must be processed in line with data subject rights principle 7 personal data must be secured and principle 8 personal information must not be transferred to other countries without adequate protection this slide shows you the new gdpr principles personal data should be processed lawfully fairly and in a transparent manner it should be collected for specific explicit and legitimate purposes it should be adequate relevant limited to what 
is necessary it should be accurate and when necessary kept up to date it should be kept in the form which permits identification of data subjects were no longer than is necessary for the purposes for which those data are processed and processed in a manner that ensures appropriate security of the personal data as you can see there are obvious similarities with the existing DPA principles we've just talked about however there is a new requirement for all data controllers to be able to demonstrate their compliance with the new principles this is centered around accountability basically the gdpr requires you to show how you will comply with the principles for example by documenting the decisions you take about a processing activity so moving back to the principles under the Data Protection Act we're going to go through them in other to more detail starting with principle 1 personal information must be fairly and lawfully processed now we can break this principle down into the two parts firstly let's think about fair processing must be fair you should have a legitimate reason for collecting and using the data you should be transparent about how you'll use the data handle the data in a way that would be reasonably expected and not use it in ways which would have an adverse effect sundean on the individual this can be achieved through the provision of fair processing information also known as privacy notices which identify the data controller the purpose of processing and any other relevant information personal information must also be lawfully processed so processing must be done in line with requirements within the legislation plus any of the sectoral legal or regulatory requirements and you contractual requirements and any duty of confidentiality so the often neglected second principle this principle is closely linked to the first principle and that it also aims to ensure that organizations are open about their reasons for obtaining personal data and that what they do 
with the information is in line with the reasonable expectations of the individuals concerned if an organization intends to use the data they hold for purposes other than was it was collected for they should inform the individuals concerned to give an example if a GP disclosed his patient list to his wife who runs a travel agency so that she can offer special holiday deals to patients needing recuperation disclosing the information for this purpose would be incompatible with the purposes for which it was obtained we're now going to look at the next few principles in a little more depth together known as the information standards or data standards principles they seek to regulate the amounts of data collected about a person by an organization the quality of that data and how long it is kept for our view is that organization should be striving to do this in any of them as if you're guided by these principles you can increase efficiency and reduced costs the next principle States personal information must be adequate relevant and not excessive in relation to the purpose or purposes for which they are processed under gdpr this is very similar in that personal data should be adequate relevant and limited to what is necessary think of this as the Goldilocks principle the data collected should be just right too much risks and invasion of privacy too little risks ill-informed or poor decisions made which can affect that individual this process is also referred to as data minimization so if we break this principle down into its constituent parts and we'll carry on with the three bears analogy firstly personal information must be adequate this is about having enough information to fulfill your business need so to give an example one of the purposes for which you might collect personal information is for treatment for a bad back if an individual has now or has in the past had a manual labor intensive job then you'll need to know their career history however if you were 
treating this patient for an ingrown toenail then you may not require a record of their full career history to carry out the treatment personal information must be relevant this depends on the individual case examples of information collected could include a home telephone number a star sign political affiliation religious beliefs well how about if a family members information is collected as a next of kin think about your justification for collecting information on a case-by-case basis an information must not be excessive this relates back to the point I made earlier about data minimization so if your office or Medical Center has visitor protocols in place that require the capture of personal data relating to those visitors such as biometric fingerprints consideration should be given to the type of days to collect it how much data is held and how long data's being retained for so to recap on the third principle the data collected should be just enough to fulfill the purpose for which you've collected it you should be able to justify why you need to have all the separate pieces of personal data about each person an information shouldn't be held just in case it might be useful at some points in the future now there are clear bears business benefits to this principle by minimizing the data you hold you make it easier to locate relevant information and cut down on the need to store data as well as reducing the burdens of responding to a subjects access request moving on to the fourth principle this is possibly the most complicated if the ones we're going to look at what it's so short it doesn't seem like it at the farthest in fact this principle in both the Data Protection Act and the gdpr is the same personal data shall be accurate and where necessary kept up to date so let's break this principle down personal data has to be accurate so what do we mean by this the term accuracy is not defined in the act was it does say that data would be deemed inaccurate if it is 
incorrect or misleading as to any matter of fact and what does the Act mean by a matter of facts this will be something you can demonstrate to be true as opposed to someone's opinion or belief so for example a date of birth or an address so give an example here if a patient moved house within their local area and the record at the health center says they still have it the old address then that record would be inaccurate as a matter of fact however if the record says they used to live with the old address then it will be accurate I would note here that there is an expectation on the individual to ensure that their personal information is kept up-to-date so the juicy for the organ to take reasonable steps to verify the accuracy of the information will depend on the importance of the information and the impacts that getting it wrong would have for example an HR department processing a job application for external candidates would need verification that any candidates had actually held the required essential job qualifications they listed on their application form but they would have less needed to check weather details about a summer job held twenty years ago are correct data must also be kept up to date however it may become inaccurate over time for example if a patient's next of kin moves a dress or changes their contact number organizations are expected to carry out periodic checks to ensure that data is up-to-date although clearly as I said earlier there is some expectation on individuals to inform organizations where personal data has changed an information must only be kept up to date where necessary so where it's necessary for that information to be up to dates for example if the patient's subsequently migrates abroad it may then no longer be necessary to continue to update that information there are some situations where it's okay to hold information which is no longer correct an example here could be if a mistake was made so if a member of staff was 
disciplined for an incident they later turned out they didn't commit this would still be an accurate record of the events that took place and they need to be retained however the note should make clear that the discipline was an error and as an organization what should you do if accuracy is challenged firstly you should investigate and if you agree correct the information or market on the record as a mistake it's always good practice to ask for evidence if possible and carry out checks to verify at this stage under current legislation there is no right for an individual to require you to delete information they believe is inaccurate but they can apply to a court to do so then if you disagree with the initial challenge it's good practice to record the fact that it has been disputed now moving on to look at opinions under principle for opinions about individuals are personal data however generally opinions cannot be challenged under the fourth principle for example if a patient doesn't agree with the comments of health professional in the medical record concerning their condition or diagnosis the patient is unlikely to be able to challenge the accuracy of the data under the fourth principle the disputed data will be the view of the health professional who took the notes and is therefore an opinion about the patient's medical condition or diagnosis professionals opinions are often an area of contention sometimes an individual may ask for an opinion or diagnosis to be deleted because they believe it's be inaccurate however if the record accurately reflects that professionals opinion then it will remain accurate an example of this may be if a patient's medical records from their doctor say they have depression but they don't agree so they rights their doctors to challenge this however this was the doctor's opinion at that particular time and the records actually have accurately reflect this the doctor can simply put a note on the patient's record to say they don't agree 
as we've already said according to the legislation the data is inaccurate only if incorrect or misleading as to any matter of fact now going to look at the fifth principle the fifth principle states that personal data processed for any purpose or purposes shall not be kept for any longer than is necessary for that purpose or those purposes now the law doesn't provide any interpretation of principle 5 nor does it set out any maximum or minimum retention periods there are however certain considerations that organizations must take into account when setting attention periods first of all any judgment about retention of data should consider an statutory requirements to retain the information any industry guidelines or standards the value of that information the risks of retaining the information and the need to keep the information accurate and up-to-date the potential risks of retaining the information too long could include if it goes out of date the wrong information could be used in error the more time passes the more difficult it may be to ensure the accuracy of the information and it could mean more work in responding to a subject access request information that's kept for longer than necessary is also likely to be excessive or irrelevant and may be inaccurate as well so there may be issues with principles 3 & 4 – however you must take care not to delete the data too soon as it may risk reaching principle 3 personal data must be adequate the fifth print supplies there to prevent you from retaining personal data without good reason any personal information that has become redundant should be deleted but any deletion needs to be done securely for example you can't just put paper into a bin it needs to be shredded and this links into the principle of information security some organizations have automatic systems set up to delete types of electronic personal data after set periods information that's kept for historical statistical or research purposes can be kept 
indefinitely this is known under current legislation as the section 33 exemption it can be kept for these purposes as long as it isn't used in connection with decisions about an individual or in a way that is likely to cause damage or distress however if the information is no longer needed for the purposes then the exemption won't apply and it should be deleted the sixth principle relates specifically to the rights of individuals namely the right to know who will see in use the personal data the right to know why their data is being collected and what it will be useful the right to have copies of all their personal data that is being processed or held and the right to have any codes or jargons within provided copies of their personal data explain to them the first two rights can be fulfilled by organizations through the implementation of controls such as their processing notices and privacy policies and the second two relate to subject access requests of czars under gdpr individual rights including subject access are not covered within the principles in gdpr instead they are covered under separate articles the main rights for individuals under the gdpr will be subjects access to have inaccuracies corrected to have information erased to prevent direct marketing to prevent automated decision-making and profiling and data portability on the whole the rights individuals will enjoy under the to DPR are the same as those under the date of section acts but with some significant enhancements if you're geared up to give individuals their rights now then the transition to the to DPR should be relatively easy one of the key rights for individuals under both the data checks nuts and the gdpr is the right to access their personal data that an organizational holds about them this is called a subjects access request or saw the requirements under the current law for dates controllers are as follows you have 40 calendar days to respond to a saw even if nothing is held if you do not 
have clear effective procedures in place with responsibilities assigned it will be challenging for you to meet the deadlines you must provide copies of the information in permanent form however you do not necessarily need to provide the originals and you must provide all copies held at the time of the request regardless of whether they're scheduled for deletion the subjects access requests process itself puts certain requirements on the requester – namely requests must be in writing however the request itself doesn't have to specify or name the Data Protection Act specifically requesters should provide proof of identity so that the dates controller can verify who is making the request requesters could be required to pay an administration fee this is normally 10 pounds and can be up to 50 pounds for manual health records and the dates controller can ask for clarification of a request more information or the fee if this has not been provided initially this stops the clock in terms of time for the data controller to respond the rules for dealing with subjects access requests will change into the gdpr however the main change is that in most cases an organisation will not be able to charge for complain with a request and under normal circumstances an organisation will have just a month to comply rather than the current forty days moving on now to the seventh data protection principle this principle focuses on information security it states that personal information must be secured organizations should have appropriate technical and organizational measures in place to protect the personal data that they handle so why does information security matter getting information security wrong can have both financial and reputational implications to the success of any organization it can also cause damage or distress to an organization service users patients or customers as was seen in the recent one a crime ransomware virus incidents that hit many NHS organisations it is 
extremely important to apply the correct resources checks and balances in this area to avoid the reputational and financial risks that were realized in this recent attack as a slide states some examples of the harm that could be caused by the loss or abuse personal data could include lost or misfiled patient test results by follow-up medication had been prescribed but was never delivered which could present a threat to life or well-being patient records related to sensitive issues being disclosed with possible serious implications or the lack of availability of vital patient data in an emergency situation not all breaches are serious as this but many can still cause embarrassment and inconvenience and people are entitled to protection from that as well advances in technology make the processing of personal data in bulk much easier but also increase the potential harm that can arise from mistakes for example thousands of records can be stored of a single memory stick which is small portable and therefore easy to lose in the past it wouldn't have been physically possible for an employee to carry that much personal data around with them we would like to draw your attention to a particular case where the ico issued a civil military penalty with the risks of Port information security controls were highlighted this breach occurred in March 2012 when the website of the British pregnancy advisory service or B pass was attacked the attacker used an automated tool to identify website owner abilities these tools are widely available on the internet and target well-known vulnerabilities and poor website coding practices B practice website enabled users to request a callback for advice by completing a webform with contact details unknown to be passed the website retained a copy of the callback details unnecessarily and this was available to the attacker after he gained access to the website's content management system fortunately the attacker was not able to publish this 
information which was was recovered by police being passive now removed the callback details from the website and taken substantial remedial action to ensure that this security breach will not be repeated this incident was deemed to be a breach of the seventh principle in particular B pass failed to take appropriate technical and organizational organizational measures against the unauthorized processing of personal data stored on the website in addition the breach was of a kind likely to cause substantial damage or substantial distress users of the website could have been caused distress simply by knowing that their personal data had been accessed by the attacker and by the concern that the data may have been further disclosed how would you feel if this was your data how would you feel if you have been responsible for the breach how would this affect your organization how would this affect your clients or service users it's important to be aware that the data protection principles interconnect this means that failure to comply with one of the principles can lead to problems with the others for example failure to keep information up to date when circumstances change may cause information that was originally adequate to become inadequate keeping information longer than necessary may mean that the information becomes irrelevant or excessive all these could have an effect on the principle which relates to the security of data without maintaining the quality of data process you're not only likely to breach one of these principles but in addition your organization will be run less efficiently you'll be wasting money and calling rep and causing reputation of damage some key questions to ask yourself when you start any new process or are reviewing an old one oh why the information was collected in the first place have you defined the purpose for which you are collecting it what information you need in order to fulfill that purpose are you collecting just the right amount 
how long has it been or needs to be held for so how will you ensure that the information is maintained and is up to date you should regularly check the quality of the personal debt you hold correcting any inaccurate records removing irrelevant ones and updating out-of-date ones it may not always be practical to check the quality a very record you hold but it should at least be possible to check a sample okay well thanks very much got a few questions and thanks very much for everyone who's submitted one and just in case anyone missed the beginning of the recording it will be available on our website along with the slides and the speaker notes as tomorrow anyway back to the questions there's a few that we can go through now another one how does the right to be forgotten work with gdpr and health care information in relation to health care information if it's required to be held under a statutory or legal requirement it can't be deleted so only under certain conditions can information be deleted there is a lot more information about the right to be forgotten available on our website and we are going to be covering gdpr in more detail on our workshops and I can give you a lot more information about those at the end of the session so there will be more information about the workshops and one of the questions actually did ask for a recommendation and ico recommendation on the training provider and unfortunately as Raz as regulator we can't offer a recommendation but we are doing these sessions ourselves and our website two will be regularly updated with more information so I'm afraid that's the best I can do in terms of a direct steer for a training provider but we know there are plenty and many of them are excellent a couple more questions just physical or mental health include all records of a medical nature that's short answer/essay yes okay good and we have the the what size businesses must comply slightly longer question I work in schools as a speech and language 
therapist. I'd like some guidance on how long I should retain case notes for the students that I've discharged. Is it reasonable to destroy discharged case notes after two years or when they leave school, whichever happens sooner?

So we've touched on this point briefly earlier when we talked about the fifth principle. The Data Protection Act doesn't provide any interpretation; it doesn't set any maximum or minimum retention periods. We would say that it's a judgement in relation to retention, and that judgement should consider any statutory requirements to retain that information, any industry guidelines or standards, the value of that information and the need to keep it accurate and up to date.

Okay, that's enough questions for now. Hopefully there'll be a few more before we finish, but I'll hand back to Lauren or Liz. Thank you.

So, moving on to talk a little bit more about the General Data Protection Regulation. It might be reassuring for you to know that many of the definitions and the principles in the GDPR are broadly the same as those in the DPA. If you're currently subject to the DPA, it's highly likely you'll be subject to the GDPR. However, there are some notable changes, particularly in relation to an organization's obligations as a data processor, as data processors now have certain data protection obligations under the GDPR. As discussed previously, the broad definition of what's classed as personal data remains the same; however, the definition under the GDPR is more detailed, and sensitive personal data is referred to as special categories of personal data. It's broadly classified the same as in the Data Protection Act, with the addition of genetic and biometric data that's processed to uniquely identify an individual.

Now moving on to key risks for you as small to medium-sized enterprises in the health sector, and some of the main compliance areas within the legislation. These risks have been identified using the work that our assurance team has carried out
over the past few years within the health sector with various types and sizes of organization.

So, thinking about the information security risks to an organization: system access is one of the key risks that arises within the work of assurance. So thinking about if employees leave your organization and they're not removed from a system, they could potentially still have access to personal data, and disgruntled ex-employees are a common security threat. Thinking about clear desk policies: if paper records are left out on a desk, that could lead to the risk of an unauthorized individual obtaining knowledge of a person's medical condition or other personal information. If service users are local to the area, you could be responsible for someone overseeing that information, which could lead directly to a serious complaint. Encryption is an absolute must; without this there's no excuse if a breach were to happen. A stolen laptop is relatively inexpensive, but if people's sensitive data can be accessed on it you may be facing a hefty fine. And if your service users come to your premises for treatment, you need to ensure that they are unable to obtain anyone else's information, so think about the physical security protocols in place in your premises: how would you know, for example, if a file was removed from the premises by a member of the public? It's essential to ensure you have password security procedures in place, and another key risk we've identified is a lack of effective security incident monitoring or reporting. So think about how you or your staff would know how to identify and report security incidents. Sorry about that.

So here's a very recent example of a data breach that highlights some of the key risks we've just discussed. This was a Bupa data breach which affected 500,000 insurance customers and was reported last month. In July, Bupa disclosed a data breach whereby an employee inappropriately copied and removed information relating to 547,000
international health insurance plan customers. Customers with domestic health insurance were not impacted, but UK customers may have been affected if they purchased plans for use while abroad. Stolen data included names, dates of birth, nationalities and some contact and administrative information, but not any financial or medical data. There are obvious questions to be asked in this case around the appropriateness of the access controls that were in place, the use of any removable media, and any proactive security monitoring that was taking place.

Manual records pose a particular risk, as it's very easy for paper files to be misplaced, lost or removed. Without systems in place for logging and tracking manual records, these records could be lost while being moved from one area of an organization to another. In some instances organizations have not known when a record has gone missing, or even if they had it in the first place. Without secure storage areas for records, there is a risk of records being lost, damaged, inappropriately disclosed or even stolen; we have seen premises where archived records were kept in an unlocked, damp cellar. Data in manual records should be kept accurate and up to date: if an address on a file is wrong, for instance if someone has moved and the address has not been updated, this could lead to medical information being sent to the wrong address and either being lost or read by the wrong person. Organizations must be aware of the risks involved if staff are not trained in records management. Even if permanent staff are trained, what about the risks involved with volunteers, work experience students or temporary staff? How soon is training arranged for new starters? It only takes one person to make a mistake, but there can be significant consequences for an organization if records are lost.

Another area of risk relates to subject access requests. Many concerns about how subject access requests have been handled are brought to the ICO every year by
members of the public. Problems can be due to staff not being fully aware of what a subject access request is and how to deal with one. For instance, staff may not know that a subject access request does not have to say explicitly that it is one, and a valid request could therefore be missed. We have received concerns where the subject access request was included within a plain letter; the staff did not notice this and the request was not passed on to the appropriate person. Subject access request responses are sometimes subject to redactions or exemptions. The work that is done while processing a response should be logged and reported; otherwise, if there's a complaint about the response or the request is repeated, the organization would not have any record of their previous response, so mistakes may be made or work repeated unnecessarily. A subject access request must be responded to promptly, and in any event within 40 calendar days after it was submitted. A response to a subject access request that is later than this is a breach of the DPA.

Okay, I'll pick up a few more questions now. A very quick one, I think: who actually is the data controller, is it the organization or is it the boss? In this case it would be the organization that would act as the data controller. Okay, thank you. As a healthcare provider, many of us have reviewed our organization through completion of the NHS IG (information governance) toolkit; does this provide us a basis in preparing for the GDPR? Absolutely. So we've touched previously on the fact that the Data Protection Act and the GDPR are very similar, so in completing the IG toolkit you will have a very strong basis for ensuring compliance with the GDPR going forward. Okay. A very detailed one: what about sending documents by email to clients that include their personal information, do the documents need to be password protected? They absolutely should be password protected where they contain personal information. Are there any special recommendations for
clinical and health psychologists and therapists? No, no specific recommendations. It's everyone that needs to comply, and everyone needs to handle personal information in the same way. Okay, thanks very much. I'll hand back to Lauren now; just a bit of a plug for our helpline. The ICO has a free helpline number. Unfortunately we're not going to get to everybody's questions, but just to give you that number, it's available Monday to Friday and it's a free service: 0303 123 1113, for any inquiries or questions that you've got. Thank you.

Okay, so before we conclude our session today, we hope we've highlighted some of the key risks that smaller organizations working in the health sector face. Some of you may already be aware of some; some may be new to you. But either way, we at the ICO would like to offer practical advice on how to address and manage these risks, to ensure your data protection compliance and prepare for the introduction of the GDPR. So, as I mentioned earlier, we're going to be holding a series of workshops which we'd like to invite you to apply to attend. The workshops are free of charge and are a unique opportunity to discuss the challenges you face and how to deal with them, with expert advice from the ICO at hand to help and advise. The workshops will be held over three days: the 11th of October at a venue in London, the 7th of November at a venue in Birmingham and the 9th of November at a venue in Manchester. The main topics of the day will be information security (thinking in light of the recent cyber attacks on the NHS, you can learn how to get the basics right); we'll cover GDPR, and you can learn how to start preparing for the changes to the legislation; we'll touch on records management, discussing the lifecycle of a record and how to ensure your organization has the tools to get it right; and we'll cover subject access requests, how to avoid complaints and keep your service users happy. Further information about
the times and venues and how to apply can be found on our website under "About the ICO" and "News and events". We'll just move on to the last section, which shows you a little bit more information about the live chat, and you can find a link to our website there as well.

Okay, well, thanks again for joining us today. We'll close the webinar now. As I've said a couple of times, a recording will be available on our website from tomorrow. For news about future webinars, go to our monthly e-newsletter, which has got over 120,000 subscribers, so if you're not signed up to that then it might be a good idea if you did, to keep across when the webinars are and any other updates that we make. We're also on Twitter, ICO news. And I'll plug the free helpline once again: 0303 123 1113. So thank you again for your participation, and goodbye.
