GDPR made easy for counsellors: Part 2b
8 principles of data protection: Recap
Under the Data Protection Act 1998, the information held on individuals must be:
1 Fairly and lawfully processed
You’re honest about how you intend to use my data, and you tell me in a privacy notice when you collect my personal data. Then, before you share it, you have a damn good lawful reason for doing so.
2 Processed for limited purposes
You collect my shoe size for the purpose of making me shoes. You don’t then pass it on to a PPI firm.
3 Adequate, relevant and not excessive
You don’t need my weight, height, hair colour or blood type to make me a pair of shoes.
4 Accurate and up to date
You don’t hold old addresses and the like. Consider regular reviews with long-term clients.
5 Not kept for longer than is necessary
You don’t need to keep my shoe size on file for 15 years. (Data retention schedules come later in the blog series.)
6 Processed in line with the individual’s rights
There are currently 6 rights: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/
The main points for counsellors
Right of subject access: I can request to see the data held about me. It’s effectively my data. Don’t forget those clinical notes from earlier. You should respond promptly, and within 1 calendar month. https://ico.org.uk/for-organisations/guide-to-data-protection/exemptions/
Damage or distress: I have a right to prevent processing that is likely to cause damage or distress, though this is currently limited in scope.
Preventing direct marketing, and correcting inaccurate personal data.
Compensation: this covers data breaches.
GDPR will have 8 rights for the individual; see later in the blog series. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual...
7 Security
Appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. That’s our locked filing cabinet. However, don’t forget your electronically stored data, whether on a computer or web based.
8 Not transferred outside the EEA without adequate protection
https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/
Step 2 on your GDPR journey
You’ve already reviewed the information you hold. Now review:
What contains personal data?
What contains sensitive personal data?
Is the data you hold adequate, relevant and not excessive?
There’s a lot for you to do. I’ll see you next Monday.