
GDPR made easy for counsellors: Part 2b

  • By Karen Emery
  • 24 Jan, 2018

8 principles of data protection Recap


Under the Data Protection Act 1998, the information held on individuals must be:

1. Fairly and lawfully processed

You’re honest about how you intend to use my data, and tell me in a privacy notice when collecting my personal data. Then, before you share it, you have a damn good lawful reason.

2. Processed for limited purposes

You collect my shoe size for the purpose of making me shoes. You don’t then pass it on to a PPI firm.

3. Adequate, relevant and not excessive

You don’t need my weight, height, hair colour, blood type, to make me a pair of shoes.

4. Accurate and up to date

You don’t have old addresses etc. Consider regular reviews with long-term clients.

5. Not kept for longer than is necessary

You don’t need to keep my shoe size on file for 15 years. (Data retention schedules are covered later in the blog series.)

6. Processed in line with your rights

There are currently 6 rights: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/

The main points for counsellors

Right of subject access: I can request to see data held about me. It’s effectively my data. Don’t forget those clinical notes from earlier. You should respond promptly & within 1 calendar month. https://ico.org.uk/for-organisations/guide-to-data-protection/exemptions/

Damage or distress: I have a right to prevent processing, though this is currently limited in scope.

Preventing direct marketing & correcting inaccurate personal data

Compensation covers data breaches

GDPR will have 8 rights of an individual; see later in the blog series. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual...

7. Security: appropriate security to prevent personal data you hold being accidentally or deliberately compromised. That’s our locked filing. However, don’t forget your electronically stored data, whether computer or web based.

8. Not transferred outside of the EEA without adequate protection. https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/

Step 2 on your GDPR journey

You’ve already reviewed the information you hold. Now review:

What contains personal data?

What contains sensitive personal data?

Do you hold adequate, relevant and not excessive data?

There’s a lot for you to do. I’ll see you next Monday.

 

 

 

