Data breaches
Before we begin today’s blog, did you know that you now have a duty to report a data breach? In fact, you have 72 hrs to do so. So next time you email your email list details of your latest training and forget to blind copy (bcc) people in, you will have breached data protection and need to fess up, both to the ICO and, if appropriate, the person whose data was involved.
Today’s blog: 8 rights of an individual – some of these aren’t new
1. Right to be informed
There is an obligation to provide ‘fair processing information’.
So simply be honest and transparent about what you are planning to do with their data and how you store it. See my blog part 4, privacy statements.
2. Right of access
Individuals have the right to access their personal data and supplementary information. This isn’t new. Clients have always had a right to see the notes written about them. You should already be informing them of this in your client information/contract.
Technically this is through a data subject access request; don’t confuse it with an FOI (freedom of information) request. This information must be supplied FREE and you have 1 month to supply it.
In reality your client will simply ask to see their notes next session and you can get them out of the filing cabinet.
3. Right of rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
This could be as simple as a client wanting their address updated. However, also consider that once they have read their notes they may feel something is inaccurate.
4. Right to erasure
People have the right to have their personal information erased.
However, the ICO says it’s not an absolute right to be forgotten.
It can be erased if:
It is no longer needed for the purpose for which it was collected in the first place. Remember in blog part 4 the privacy statement in relation to organising a party: I didn’t need their number 2 weeks after if we didn’t organise another party.
If there is no compelling reason for its continued processing.
In counselling, a compelling reason would be the exercise or defense of legal claims. Remember in blog part 2b we looked at not keeping data longer than necessary.
5. Right to restrict processing
A counselling example: you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.
6. Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
7. Right to object
You must include this in your privacy statement. Remember telling clients they can withdraw consent in your privacy statement.
8. Rights related to automated decision making including profiling
I can’t think of a reason a counsellor would be using a machine to make an automated decision about their client, or using a machine to profile their client, but if you can, then check out https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/
See you Friday for data retention schedules. How long should you be keeping personal data?