GDPR made easy for counsellors; Part 6

Data retention schedule

Hi everyone, data retention on a Friday afternoon, I’m just so rock and roll.

A data retention schedule - is basically you being very clear how long you keep personal data.

Now hands up who’s never really thought about how long they keep client notes or client contact information? Who’s never thought there may actually be a specific need to keep information?

·        Do you keep data for as long as you fancy or until you remember to have a clear out?

·        Do you keep client notes until your secure storage is full?

·        Do you keep for x time because you think that’s just what others do?

·        Do you keep it because you never know when the client may want to come back in the future?

·        Do you keep every text, email, of any contact from the client for ever and a day too?

So that would be a problem under current data protection let alone under the new general data protection regulations GDPR.

Remember in an earlier blogg you needed a clear lawful reason to share data. You also need a legitimate reason for keeping them too. To be clear that’s a legitimate reason that is listed in GDPR not something you just made up and think it legitimate.

IMPORTANT BIT Go and read your insurance document right now.

The main reason you’re keeping adequate records after the client has finished sessions is because there is a legal amount of time they can take legal action.

An action for me and my practice in all my GDPR reading is to double check if that limits 5, 6 or 7 years. My insurance ask me to keep them for 5 years.  So that’s what I do.

Remember in blogg 5 one of 8 rights of an individual was the right to erasure but of the exceptions was “The exercise or defence of legal claims”

Keeping Adequate records

Now this is open to interpretation. It doesn’t specifically say notes it says records. So this could be

·        Client name

·        Start date of sessions

·        End date of sessions

·        Number of sessions completed

·        Main presenting issue

·        Any specific interventions etc

If you keep clinical notes and do choose keep them, they would be adequate records.

Do I keep all my clients contact information too? No. Why would I need to? What would be the legitimate reason? I don’t need their mobile number to ring them, as I wont be contacting them once finished. The number was taken for contact while they were a client. Any use of their number beyond that would not be for the reason it was collected.

Legal jargon bit  ICO website says “ Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”

So no longer than necessary would be the length of time for legal action. Beyond that what would be your legitimate reason for keeping them?

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/

Privacy statements

From Blog 4 don’t forget that once you are clear on how long and why you are keeping notes or adequate records you need to be clear with the client in your privacy statement and tell them. They have a right to know what you are keeping and for how long.

Remember from blog 2 data protection recap you couldn’t keep my shoe size for the next 20years.

Remember to tell them the length of time you’re keeping information is from the end of counselling and for under 18’s that’s from the point at which they turn 18.

Actions -  

·        read your insurance small print

·        Go and check your filing cabinet (paper, electronic, virtual) and check you don’t currently have any notes you have kept beyond a legitimate timeframe. If you have dispose of them as confidential waste.

See you next week for a GDPR round up and checklist reminder of things to doing

and I’ll have a useful data sharing checklist to use for those moments of to share to not to share