We know that, as busy therapists, you are working hard to provide the best care for your clients and want to be sure you are doing everything you can for them. With GDPR coming into effect on 25 May 2018, there are a lot of concerns about how it applies to healthcare practitioners and what processes need to be in place. We hope this post reassures you that the team at MyTherapyTracker has worked hard to ensure that, as a practice management solution, we comply with GDPR.
MyTherapyTracker was created by two speech and language therapists working in independent practice, so we know what it is like to run a therapy practice and how important information governance is for professional compliance with HCPC standards and the code of practice. That is why we created MyTherapyTracker: to help us manage our patient records securely while also supporting best practice in collaborative intervention. Our ClientView feature was created in line with the overarching ethos of the GDPR, to be clear and transparent, so that parents and carers can largely exercise their right of access on their own terms at any time. We are the only cloud-based practice management system in the UK created by therapists and designed specifically for therapy, so we understand the importance of GDPR from both sides of data protection. As a cloud-based practice management solution, we are often asked,
“Is MyTherapyTracker GDPR compliant?”
To respond to that, we need to discuss GDPR for what it is rather than what it is not. GDPR affects every organisation that holds personal data, and in your case that data is likely to be health-related, which GDPR treats as "special category" data (what the Data Protection Act 1998 called "sensitive" personal data) and subjects to additional conditions. MyTherapyTracker is a tool within your practice management that can certainly help you comply with GDPR, but you still have to do the work to ensure that all of your practices follow the requirements GDPR sets out. Let's look at this in a bit more detail.
What is GDPR and how will it affect my practice?
GDPR is the General Data Protection Regulation, in effect from 25 May 2018, which replaces the rules on how personal data is held and processed that were previously in place under the Data Protection Act 1998. As a health practitioner subject to HCPC requirements, you are likely to hold personal data for the purposes of carrying out your work. According to the ICO, you must have a lawful basis in order to process personal data. The six lawful bases (GDPR Article 6) are: Consent, Contract, Vital Interests, Public Task, Legal Obligation and Legitimate Interests. For a private healthcare practice, Contract, Legal Obligation and Legitimate Interests are likely to be the most relevant. Because health data is special category data, you also need a separate condition under Article 9 for processing it; for most practices this will be the provision of health care (Article 9(2)(h)). It is important that you understand your lawful basis for processing and your role as a data controller (and, where relevant, the role of any data processors you use), and that you have communicated this information clearly to your clients.
Data Controllers & Data Processors
As a healthcare practitioner responsible for the care of your clients, you or someone in your organisation will be the Data Controller: the party who decides why and how clients' personal data is held and processed. A Data Processor is a separate organisation that processes personal data on a controller's behalf and only on the controller's instructions. Keeping your own healthcare records does not make you a processor; as the controller you remain responsible for that data. As a MyTherapyTracker customer, your clients' data is still your responsibility, but using our service means that MyTherapyTracker and its hosting partners act as Data Processors by securely hosting your data on your behalf. GDPR Article 28 requires the controller to have a written contract in place with each processor setting out what the processor may do with the data, so check that any processor you use provides one. Controllers and processors must each comply with the GDPR obligations relevant to their role, and both need to be aware of the rights your clients, carers or customers have regarding how you hold and process their data.
The Individual’s Rights Regarding their Personal Data
These are the rights of the individual regarding their personal data, as outlined by the ICO. More information is available on the Information Commissioner's Office website, ico.org.uk.
Right to be Informed (GDPR Article 13): You should inform your clients/carers of the following:
- what type of personal data you hold
- where it comes from
- the lawful purposes for processing that data
- who has access to their data
- how the data is used
- how long you keep the data
- their rights regarding their data, including the right to withdraw consent for Data Processing, where relevant, and their right to complain
Right of Access (GDPR Article 15): The client and carer are entitled to request a copy of their personal data free of charge. A request does not have to be in writing, and you must normally respond within one month (GDPR Article 12); a reasonable fee may be charged only for further copies or for requests that are manifestly unfounded or excessive.
Right of Rectification (GDPR Article 16): The carer and client are entitled to have personal data rectified if it is inaccurate or incomplete, and your organisation must comply with the request within 1 month.
Right to Restrict Processing (GDPR Article 18): The client and carer have a right to ask you to restrict processing of their personal data in specific circumstances, for example while they are contesting its accuracy or while an objection is being considered. It does not override processing you are legally required to carry out, but it may affect activities such as sharing their information with other professionals.
Whether the following rights apply depends on your lawful basis and the circumstances, and some may not be relevant to your service provision:
- Right to erasure (GDPR Article 17): does not apply where processing is necessary to comply with a legal obligation or for the provision of health care
- Right to portability (GDPR Article 20): applies only to data processed by automated means on the basis of consent or contract
- Right to object (GDPR Article 21): applies where processing is based on legitimate interests or public task, so do not assume a legitimate-interests basis removes it
- Right not to be subject to solely automated decision-making (GDPR Article 22): relevant only if you make decisions about clients by automated means without human involvement
As a healthcare practitioner and a Data Controller, you are responsible for the security of the personal data you hold for the purposes of carrying out your work. This applies under GDPR whether you keep paper notes or electronic notes, and whether or not you choose to use a cloud-based practice management solution like MyTherapyTracker. The ICO has some really helpful information about secure cloud storage on its website. Because you remain accountable for the data, it is important that you can trust your Data Processor(s) to provide strong security for it, and that you can show what they do. MyTherapyTracker hosts your data using cloud storage located in the UK that is certified to ISO 27001, the international standard for information security management systems. When assessing any processor, check that the scope of such a certificate actually covers the service you are using, not just the data centre, and that your data stays in the UK or EEA or is otherwise covered by appropriate transfer safeguards.
So, to answer the question "Is MyTherapyTracker GDPR compliant?": no practice management solution can claim that using a software system alone makes your practice compliant. Complying with GDPR is about being careful with someone else's personal information and being clear and transparent about what you are doing with it. MyTherapyTracker, like any software solution, is one tool among many, alongside consistent, robust business processes, for achieving best practice and compliance with GDPR.
We know that it may seem daunting and that there is a lot to consider, but we hope that MyTherapyTracker can be part of your plan to help your practice comply with GDPR while keeping your practice management sorted as well. We hope you feel reassured that, as the team of therapists behind this intervention-focused practice-management solution, we have explained how we are working with you to support your practice towards GDPR compliance.