GDPR for Psychotherapists - Legal issues; excerpts from the GDPR text

Next >

< Previous

One in a series

This is one in a series of interconnected blogs about applying the GDPR(2016) law for psychotherapists in the UK. The blogs are somewhat independent, but it would be best to first read the Overview and Introduction blogs, to orient yourself to the wider context and give background.

Disclaimer: these are only my opinions. I am not a lawyer. This is not legal advice, but just sharing how I as one (technically informed but not legally trained) person subjectively interpret the GDPR that will become effective on 25 May 2018.

The "legitimate interests" purpose for psychotherapists

As regards the "legitimate interest" purpose as the lawful purpose for psychotherapists. I personally think it only rarely is a good fit, for the following reasons:

The ICO says you can only rely on legitimate interests if you cannot find another purpose (eg contract or consent - which seem obviously possible).

This is a paragraph about legitimate interests with examples: "The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities."

It gives me a strong impression that this category is almost exclusively one for marketing and direct marketing campaigns - including perhaps sending out public interest information to targeted groups, e.g. about access to a helpline, or wearing condoms, or canvassing to get votes. Also fund-raising by a charity would come into this category. All these seem very different from the activity of psychotherapy and counselling.

"You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result."

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

If you decide on legitimate interests as your lawful basis, you must make a Legitimate Interests Assessment, write this up and keep a copy to show to the ICO if asked.

You must include the Legitimate interests purpose in your Privacy notice to clients. "You must tell people in your privacy information that you are relying on legitimate interests, and explain what these interests are."

Extracts from the GDPR (2016)

From Art 4 Definitions

'personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

'data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

From Art 6 Lawfulness of processing

Processing shall be lawful only if and to the extent that at least one of the following applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

From Art 9 Processing of special categories of personal data

  1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

  2. Paragraph 1 shall not apply if one of the following applies:

  3. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
  4. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
  5. [ And 8 other categories none of which I believe is applicable ]

From Art 13 Information to be provided where personal data are collected from the data subject

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
  2. the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  3. the contact details of the data protection officer, where applicable;
  4. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  5. where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
  6. the recipients or categories of recipients of the personal data, if any;
  7. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

  8. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

  9. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  10. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  11. where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  12. the right to lodge a complaint with a supervisory authority;
  13. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  14. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

From Art 32. Security of processing.

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
  2. the pseudonymisation and encryption of personal data;
  3. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  4. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  5. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

  6. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

From Art 33 Notification of a personal data breach to the supervisory authority

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the [competent supervisory authority - in the UK that is the ICO], unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

From Art 34 Communication of a personal data breach to the data subject

  1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
  3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
  4. the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  5. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;