GDPR for Psychotherapists - Recommended actions
One in a series
This is one in a series of interconnected blogs about applying the GDPR (2016) to psychotherapists in the UK. The blogs are largely independent, but it is best to read the Overview and Introduction blogs first, to orient yourself to the wider context of the series.
No legal advice
Disclaimer: these are only my opinions. I am not a lawyer. This is not legal advice, but just a sharing of how I, as one technically informed but not legally trained person, subjectively interpret the GDPR (2016) and the DPA (2018), which have been in effect since May 2018.
No affiliation
I am not paid by, receive no other consideration from, and have no affiliate arrangements with the organisations, companies or individuals I mention or their products or services. I do use many of the software applications I mention, but receive no discount or anything else for mentioning them.
This blog is the summary version for people who are impatient and who, against my personal preference, do not want to do much thinking themselves, but would rather throw in their lot with me, trust me and follow my recommendations. They will still be responsible for their choices, and they still need to do a certain amount of personalising and thinking through their own situation. It is the easiest blog in the series to use: I give all my opinions, with as few nuances and options as I can.
Part I. Opinionated action summary
The basics
A person who processes personal data must adhere to the following principles. The processing must be
- lawful
- limited to collecting data for specified, explicit and legitimate purposes (the "lawful purpose" or "lawful purposes")
- adequate, relevant and limited to what is necessary
- accurate and, where necessary, kept up to date
- retained only for as long as necessary
- secure
The data subject (i.e. typically your client) must
- be given a privacy notice or statement
- be told if other people will hold or process their personal data (e.g. email suppliers; cloud storage providers; the executor of your therapeutic will)
- be told if their data are or may be held outside the European Economic Area and, if so, given details
- be told whenever there is a personal data breach that is likely to put them at high risk
The data subject has rights
- of access to their personal data
- to rectification
- to erasure
The GDPR distinguishes between the "data controller" (who determines the purposes and the means of processing personal data) and the "data processor" (who processes personal data on behalf of a controller). As a self-employed psychotherapist you are the controller of your client data; your email and cloud storage suppliers act as your processors. Public authorities and organisations whose core activities involve large-scale processing (including large-scale processing of health data) are obliged to appoint a "data protection officer", but that is not relevant when you are a self-employed psychotherapist.
What do you need to do?
- Register with the ICO (i.e. pay the data protection fee). The main exemption is if you do not use a computer or mobile phone at all for anything related to clients. Otherwise you need to. £35 or £40 per year for the smallest tier.
- Carefully review and think through what personal data you hold concerning clients (name and address are already 'personal data'; therapy notes are "special category" health data, which attract stricter rules); review where you hold them; think about the risks of someone getting hold of them.
- Decide what reason you have for holding the data. You are not allowed under the GDPR to hold data without one. This is your choice of "lawful basis" (Art 6; in the terms of this blog, the "lawful purpose"). I recommend using "Contract" as the lawful basis. That means you need to have a contract or agreement with your clients, and with everyone else whose information you hold, even if the contract is very short. Note that "Contract" covers Art 6 only; health data, which therapy notes are, also need an additional Art 9 condition (e.g. the provision of health care, or explicit consent). If you want to consider other options, read Part II.
- Prepare a privacy statement or privacy notice. Put it on your website and include it in the contract or agreement you have with clients. Review, update and adapt your contract or agreement. Get clients to sign the contract or agreement as soon as you can.
- Most psychotherapists who hold data in computer form will conclude that their security is insufficient. The GDPR (Art 32) is clear that you need to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". The measures it lists include pseudonymisation and encryption of personal data; appropriate levels of security for hardware and software (ongoing confidentiality, integrity, availability and resilience); functional and reasonable back-up arrangements (the ability to restore access to the data in a timely manner after an incident); and a degree of quality control and testing that means you know security is adequate (regular testing and evaluation of the measures).
- Whatever you say you will do in the Privacy statement, do it. Make the changes. Now.
It is inherently more difficult to ensure the security of mobile phones than of laptops and desktops. One approach is not to let client material be available on your mobile at all, including having no email contact with your clients from it.
Many therapists keep "contacts" of clients (e.g. name, address, phone number, email) in some form on their mobile, and use the mobile to some extent for making appointments and communicating about changes to appointments. SMS is inherently unsafe: messages travel and are stored unencrypted on the operators' networks and sit in clear on the handset. If you want messaging contact with clients, use an end-to-end encrypted app; two of the best-known are Signal and Wire. Insist in writing that all messaging with a client must use this app, and not SMS or Facebook Messenger (which is not end-to-end encrypted by default).
Messaging is easy to make secure; email contact is much harder. One solution is to refuse any email contact, but many therapists with a website will at least have a contact form, which delivers through a particular email system. Clients cannot waive your obligation to process their data securely. Suppose a client says "I don't mind, emails can be unencrypted; you can hold my data unencrypted; I am happy to put it in writing". If later your computer is stolen or hacked, the information leaks, something bad happens with it and the ICO reviews you, the ICO (and your client, for that matter) will hold you responsible for holding sensitive personal data on clients without protecting them adequately, regardless of your client's position on the matter.
The GDPR does not dictate particular methods of ensuring security, not even encryption; it tries to avoid being prescriptive and bureaucratic. But it does say that you are responsible for "ensuring an appropriate level of security". With the extensive experience of IT environments and technology that I have, I cannot see how anyone could believe that you ensure adequate security if you hold data unencrypted
- on your own computer
- in your backup of data (whether on an external drive or in the cloud; and according to the GDPR you must have backup storage)
- in a synced cloud supplier such as Dropbox or iCloud
- on the servers of your email supplier.
There is probably a lot of practical merit in a degree of pseudonymisation: replacing names and contact details in your notes with a code, and keeping the list that links codes to clients somewhere else. But it will rarely suffice as the only form of security. So use pseudonyms, but do not believe they are enough.
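To make the last point concrete, here is an added Python example (not code from the original blog) of what pseudonymisation does and does not buy you. It derives a client code with a keyed HMAC-SHA256 so the same client always gets the same code, splits a record into pseudonymised notes and a separate identity map, and then shows two limits: whoever holds the notes together with the map (or the key) recovers the client, and names written into the free text of the notes are untouched. The key and the client records are constructed, fictional values.

```python
"""Pseudonymisation of client records: what it protects and what it does not.

Added example, not code from the original blog. The pseudonym is a keyed
HMAC-SHA256 of the client's name, so the same client always gets the same
code, but nobody can turn the code back into a name without the key. The
key and the identity map are the re-identification material that the GDPR
(Art 4(5)) requires to be kept separately from the pseudonymised notes.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Dict, Tuple

# Hypothetical key for the example; generate a random 32-byte key in practice.
PSEUDONYM_KEY = b"example-key-not-for-real-use-0123456789abcdef"

# Constructed sample records (fictional client data).
CLIENT = {
    "name": "Jane Example",
    "address": "1 Example Street, Exampletown",
    "email": "jane@example.invalid",
    "notes": "Session 3: discussed work anxiety; next session Tuesday 10am.",
}
CLIENT_LEAKY = dict(CLIENT, notes="Jane Example said her manager shouted at her.")

IDENTIFIERS = ("name", "address", "email")


def pseudonym(identity: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic, keyed code for an identifying value (16 hex chars)."""
    return hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(
    record: Dict[str, str], key: bytes = PSEUDONYM_KEY
) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split a record into pseudonymised notes and an identity-map entry.

    Store the two outputs in different places: the notes with your other
    notes, the identity map (and the key) somewhere the notes are not.
    """
    code = pseudonym(record["name"], key)
    pseudo = {"client_id": code, "notes": record["notes"]}
    identity_map = {code: {k: record[k] for k in IDENTIFIERS}}
    return pseudo, identity_map


def reidentify(
    pseudo: Dict[str, str], identity_map: Dict[str, Dict[str, str]]
) -> Dict[str, str]:
    """Whoever holds both the notes and the map gets the client back.

    Pseudonymised notes on a stolen laptop that also carries the map are,
    in practice, not pseudonymised at all.
    """
    return {**identity_map[pseudo["client_id"]], "notes": pseudo["notes"]}


def confirm_guess(code: str, candidate: str, key: bytes = PSEUDONYM_KEY) -> bool:
    """With the key, anyone can test a guessed name against a code.

    So the key is as sensitive as the identity map and must be kept apart
    from the notes just as carefully.
    """
    return hmac.compare_digest(pseudonym(candidate, key), code)


def leaks_identity(pseudo: Dict[str, str], record: Dict[str, str]) -> bool:
    """Crude check: do the free-text notes still contain a direct identifier?

    Pseudonymisation only replaces the fields you choose; a name typed into
    the body of the notes is untouched, so the notes must still be encrypted
    and access-controlled in their own right.
    """
    text = json.dumps(pseudo).lower()
    return any(record[k].lower() in text for k in IDENTIFIERS)


if __name__ == "__main__":
    notes, id_map = pseudonymise(CLIENT)
    print("pseudonymised:", notes)
    print("identity map :", id_map)
    print("re-identified:", reidentify(notes, id_map)["name"])
    leaky_notes, _ = pseudonymise(CLIENT_LEAKY)
    print("name leaks via free text:", leaks_identity(leaky_notes, CLIENT_LEAKY))
```

The design choice worth noting is the keyed HMAC rather than a plain hash: a plain SHA-256 of a name can be reversed by hashing a list of likely names, whereas the HMAC can only be re-computed by someone who holds the key. That is also why the example treats the key as equal in sensitivity to the identity map.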
The ICO have an extensive section on security and encryption on their website. They have developed [joint guidance on security](https://ico.org.uk/for-organisations/security-outcomes/) together with the National Cyber Security Centre (NCSC), and for practical advice they refer more generally to statements from the UK government, specifically advice from the NCSC.
Following is an as-brief-as-possible list of basic security measures to have in place, in line with the NCSC's Cyber Essentials scheme that the ICO refers to. It is assumed here that you have either a Windows or a Mac environment; for other operating systems there would be slightly different options.
The most important general statement is to keep all your systems as up to date as you can, and to use all the security settings that your computer system offers you, to the maximum degree.
In addition you need the following measures:
- Have a firewall in place, either the one built into your operating system or the one from your antivirus protection suite (Windows).
- Use passwords. Use strong passwords. Use a password manager. And, wherever it is offered for relevant parts of your system, use two-factor authentication (2FA) / multi-factor authentication (MFA).
- Effectively control who has physical access to your system. This includes relatives, partners, spouses and children. Never share passwords, not even with relatives. Wherever you can, only use software from official, recognised sources. Any system you have that needs to be secure needs an individual (not shared) username and password to log in, and a screen lock that asks for the password after a short idle period, so that once logged in it does not remain "open" indefinitely.
- On Windows, have a good anti-virus and anti-malware system in place. On Mac, most people still do not run one; at a minimum make sure the built-in protections (Gatekeeper, XProtect) are not disabled.
- Keep all your systems up to date. Have the latest version of your operating system (macOS; Windows 10). Enable automatic updating wherever possible. Use the latest version of your browser(s) and of Microsoft Office. Install all software updates when they are offered.
- You need a password manager. Get 1Password and use it. Possible alternatives: LastPass, Dashlane, KeePassXC. KeePassXC is free; the others are commercial, i.e. cost money. Never share a password, not even with family. Never reuse a password across accounts that have any importance.
- Choose a fully encrypted email system, picking between ProtonMail and Tutanota. Emails between two users of the same service are end-to-end encrypted, so insist to clients in writing that they can only have email contact with you if they set up an account on the same service you have selected, ProtonMail or Tutanota, and use it with you. Use this also for the contact form on your website.
- Set up a backup system (this is a direct requirement of the GDPR: Art 32(1)(c), the ability to restore availability of and access to the data in a timely manner). Have frequent backups using Apple Time Machine or Windows automatic backup to an external hard drive. Be synced with cloud storage or, better, have an automated cloud backup system: a synced folder on its own is a weak backup, because a deletion or corruption on your computer is quickly copied to the cloud and you then depend on the supplier's version history to recover. For cloud backup use pCloud with pCloud Crypto (the cheapest), SpiderOak or Tresorit, all of which encrypt your files on your own computer before upload, so the supplier cannot read them.
- Encrypt your laptop / PC / desktop, and encrypt your external backup drive. On Apple this is done by turning on FileVault and ticking "Encrypt backups" when you select the Time Machine drive. On Windows this requires BitLocker (available in the Pro and Enterprise editions, not Home) and / or the free, open-source but technically more challenging VeraCrypt. Keep the recovery key somewhere other than the encrypted machine itself. The ICO specifically names FileVault and BitLocker.
In your privacy notice you must give an outline of the above systems, i.e. describe where the data will be held, with which suppliers, whether they will be encrypted or not, and whether you use pseudonymisation. As regards countries, the ICO publish the list of countries outside the EEA that have an "adequacy" decision. This includes Switzerland and, substantially, Canada (commercial organisations), and the USA only for companies certified under the EU-US Privacy Shield.
Although this may seem eclectic, I believe the above is a good checklist for many therapists to go through and work with, in order to deal with the immediate implementation challenges of the GDPR. It does not make recommendations for mobile phones; that is a separate blog.