GDPR for Psychotherapists - Technical issues; general and information security

Next >

< Previous

One in a series

This is one in a series of interconnected blogs about applying the Data Protection Act (2018) and the GDPR(2016) laws for psychotherapists in the UK. The blogs are somewhat independent, but it would be best to first read the Overview and Introduction blogs, to orient yourself to the wider context and give background.

No affiliation

I do not get paid for, or get any other consideration, and don't have any affiliate arrangements with the organisations, companies or individuals I mention or their products or services. I do use many of the software applications I mention, but receive no discount or anything for mentioning them.

Very brief basics of information security

The GDPR states the following in Art 32: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia ..."

The GDPR deals centrally with the question how we can appropriately protect the personal data we hold about clients, i.e. their "information", from attacks or incidents which would impair the confidentiality, integrity or availability of the information. This is the general content of "information security" (often abbreviated to "Infosec"). As so much information is held on computers, and moved over networks and especially the internet, there are special sub-fields of cybersecurity (synonyms - computer security, IT security), internet security, network security and mobile security.

Good sources for brief introductions are wikipedia (articles under the above headings as keywords), Britain's National Cyber Security Centre (NCSC), and in the context of GDPR, the following links:

Thinking about information security involves thinking about the possible threats against which you are protecting. In the case of client information held by psychotherapists, we can think of:

  1. Human threats, in particular from people sharing our living accommodation or work space, or our own neglect (e.g. loss of a laptop on the underground). There is agreement amongst infosec professionals that the number one source of compromised security is human error and issues.
  2. From cybersecurity professionals or hackers (the distinction is hard to make). This can vary from technically professional targeted attacks to random hacking, e.g. in the context of training programmes in hacking. There are armies of hackers in the USA, China, Russia, Iran and Israel - to mention some major countries. And most hacking attacks on the internet these days are not made by human beings, but are fully automated. Successful attacks are often followed by blackmail to destroy the data acquired.
  3. Attacks originating from an agenda, either from press or media people who are looking for "material", or from people who want to threaten or damage - because of a grudge, or stalking, or matters of child custody or divorce disputes, or just to make money.
  4. More old-fashioned attacks which would start with the stealing of laptops or mobile phones, followed by "seeing what is on it"
  5. Attacks starting with insiders in one of the top companies holding or handling so much of our information:
    • Google (owned by Alphabet) + gmail + the "G Suite" (G Drive etc.) + Android + Chronicle + DeepMind
    • Microsoft + OneDrive + LinkedIn + Azure + Bing
    • Apple + iCloud + iPhone
    • Amazon Web Services (AWS), the ultimate host of much of the Cloud - for periods of time Dropbox, many well-known "independent" hosting companies, and many governments, including the US and UK governments, held much of their data on AWS servers
    • Internet Service Providers (ISPs), telecomms and mobile companies
    • Facebook + WhatsApp, Twitter and other big social media companies
  6. Governments, friendly or unfriendly, and their spying and surveillance agencies. Includes the NSA, Homeland Security, FBI, CIA, MI5, MI6, GCHQ, FSB.

It may not be possible to effectively secure ourselves against data leaking out to groups 4 and 5 above, "Big Cyber" and government / spying agencies. Even so, it may not be necessary or judicious to make it too easy, and offer them all our data without any attempt at all to protect them.

The attitude taken by the ICO, and by me in this note, is to be practical, and discuss some basic measures that can be taken at very low cost, involve limited effort, and still provide extra security. It is like locking your house and your car, and not leaving your camera or laptop in plain sight in a car while it is parked. They don't stop all theft, but still seem appropriate standard measures to take.

Recommendations for passwords

To be specific about passwords - in my opinion (and of the NCSC, and the vast majority of security experts) you cannot have adequate password protection without using a "password manager", for creating new strong passwords, and for storing new passwords.

The three big names in password managers, all paid, are 1Password, LastPass and Dashlane. If you don't want to pay for your password manager, there are KeePass/KeePassXC and Bitwarden; of which I prefer and use myself KeePassXC; but I think you give up a certain amount of convenience and ease of use. I also have used and recommend 1Password. Buy 1Password directly from 1password.com ; not from the Apple store.

Minimum password length is best at 15 for random characters. Don't use passwords that only consist of normal English words. Never share a password. Never use the same password for different applications, if they have any importance.