My brother in law’s a dispensing optician. He’s received GDPR advice recently from a professional body to which he belongs which says a few things. My brother in law is not an expert and this is what he thinks it says.
- Because he deals with the Health Service, GDPR has decided he is a public body. As a small business he is not exempt from GDPR. The Government said so.
- Public bodies need to appoint a DPO
- On his staff he has 3 people and a dog. All they know about GDPR can be written on a single pixel on a broken iPad. He as owner and his accountant (his wife) as financial person cannot act as DPO. That leaves his receptionist aged 18 called Beyoncé. He has no money for another staff member. If he appoints another member of staff he stops being a profitable business and goes out of business. The dog probably knows more than Beyoncé about GDPR.
- His professional body suggests that he contacts his nearest optician and acts as their DPO while they act as DPO for him. Commercial and competition interests make this an unappetising prospect let alone the fact that neither DPO will have the foggiest what GDPR means.
- He has to delete patient files after 10 years. If a patient dies he has to keep their record for 10 years. At the same time he should not hold any personal information or health records any longer than necessary.
- He’s worried that he’ll be non compliant and the massive fines will put him out of business.
- Their lawful basis for processing data is either Public Task (whatever that is) or Legitimate interest (same). He doesn’t understand either.
- The deadline for doing all this is today! The guidance arrived in the last few days.
What can we do to help him?
Here’s the guidance
|ABDO, with the Optical Confederation, communicated to members in December 2017, has been negotiating with Westminster. The organisations requested that optical practices be exempt from appointing a Data Protection Officer (DPO). Unfortunately despite our best efforts this request was unsuccessful and all optical practices, now defined as Public Authorities under the new GDPR, will need to appoint a DPO.
You will find below what practices should consider when reviewing their position on GDPR and the ICO guidance on these points.
Small business owners who do not have existing staff who could potentially be the DPO, who may struggle financially to fulfil their GDPR obligations in employing a DPO, are encouraged to do as much possible to become compliant by reviewing:
Some members of ABDO with one person practices are working with local colleagues to be the DPO for each other, which is reasonable if the individuals have a good knowledge and understanding of GDPR requirements to comply.
Please note that this is guidance and you should visit the ICO website for more detailed information and explanations. There is also an ICO helpline to provide advice for small businesses too.
|What’s new and how does this affect optical practices?|
|All data processing should be lawful, transparent and fair. The new GDPR law puts in place more requirements for businesses to make uniform processes they will already have in place:
• to prevent a breach (practices should be able to demonstrate all processes and have a DPO to manage GDPR under new law);
• to comply with data requests (you have one month to respond and you cannot charge under the new law);
• and to report a breach (72 hours to report a breach under new law).
You should not hold any personal information or health records any longer than necessary.
You should continue to abide by the GOC standards in this situation and consider the ICO advice that patient records contain personal data and should not be kept longer than necessary:
|What you need to review|
|Practices need to review processes considering the new rules on:
The ICO website has detailed guidance on all rights:
o Right to be informed
You should continue to practice as you do currently with regards to providing GOS. This includes referring patients to secondary care, sending out reminders, appointments etc.
Communicating information/marketing on relevant products which are specific to your patients, which they currently expect, should remain the same too. Patients should always be given the option to opt out of receiving marketing material as they should be currently.
You should write to patients to inform them of your updated privacy policies, including your lawful basis under the new rules of GDPR.
Optical practices that provide General Ophthalmic Services (GOS) lawful basis is Public Task (You can use the interactive toolkit on the ICO website to confirm your lawful basis) and for all other processing within practices the lawful basis is a Legitimate Interest. All Practices Privacy notices should be reviewed to include your lawful basis and inform patients of this.
Public task – You can rely on this lawful basis if you need to process personal data:
It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law.
The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.
Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis.
Legitimate interest is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to
The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required. See the ICO website for templates.
ABDO is working with the Optical Confederation on the role and requirements of a DPO in small practices to be accepted by the ICO and will communicate on this separately. We understand that for some practices that it may not be financially viable to appoint a DPO and if you need further advice, please email email@example.com contact the ICO direct on the number provided above.
The ICO guidance on a DPO is noted below:
What professional qualities should the DPO have?
It doesn’t specify the precise credentials they are expected to have, but it does say that this should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires.
So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced enough to provide effective oversight.
It would be an advantage for your DPO to also have a good knowledge of your industry or sector, as well as your data protection needs and processing activities.
The DPO’s tasks are:
It is important to remember that the DPO’s tasks cover all personal data processing activities.
When carrying out their tasks the DPO is required to take into account the risk associated with the processing you are undertaking. They must have regard to the nature, scope, context and purposes of the processing.
The DPO should prioritise and focus on the more risky activities, for example where special category data is being processed, or where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk-based advice to your organisation.
If you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability.
The GDPR says that you can assign further tasks and duties, so long as they don’t result in a conflict of interests with the DPO’s primary tasks.
Please also note that there is no ICO recognised qualification/certificate for a DPO. There are companies that offer GDPR training but everything you need to know is on the ICO website.
|Summary of Next Steps|
|You now need to:
The Optical Confederation will be issuing further detailed guidance which we will communicate in due course. In the meantime if you need further advice please email ABDO Policy Officer Debbie McGill firstname.lastname@example.org
|GDPR for ABDO Members|
|This guidance applies to ABDO members and their work in practice and with members of the public.
ABDO will be communicating separately with members about protection of members’ data in a letter enclosed in Dispensing Optics.