New Europe-wide legislation, known as the General Data Protection Regulation (GDPR), comes into force on 25 May. The new law, which is set to replace the Data Protection Act, will affect any individual or company that processes personal information – including private physiotherapists and business owners.
Jo Hampton, CSP head of governance, says the regulation will require organisations, including the CSP, to be more accountable and transparent about the data they hold, and allow people greater access and control over their own personal data.
‘GDPR will affect many CSP members, especially those who are running their own businesses, so it’s vital to prepare now and become aware of the changes.
‘Everyone who collects, stores or processes personal data will need to comply with the new regulations or run the risk of being fined. That may involve updating security or software, changing working practices and putting policies into place to meet all the requirements.
‘Depending on the size of your business, that could take considerable time and planning, so don’t wait until the last minute. Members who haven’t already done so should refer to guidance from the Information Commission Office (ICO), identify how GDPR impacts on them and start making the necessary changes,’ says Ms Hampton.
After 25 May, non-compliance with GDPR could lead to criminal prosecution or non-criminal enforcement and an audit. In addition, the ICO will have the power to impose a penalty on data controllers of up to €20 million or four per cent of an organisation’s global turnover.
CSP member Stuart Nottingham is clinical director of Sun Rehabilitation, a UK-wide occupational health business based in Pershore, Worcestershire. He says people who own and run physiotherapy businesses must act now.
‘Under the new regulations, fines for non-compliance could be up to four per cent of your business’s annual turnover,’ he warns. ‘We started upgrading our systems to be GDPR-compliant last August and, although we are mostly there, still aren’t completely finished.’
To prepare, he hired a technology consultant, John Gordon, to guide his company through the process. ‘I would recommend that all businesses consider getting advice on how to become compliant with the new legislation. It helped us enormously. John saved us from having to find answers to a lot of issues and, potentially, wasting a lot of time going down blind avenues.’
Prepare for the worst
The first step was a risk assessment of every aspect of the business to examine current data protection policies and identify any area of non-compliance with the new regulations (which are available on the ICO website).
‘Until you’ve done a risk assessment you really don’t know what you’ll have to do,’ says Mr Nottingham. ‘We had to look at everything: where and how we hold data, who has access to it, what levels of encryption we use, how records are maintained and how we communicate and record consent.’
Mr Nottingham’s company employs staff working throughout the UK, providing musculoskeletal treatment to improve absence management and staff wellbeing. ‘We transfer data about patient referrals all over the UK so we’ve had to ensure we are doing that in a secure and compliant manner,’ he says.
‘Sending even password-protected patient information in an open email is unacceptable now and so we’ve installed new software that encrypts emails.’
As well as considering the security of stored and transferred data, the company has also had to revise its policies and procedures for handling requests from individuals seeking access to the data held on them.
In addition, Mr Nottingham says it’s vital to prepare for the worst, by establishing a plan of action to be followed in the event of a data breach.
‘You should be making every effort to make sure that never happens. But if it does, what do you do? You need to have your planned response written down in your processes and policies document.’
He adds: ‘My strong advice to any physiotherapy business owner who hasn’t started to prepare yet is: don’t leave it to the last minute because it will take time for you to get it sorted out. And there isn’t much time left.’
Get ready now
CSP members got a stark warning on GDPR from a government official at a recent conference of the Medico Legal Association of Chartered Physiotherapists (MLACP) in London.
Paul Davidson, a special adviser on law enforcement and security at the Foreign and Commonwealth Office, said that private physios should ‘get ready now’. ‘GDPR will be a game changer for everyone because it will bring in a raft of legal responsibilities for anyone who holds data,’ he said.
In order to prepare, Mr Davidson suggested that physio businesses should:
- do a data audit: look at what information you hold, where and why you keep it, what legislation allows you to hold it and with whom you share it;
- work out how to manage subject access requests when people ask for the data you hold about them;
- plan how to deal with a data breach.
This article was amended on 15 February 2018, to correct the figure for the maximum financial penalty that data controllers could face if they fail to comply with GDPR.