Cyber security adviser warns physio businesses to prepare for data protection changes

Physiotherapy businesses need to be more ‘cyber resilient’ and prepare for new legislation which will increase people’s rights to access their personal data.


The General Data Protection Regulation (GDPR) legislation comes into effect in May 2018

This was the advice of Paul Davidson, a special adviser on law enforcement and security at the Foreign and Commonwealth Office, during his speech at the Medico-legal Association of Chartered Physiotherapists (MLACP) conference.

He told the event in London on 24 November: ‘Cyber attacks are doubling every year, and your data is valuable, but there are simple steps you can take to reduce the risk.’

He suggested that physio businesses should limit access to their data, make use of cloud storage systems, use password vaults, back up data to at least three different places on separate networks, use secure web services, encrypt data on mobile devices and USB sticks and consider employing a professional cyber security service.

Game changing law

Mr Davidson warned that new Europe-wide legislation, the General Data Protection Regulation (GDPR), would come into effect in May 2018 and that private physios should ‘get ready now’.

‘GDPR will be a game changer for everyone, because it will bring in a raft of legal responsibilities for anyone who holds data,’ he said.

‘Lots of people think its European regulation so we don’t need to worry about it because of Brexit, but that’s not accurate. The UK has already confirmed that our domestic law will align to the legislation.

‘And anyone who deals with Europeans – for instance a physio who treats a French person – this law protects them, wherever they are in Europe. So you will need to accord to the GDPR.’

Increasing fines

Delegates heard that fines for data protection breaches, issued by the Information Commissioner’s Office, currently range from £1,000 up to hundreds of thousands of pounds.

Under the new legislation, fines in the UK are likely ‘to go up tenfold’, Mr Davidson said.

Get ready now

To prepare for the GDPR, Mr Davidson suggested that physio businesses

  • Do a data audit: look at what information you hold, where and why you keep it, what legislation allows you to hold it and who you share it with
  • Work out how to manage a subject access requests, when people ask to access the data you hold about them
  • Establish a privacy policy and ensure your clients give explicit consent for you to collect and hold data about them
  • Plan how to deal with a data breach

Author: Robert Millett

Number of subscribers: 0

Log in to comment and read comments that have been added