Friday 2nd February 2018
GDPR – Protect & Respect Personal Information
- 2 February 2018
In recent months, awareness of the new General Data Protection Regulation (GDPR) has been steadily increasing within the veterinary industry. We have been working for some time now on ensuring that we are doing everything we can to help practices comply. This includes changes being made in RoboVet and Rapport, which you can find out more about below.
GDPR comes into force on 25 May 2018 and applies to all organisations across Europe. Its purpose is to strengthen the rights of individuals, currently enshrined in the Data Protection Act (1998), and ensure that organisations protect and respect the personal information that they collect and store. It is enforced in the UK by the Information Commissioner’s Office (ICO) and will stand regardless of Brexit.
Under GDPR, personal information is defined as, ‘any information relating to an identifiable person who can be directly or indirectly identified’ (ICO 2017). Like the Data Protection Act before it, GDPR does not cover animal information, as it is concerned only with people. For a vet practice an ‘identifiable person’ would include clients, employees, referring vets, client contacts etc. Essentially, the personal information of any individual, that interacts with the practice, must be protected and treated with respect in the spirit of GDPR.
The idea of upholding the spirit of GDPR is key to the ‘Accountability Principle’. This requires organisations to ‘demonstrate that you comply with the principles of GDPR and states explicitly that this is your responsibility’ (ICO 2017). It is therefore critical that practices understand GDPR and design, implement and maintain procedures to mitigate risk by ensuring that the personal information they control and process is being protected and treated with respect. Practices that do not do this cannot demonstrate compliance.
Measures taken by the practice, to demonstrate compliance with GDPR, will need to cover a whole range of activities of which only one is the use of RoboVet. Other considerations must include, but are not limited to, personal information on paperwork sitting on a desk in reception or in folders in the back office, files saved on hard drives and desktops and the security of the practice server.
The role of RoboVet is to help facilitate a best practice approach but it is not responsible for making the practice compliant; compliance is the responsibility of the practice.
We would strongly recommend that practices educate themselves on what is required of them under GDPR. As a software provider, it is not our remit to offer legal advice however, we can provide information on changes that are being made in RoboVet to help facilitate best practice under GDPR.
Useful sources of information are:
- The Information Commissioner’s Office (ICO): Guide to GDPR – the official UK government body responsible for upholding the rights of individuals, in respect to their personal information, and for bringing organisations found to be in breach of data protection laws to account.
- ICO Privacy notices, transparency and control – ICO information specifically on the requirements around privacy notices.
- Preparing for GDPR: 12 Steps to Take Now (ICO) – An overview of considerations that organisations should make in preparation for GDPR.
- GDPR & RoboVet Webinar – hosted by the RoboVet Product Team on Tuesday 20 February 2018; this is an opportunity to learn about the changes being made in RoboVet to help practices manage how they handle personal information. View a recording of the webinar here.
- Our website – includes information and useful tips on GDPR.
GDPR: RoboVet & Rapport
The changes being made in RoboVet and Rapport to help facilitate best practice under GDPR will be available with the Spring 2018 Release in May. Each new feature can be related back to a key principle of the regulation (GDPR Principles, ICO 2017). These principles exist to protect individuals by putting the onus on organisations to ensure that personal information is:
o Processed lawfully and fairly.
o Used only for the purpose that the individual is advised it will be used.
o Kept for no longer than necessary.
o Stored and processed securely.
- The right to be informed – this encompasses your obligation to provide fair processing information, typically through a privacy notice and emphasises the need for transparency over how you use personal data.’ (ICO, 2017).
RoboVet will provide the facility for the practice to record, and report on, compliance with their own process regarding data protection. This could include stating when, how and who shared the privacy notice with a client/client contact, and if that client/client contact has given consent. It is up to the practice to decide if and how this facility is used and this may depend on the lawful basis that the practice has chosen for processing personal information. The ICO website should be consulted for guidance on the different legal bases.
Rapport customers will be able to upload their privacy notice to their Rapport account. When a new client registers through the practice’s online portal they will be shown the practice privacy notice, if one exists. The client must then agree to this before they can complete their registration. The privacy notice will also be shown to existing clients when they log into their pet portal for the first time after the privacy notice has been uploaded, and subsequently each time it is updated by the practice. This will be fed back into RoboVet, so that the client record shows that they acknowledged the practice privacy notice online.
New clients will be automatically opted out of receiving automated communications (e.g. reminders and marketing) and positive action must be taken to manually opt them in. In addition, communication preferences are now front and centre on the ‘change details’ screen. The purpose of these changes is to encourage practice staff to discuss communication preferences with clients/client contacts, so that clients are empowered to choose how their personal information will be used by the practice to communicate with them.
- The right to restrict processing – individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it (ICO, 2017).
A new ‘revoke consent’ function is being introduced in RoboVet. This gives authorised users the ability to easily pause communications with the client/client contact with the click of a button. In addition, if a ‘revoked’ client is a Rapport Pet Portal user, access to their Pet Portal will be suspended and no communications will be sent from Rapport. This can then be easily reversed in RoboVet if the client advises that they are now happy for processing to recommence. It is up to the practice to decide if they choose to accept an individual’s request to block or suppress processing of their personal data, in line with GDPR.
- The right to rectification – GDPR gives individuals the right to have personal data rectified. Personal data can be rectified if it is inaccurate or incomplete (ICO, 2017).
Practice staff can help ensure that an individual does not have to request rectification by following a best practice process to ensure that personal information is regularly checked for accuracy. Each time a client comes into the practice, this represents an opportunity for staff to check that their address, email, telephone number and communication preferences are all still correct. Accurate personal information is also of huge benefit to the practice as it reduces the risk of wasting resources on undeliverable correspondence.
RoboVet will help facilitate this via the addition of a new prompt that encourages users to periodically check with clients that their personal data is accurate and that their communication preferences are as they wish. The ability to record when personal information was last checked, and report on this, will allow practices to easily see how up to date their client/client contact personal information is. Finally, the addition of the ability to email an individual client from the ‘work with’ will make it easier to contact a client regarding something like a personal information accuracy check.
- The right to erasure – also known as ‘the right to be forgotten’, the broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing (ICO, 2017).
Practices can adopt a preventative approach to ‘the right to erasure’ by ensuring that personal information is not stored for any longer than necessary. For example, if a client registered with the practice several years ago but never attended, it might be difficult to justify keeping their personal information on record in RoboVet and anywhere else in the practice.
Authorised users will be able to anonymise one or more clients in RoboVet using the new ‘Anonymise’ function, which allows practices to quickly and easily remove personal information that should no longer be stored in RoboVet. This is designed to help practices proactively remove personal information relating to clients who have not been in the practice for several years and it can also be used to react to a specific request from a particular individual, should the practice wish to comply with the request. The animal record is not affected by the anonymising process and it does not alter the practice’s financial records. The result of using the anonymising function is permanent and the client’s personal information can never be retrieved. Rapport Pet Portal users that are anonymised in RoboVet will lose access to their Pet Portal.
- Data protection by design and default – Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities (ICO, 2017).
It is critical that practices consider and implement a whole range of procedural and physical measures to protect and respect personal information and mitigate risk of a data breach. This could include, but is not exclusive to, training staff in the practice’s data protection processes, implementing a clear desk policy to ensure paperwork containing personal information is kept private, and ensuring the practice server is in a secure place. Considering these examples, a ‘data protection impact assessment (DPIA)’ can help the practice to identify where it could be vulnerable to a data breach and highlight areas where particular measures are required to mitigate this risk.
As well as the enhancements to our products, we will also be making changes to our terms and conditions that practices have in place with us, of which customers will be notified in due course.
Share this story
To keep up to date with all the latest news from Vetsolutions you can add our RSS feed or sign up to recieve e-newsSign up today>