GDPR- General Data Protection Regulation - May 2018 - Michael Coe

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

Martin Atkinson — Wed, 29 Nov 2017 09:19:00 GMT

[quote user="David Mills"]The irony of a locum asking this is, apparently, lost.[/quote]The significance of your comment is certainly lost on me.

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

Michael Coe — Tue, 28 Nov 2017 18:54:28 GMT

No, I do not use scare tactics for my course sign ups. I have spent so many years working in the Veterinary Profession at a number of levels. I am passionate about my work and professional career as a Manager and a now qualified "Paralegal".

I understand people are somewhat cheesed off with all this new legislation coming in and it's red tape. I believe that you and others should be prepared and ready as these are very serious changes to legislation for a number of years.

I would love for people to attend my course; of course I would. I am recognised as a specialist provider of services for the industry. I was at the London Vet show as an exhibitor this year, meeting you all and listening to everyones concerns about practice Management.

In every industry there are always going to be those who do not want to be compliant without a "good push". So the question is: How do those in smaller practices ensure compliance in all areas of the new GDPR?

As a conversation on here there is only so much that can be covered. This is a complex change in how we all will mange our data in future. I am offering a small friendly workshop with the underpinning of Employment law for up to 6 people only. I want to educate not just take the money. I know this is unusual but this is how I like to operate my training sessions and my clients will agree here. Sorry no scare tactics here, just good old fashioned discussion going on.

The change in law is coming in May 2018 so its time to be prepared and know your legal duties.

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

David Mills — Tue, 28 Nov 2017 18:51:56 GMT

[quote user="mariette asselbergs"]

Sorry to be suspicious Micael Coe, but do uou have a commercial interest in scaring us in signing up to your course?

Marietter

[/quote]

The irony of a locum asking this is, apparently, lost.

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

Martin Atkinson — Tue, 28 Nov 2017 18:26:32 GMT

[quote user="mariette asselbergs"]

Sorry to be suspicious Micael Coe, but do uou have a commercial interest in scaring us in signing up to your course?

Marietter

[/quote]Ooh you cynic Mariette. You would never catch me accusing anyone of being a purveyor of processed pork products!

Maybe its the ostrich in my genes but storms and teacups come to mind. There are basically only two actions we would take that come close to being relevant under this new legislation: transfer of patient's records to other vets and reminders.

The patients records do not belong to the client they belong to us, albeit the owners are entitled to a copy, and provided they only hold information on the patient, as animals don't have rights under this legislation it is not relevant. If there are personal comments about owners in your notes potentially visible to third parties then you're a fool to start with. Under any circumstances all we'd need to do is check with the owner they are happy to have the records transferred when requested.

Reminders are just that, they are not marketing material I never have and never will share the data relevant to those with a third party.

All financial data is already secure and not shared under present legislation.

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

J G Wray — Tue, 28 Nov 2017 18:05:43 GMT

[quote user="mariette asselbergs"]Sorry to be suspicious Micael Coe, but do uou have a commercial interest in scaring us in signing up to your course?[/quote]

This is a re run of other Regulatory changes some of us have experienced, e.g. in relation to H&S.

I see the current situation as the "Cassandra" phase - look it up and you'll see what I mean.

This doesn't mean it can or should be avoided, but there's mischief here in the tensions between different Regulators, the need to make provision for liability and the limitations and inertia in PMS providers and that's scope enough for some to make hay.

How many here have a PMS with a means of deleting financial records relating to a client account over 6 years old?

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

mariette asselbergs — Tue, 28 Nov 2017 14:51:29 GMT

Sorry to be suspicious Micael Coe, but do uou have a commercial interest in scaring us in signing up to your course?

Marietter

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

Michael Coe — Tue, 28 Nov 2017 12:47:55 GMT

I agree some are Ostriches and are devoid of practice responsibilities at this time! But do not be under an illusion of false security here. The reason for GDPR is to secure our private Data and tackle Cyber crime world wide. For the Ostriches out there get ready to face hefty fines and prosecutions, for not complying with GDPR. The new regulation makes everyone Ostriches and individuals at this time Void of Practice responsibilities; now responsible personally. So it is a chain of events, an individual employee breaches "Individual" data, they have breached GDPR for some reason, they can be held to account, then data processors are held "legally" liable and then the main "Controller" is held legally responsible for the breach. One new part of the act is that GDPR training is held for all employees and individuals at all levels. Do not wait until May 2018 as it will be too late! This is why I am holding a course in London on December 7th 2017 under CPD here on this site. Be ready not fined, in some instances businesses may not be able to hold data as a legal right due to disregard of regulation under the Act.

In fact most Professional bodies are behind on GDPR and how it will effect their members. They may be hesitant to give out guidance or rules as they do not want to be held "legally" responsible for not upholding this new regulation. [A lot like Health and Safety Law, it is up to "individuals and employers to be compliant]. It will come down to whether you are GDPR compliant by the regulator, on individual businesses being compliant. i.e. having trained and compliant employees or non compliant employees breaking the law.

There are a number of changes that are new under GDPR and must be responded to within specific time frames. This is not a nice to have or to be ignored and then implemented half heartedly. it is a serious change in law. Be ready.

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

J G Wray — Tue, 28 Nov 2017 12:29:08 GMT

[quote user="Michael Coe"]Any information that can "identify" an "Individual" is classed as Data Protection under the new GDPR Regulations. So if private information leaks then the is classed as a breach. There are new rules for reporting Data Protection breaches at all levels[/quote]

Interesting conversation with the Veterinary Defence Society yesterday. This was in tandem with the change in wording of the Code to Professional conduct dated October 2017.

Both hold that notes can make reference to the owners without compromising them as being clinical notes for the animal, who cannot own data and therefore is not covered by GDPR.

You will see veterinary surgeons behaviours defaulting to the comments from these two organisations

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

Michael Coe — Tue, 28 Nov 2017 12:20:40 GMT

Any information that can "identify" an "Individual" is classed as Data Protection under the new GDPR Regulations. So if private information leaks then the is classed as a breach. There are new rules for reporting Data Protection breaches at all levels.

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

Michael Coe — Tue, 28 Nov 2017 12:17:02 GMT

The GDPR Regulation has a number of "individual" rights attached to "Consent" and defining actual "consent". Third party suppliers also have to be aware of outsourced data consent and so should you as a practice. Most issues will come from computer tech suppliers who are not GDPR Ready.

This does not release you from being prosecuted or fined under the new GDPR Regulations or for potential data breach.

"Consent" is a complex issue not just a quick "Fix" by including a clause in business terms and conditions. Hence due to all the complexities, this is why I have a course in London on 7th December 2017.

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

J G Wray — Thu, 23 Nov 2017 12:13:05 GMT

It would be helpful if RCVS could clarify their position and even better if they could show how their own record keeping in respect of correspondence, enquiries, complaints, disciplinaries and mediation dovetails with those who they Regulate.

The argument that there is chalk and cheese here won't wash - it's about consistency and lack of hypocrisy

I feel for those practices that are in the PSS over this. RCVS will, probably, require all PSS practices to be compliant as part of their obligations under PSS. Now, obviously, all practices need to be compliant, but for those outside PSS and with Data Controllers in the practice that don't have MRCVS after their name there is no authority and possible sanction coming from RCVS in this respect.

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

J G Wray — Thu, 23 Nov 2017 12:06:53 GMT

[quote user="Edward Jones"]Unfortunately our PMS has a tick box labelled 'Exclude form marketing' so we don't currently have this. PMS providers are likely to have to make provision that opt-in consent can be documented.[/quote]

This smells like Robovet. There is, I am given to understand, a Project team at VetSolutions tasked to do something. I have asked for details and have had no reply, as yet, not even acknowledging my request.

The de facto definition of an active client in management and PMS terms is a client with an associated transaction in the previous 12 months and this is used for reporting and benchmarking

However, the RCVS' definition of an active client is unclear and may just be a Registered client, without a lot of other qualification. The problem here is that client who can create an obligation for a veterinary surgeon at any point in their animal's lifetime (think parrot) may have records going back decades. How do we justify, to ICO, hanging on to old information in accordance with our obligations from RCVS?

It would be helpful if RCVS could clarify their position and even better if they could show how their own record keeping in respect of correspondence, enquiries, complaints, disciplinaries and

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

Edward Jones — Thu, 23 Nov 2017 11:54:02 GMT

It's not clear to me if an animal's clinical record is subject to the GDPR - I would presume not. However, as JGW has previously mentioned, many vets are incredibly lax about letting clients' private information leak into the clinical records (e.g. 'owner away on holiday', 'treatment declined on financial grounds').

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

Bob Russell — Thu, 23 Nov 2017 11:09:33 GMT

I was warned that the new data protection rules and RCVS requirements for transferring a history may well be incompatible therefore new guidance might have to come from the college.

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

Edward Jones — Thu, 23 Nov 2017 10:34:35 GMT

[quote user="J G Wray"]

[quote user="Edward Jones"]With regards consent, will it be sufficient to put the appropriate wording in the terms and conditions of business?[/quote]

Possibly, in part. There's stuff open to interpretation and definition of what constitutes an active client, i.e. someone appropriate to receive the message

[/quote]

Hmmm. From https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

[quote]Unbundled: consent requests must be separate from other terms and conditions. [/quote]

Consent must also be opt-in and be documented. Unfortunately our PMS has a tick box labelled 'Exclude form marketing' so we don't currently have this. PMS providers are likely to have to make provision that opt-in consent can be documented.

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

J G Wray — Thu, 23 Nov 2017 10:01:58 GMT

[quote user="Edward Jones"]With regards consent, will it be sufficient to put the appropriate wording in the terms and conditions of business?[/quote]

Possibly, in part. There's stuff open to interpretation and definition of what constitutes an active client, i.e. someone appropriate to receive the message

[quote user="Edward Jones"]Then a quick email/mail shot to all existing clients informing that agreement to the terms and conditions is necessary for a continued client-professional relationship, and job done.[/quote]

Ho, ho ho, it is Xmas after all. Some clients don't have email addresses. Some CRM data is either inaccurate or out of date etc etc. This is not a first rodeo....

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

Edward Jones — Thu, 23 Nov 2017 09:44:06 GMT

With regards consent, will it be sufficient to put the appropriate wording in the terms and conditions of business? Then a quick email/mail shot to all existing clients informing that agreement to the terms and conditions is necessary for a continued client-professional relationship, and job done.

RE: GDPR- General Data Protection Regulation - May 2018 - Michael Coe

J G Wray — Wed, 22 Nov 2017 16:20:27 GMT

[quote user="Michael Coe"]It's been interesting to read all the comments on here regarding the new GDPR regulation coming into force on May 25th 2018. The new regulation does raise some interesting thoughts and questions for everyone who has to deal with handling data.[/quote]

Perhaps not with all here on this forum. Vets have ostrich in their genes, or at least, some do.

Beyond the requirement in law, I am also interested in how two sets of people we interact with are going to behave.

The first is our Regulator. There are number of questions there, not least how they handle data themselves given a much touted remit to protect the public and also what they expect of us and how they would support a claim for retention of data for a prolonged period.

The second is our Practice Management Systems suppliers. These people are venal and wont to supply solutions devised by techies.

None of this will bother the ostriches, or those devoid of practice responsibilities.