GDPR

RE: GDPR

Martin Atkinson — Thu, 19 Apr 2018 13:55:58 GMT

[quote user="Andrew Mellor"]

and have you got contracts with insurance companies, lab,crematoria etc etc that they will not sell/use client data etc

[/quote]I'm sure they are working on it - I can't make them. Anyway of the examples you have given, the client has entered into a contract with the insurance company to share their date and in doing so have implied consent and it is justified by legitimate interest (other practices the same); I don't give client data to labs or crematoria other than the pet's name and ID number. Off the top of my head I can't think of anyone else I would need to share any data with. Come May 25th if there is any 3rd party that hasn't entered data protection into their contracts they will not get any without the client's consent or the information will be pseudonymified.

RE: GDPR

Andrew Mellor — Thu, 19 Apr 2018 13:45:27 GMT

and have you got contracts with insurance companies, lab,crematoria etc etc that they will not sell/use client data etc

RE: GDPR

Martin Atkinson — Wed, 18 Apr 2018 17:20:59 GMT

Well, I've registered with the ICO; done a data audit and identified how we store data; I've formulated our data protection policy; justified our data retention policy; there are notices in reception and on our website explaining how we collect and store/use data; the staff have had their confidentiality training and this has been recorded; they've updated their PMS passwords; they know how to handle a subject access request; they have signed a confidentiality clause in their contracts; reminders now have an opt out option when they are sent; all new clients now complete a registration form which tells them how we use their data and gives them a chance to opt out.

I think I'm about ready for May 25th.

RE: GDPR

Chris Geddes — Wed, 18 Apr 2018 11:06:43 GMT

The ICO have recently published a guide for microbusinesses....

https://ico.org.uk/media/for-organisations/documents/2258293/eight-practical-steps-for-micro-business-owners.pdf

RE: GDPR

David Mills — Mon, 16 Apr 2018 21:54:48 GMT

A lot of fear about this, and from I can see its all ifs and buts and cpd companies/individuals are going to have a good few months packaging up what is available for free.

The law before case law is theoretical and open to interpretation, and that makes paying for advice at this point potentially costly, stupid and worthless. I suspect it has been brought about to reduce spam marketing, selling on of personal details to big data companies and the misuse of data by, amongst others, social media and email corporations.

The veterinary industry is very small fry, and unless you're flogging your clients details (or keeping lists of animal abusers for instance), most issues can be sorted by a quick word or slap on the wrist from the ICO.

RE: GDPR

Martin Atkinson — Sat, 14 Apr 2018 17:53:54 GMT

[quote user="Edward Jones"]

On another list I'm on there's a bit of fuss about getting 3rd party suppliers to sign contracts concerning what they do with any personal data we pass on to them. I suppose this might include laboratories, any company used to help manage reminders, and perhaps any drug company to whom we send a adverse reaction report to?! Any comments on this?

[/quote]One would hope they're on the ball and will contact us but if they don't then perhaps we should write to them asking what their position is and seek reassurance that they are handling our data in a secure way. Unless we do we may still be responsible for data leaks even if its their foul up.

RE: GDPR

Rob Loxley — Sat, 14 Apr 2018 13:24:48 GMT

[quote user="Edward Jones"]getting 3rd party suppliers to sign contracts concerning ... Any comments on this?[/quote]

We have a signed agreement between us and a 3rd party marketing company regarding what they do with client data we supply. But yes, it does make you think how much personal data we store, process and pass on, when you try to start documenting it...

RE: GDPR

Edward Jones — Sat, 14 Apr 2018 13:12:34 GMT

RE: GDPR

Martin Atkinson — Fri, 13 Apr 2018 18:39:18 GMT

[quote user="Bob Russell"]

Try to avoid 'consent' and go for 'legitimate interest' instead. By registering there should be a legitimate interest justification created. Should be no problem asking for any other relevant contacts.

Consent needs to be specific to a task whereas legitimate interest covers most of the needs of day to day client interaction.

A consent form for surgery gives very specific consent for that procedure. Legitimate interest covers the day to day marketing, reminders etc. Just make sure there is a mechanism in place for a client to opt of these.

I am no expert nor am I willing to spend thousands on a consultant. If common sense does not work then they will need to prosecute me!! Consultants are playing the fear card not of ICO intervention but a client suing the practice. Why would they do that if you are taking all sensible steps?

[/quote]Pretty much what I would have replied. So long as you can show a legitimate interest that the data you keep is for the the welfare of the pet and that it is secure then you can justify keeping it. Existing clients have shown a previous intention to purchase so you can continue to send them reminders etc but you should give them the opportunity to opt out. New clients need to be given the opportunity to opt out when they register. You should also put notices in the waiting room and on your website telling all clients how you collect, store and use data.

I attended a seminar on GDPR at Snowscene by Andrew Rastall and if you go to his website at connectedvetacademy.co.uk you can do a useful course for free which virtually replicates that (you can also pay him to do it all for you if you want). Also download the GDPR checklist for veterinary practices from the BVA website and it all seems a lot less onerous.

Basically you just have to justify the data you keep, prove you store it securely, that you've done a data audit and the staff have all been made aware of how to collect/record/use data and can respond to a request to delete it appropriately (a subject access request), document all this and you're most of the way there.

If you're a big practice with little time to work on this then it may be worth paying someone to do it for you. If you're a small practice and a few hours to spare before May 25th I'm pretty sure you can do it all yourself.

RE: GDPR

Chris Geddes — Fri, 13 Apr 2018 12:56:58 GMT

I would highly recommend a recent webinar hosted by thewebinarvet.com. If you're a member, you'd be mad not to watch it. If you're not, I think it's about £30. 2 1/2 hours long, very relevant to practices, highly recommended! (I have no interest in the company!).

Otherwise, there is lots of free info online but takes a while to plough through it all and you have to apply principles to vet practice. As usual, check the source as there is some rubbish out there.

Chris

RE: GDPR

Andrew Mellor — Fri, 13 Apr 2018 12:29:51 GMT

what a great response thank you for that AND I THINK YOU ARE ABSOLUTELY CORRECT ABOUT THE CONSULTANTS PLAYING THE FEAR CARD.

RE: GDPR

Bob Russell — Fri, 13 Apr 2018 12:18:26 GMT

Consent needs to be specific to a task whereas legitimate interest covers most of the needs of day to day client interaction.