GDPR communications

RE: GDPR communications

Rob Loxley — Thu, 17 May 2018 15:04:36 GMT

[quote user="Martin Atkinson"][quote user="robloxley"]If it contained confidential details (e.g. bank account details) you could consider, say, sending it as a password-protected PDF and separately communicate the password to the intended recipient.[/quote]I cannot think of any occasion that I would want to send such sensitive information.[/quote]

Pay-monthly 'pet health club' where using an external company to set up and administer the direct debit?

RE: GDPR communications

Martin Atkinson — Thu, 17 May 2018 09:37:51 GMT

[quote user="robloxley"]I think the question was more about security of data once we send it out,[/quote]It is a good point. Given we are supposed to have a contract with companies who process our data which states how they will deal with it securely should we have a similar arrangement with any practice that may request case histories etc? - that clearly is impractical. I seem to recall in my GDPR CPD that so long as you determine that the request is genuine,and thus in the client's legitimate interest, then it is OK to send the information.

[quote user="robloxley"]Given we're happy to post such data as you suggest, I'm happy to just email it.[/quote]There is a another level of responsibility with email rather than post, not just GDPR but the PECR regulations related to security of electronic communications.

[quote user="robloxley"]If it contained confidential details (e.g. bank account details) you could consider, say, sending it as a password-protected PDF and separately communicate the password to the intended recipient.[/quote]I cannot think of any occasion that I would want to send such sensitive information. If you have any doubt then simply contact the client and ask them if they want you to respond to the request.

RE: GDPR communications

Rob Loxley — Wed, 16 May 2018 19:38:42 GMT

[quote user="Martin Atkinson"]This is really all taken care of as mentioned in other threads by legitimate interest[/quote]

I think the question was more about security of data once we send it out, not whether or not we are able to send the data? Given we're happy to post such data as you suggest, I'm happy to just email it. If it contained confidential details (e.g. bank account details) you could consider, say, sending it as a password-protected PDF and separately communicate the password to the intended recipient.

RE: GDPR communications

Martin Atkinson — Wed, 16 May 2018 15:31:53 GMT

This is really all taken care of as mentioned in other threads by legitimate interest. The client has given de facto permission by requesting a referral/gone to another practice. If you're worried and your PMS won't allow you to do it, convert the clinical history to a Word file of similar and pseudonimify it by removing client details and then attach to your email.

As for direct emails to clients if you are just communicating with them rather than sending marketing material then again I don't see an issue, they have effectively given you permission with a 'previous intention to purchase' and again legitimate interest, just give the option to opt out of further emails. Or send the communication by post.

RE: GDPR communications

Bob Russell — Wed, 16 May 2018 13:36:46 GMT

Why are you worrying?

As long as you are using a fairly reputable email service then the security should be fair. Probably better not to keep messages on their servers any longer than necessary. Ours are deleted automatically after 30 days.

Histories are imported to the patient records then deleted from the email server.