RE: Help with GDPR Staff contracts

Peter Faulkner — Wed, 23 May 2018 18:07:06 GMT

Thanks Martin, that's great.

Its amazing how much is involved in all this.

RE: Help with GDPR Staff contracts

Martin Atkinson — Wed, 23 May 2018 12:15:22 GMT

I don't know if it was me but my contracts already had a confidentiality clause:

c) In no way divulge or make public any confidential records, accounts, information, transactions or details of the employer relating to the business except to a person having the legal authority to require such disclosure. This would normally mean a subpoena from a court of law.

Here is a copy of the record of GDPR training they undertook, which they have signed and is kept as an annex to the contracts, I hope this will suffice but would be interested if anyone has anything they think is better:

Record of confidentiality and data protection training

Current staff members underwent confidentiality and data protection training on (date) and were made aware of the following:

The PMS is password protected with their personal password which should be updated regularly and workstations should be logged off between sessions of use and when left unattended in public areas.

A data audit was carried out to identify what information the practice collects, where it is held and the legal basis for holding that information.

Paper files which include credit card receipts, client registration and consent forms are to be stored securely and not left in places with public access such as the reception desk and are subject to an agreed retention period.

What constitutes personal information under GDPR or anything that could be used to identify an individual, but we do not request or store sensitive or special category personal information.

During telephone calls staff must ensure that they cannot be overheard by members of the public if they are using information which could identify the caller.

The data information controller should be identified if a breach of data security is identified.

Personal information should be accurate and up to date. This is achieved by asking clients if their details have changed and/or by requesting them to complete an information update sheet on a regular basis.

Clients must be asked if they wish to continue to receive information which uses their personal data such as appointment reminders, given the choice to opt in and their preference recorded in the client file with the date.

A data protection policy has been formulated and instructed in accordance with this training.

Sensitive information should not be included in emails.

Staff should not use personal devices such as mobile phones, laptops or tablets to access the PMS without using two-factor authentication and these and removable data storage such as USB sticks should encrypted to prevent access to data if lost or stolen.

Staff have been trained on how to recognise, report and handle a subject access request or a request to see information held on an individual.

We the undersigned confirm that we have received relevant confidentiality and data protection training as recorded and on the date indicated above: