Are you ready for the new data protection rules?

The new Data Protection rules come into force on 25th May 2018. The Information Commissioner's Office is helping people to prepare with webinars and courses. You can watch the webinar for Health Sector small businesses here: (scroll down the page for the webinar)

There are also free workshops as follows:

11 October 2017: Congress Centre, 28 Great Russell Street, London

7 November 2017: Crowne Plaza Hotel, Central Square, Birmingham

9 November 2017: Principal Hotel, Oxford Road, Manchester

Here is a Mint Practice Summary of the rules as applied to Osteopaths:

There is a lot of crossover between the Data Protection Act and the new rules, but there are a few key areas that Osteopaths should be aware of:

General Data Protection Rules (2018)

Personal Data should be:

  (a) processed lawfully, fairly and in a transparent manner
  (b) collected for specified, explicit and legitimate purposes
  (c) adequate, relevant and limited to what is necessary
  (d) accurate and where necessary kept up to date
  (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed
  (f) processed in a manner that ensures appropriate security of personal data

Accountability is central to the GDPR. Data controllers are responsible for compliance with the principles and must be able to demonstrate this to patients and the regulator. In osteopathic practice the data controller will be the person with key responsibility – the principal or individual osteopaths. All practices are recording and storing personal data and therefore need to be registered with the Information Commissioner's Office.

Demonstrate Compliance

One of the key requirements of the new rules is that you need to demonstrate compliance. In osteopathy this would require documenting your processing activities – you should be able to justify the data you collect, what it is used for, and how you store and process that data.

Adequate and Relevant Data

You need to consider your case history and make sure that all the data you collect is necessary – it should be adequate and relevant to helping you make informed clinical decisions. Consider whether any of the data is unnecessary and could not be justified.

Storage Procedures

Every clinic should have storage procedures for processing data, whether in electronic or paper format. They should state how you store the data, who has access to it, the security controls in place, and when and how you dispose of the data.

Consent

You must have permission for the way you use your patients' data. They need to opt in to receiving direct marketing. (Previously it was an opt-out culture.)

Up to Date

Under rule (d) you must keep data up to date. You should periodically check that addresses and medical information are kept up to date. It is your responsibility to keep records accurate.

Patient Rights

Patients have rights under the GDPR to:

  • subject access (see the data you hold about them)
  • have inaccuracies corrected
  • have information erased
  • prevent direct marketing
  • prevent automated decision-making and profiling
  • data portability

Subject Access Requests

A subject access request in this context is a patient requesting a copy of their records. Patients have a right to see the information kept about them. Under the GDPR the rules are:

  • You must respond to requests within 1 month
  • Requests must be made in writing
  • You should have proof of identification to ensure the request is genuine
  • You are no longer allowed to charge for releasing information
  • Make a record of when and how you have responded to the request

The changes of note here are that you will no longer be able to charge for providing copies of notes and that you must respond to requests within 1 month (the current stipulation is 40 days).

This should give you an idea of the changes that you need to make in your practice to prepare for the new rules. Mint will have a new module available for purchase from the website from next month. There will be more information on the GDPR and a template for your data procedures. We are working on a completely revised edition of the Mint Folder ready for the new Osteopathic Practice Standards in 2018.
