I suspect you can’t have missed the massive surge of emails recently from companies asking to keep your data on file – possibly even from organisations you’d forgotten held anything about you! This is all part of the new Data Protection law that came into force today, the “General Data Protection Regulation”. While this is European legislation, the government has confirmed that it will apply and continue to apply in the UK whatever happens over Brexit. In this blog, I’m going to talk about how it may affect you, as a client of a veterinary practice.
What does the new law do?
Essentially, it imposes much stricter laws on how organisations gather, store, process and use personal data. The definition of personal data is also widened from older legislation, and now encompasses any information that could be used to identify a living person – so not just name, address, phone number etc, but also potentially the IP address of your computer, and any comments you have made that could be linked to you. It also gives you a much wider range of rights over your data – for more detail, see below.
What information does my practice hold on me, and why?
Well, it does of course depend on the practice! However, in general, most practices will hold some or all of the following information that might be considered personal data on you:
- Your name, address and contact details
- Records about billing and payment
- Any correspondence you’ve had with the practice
- Records of conversations you’ve had with staff
- Information about how you visit and use their website
Is that legal?
Your practice has had two years to prepare and adjust their approach to these matters, so they will have undertaken what’s called a “Data Audit”, and will have identified all the personal data they hold, and what their legal basis is.
Under the GDPR there are six possible legal bases for processing personal data. The ones that might apply to your vet’s relationship with you might include:
- Consent – you must have freely given specific and unambiguous permission for your data to be used for a particular purpose. This might include, for example, asking if you want to sign up for an optional reminder service.
- Contract – the data is being processed for the performance of a contract. This, for example, might be used to cover the practice’s processing of your address and payment details, for billing purposes.
- Legal obligation – the practice is required by law to process the data. It could easily be argued that this would cover keeping clinical records, for example.
- Vital interests – processing the data is necessary to protect someone’s life. This wouldn’t usually apply to veterinary practice, but might be relevant if, for example, you suffered from a severe allergy, such as to penicillin, and they kept records to make sure they didn’t prescribe penicillin-based antibiotics to your pets.
- Public task – the processing is necessary to perform a task in the public interest. Again, it doesn’t seem that relevant, but would probably cover some legal functions your vet carries out, e.g. Pet Passports or export certificates.
- Legitimate interests – the data is processed to perform a task in the practice’s legitimate interests in a way that does not unreasonably impact your rights. This is the basis that is most appropriate for most communications – for example, contacting you about your animal, or sending you email newsletters.
What about clinical records for my animals?
In general, these do not count as Personal Data. However, they may if they contain details unique to you – for example, your contact details, or records of unique conversations with you.
What are my rights?
You get significantly enhanced rights over your data:
- The right to be informed as to what data the practice hold on you
- The right of access to your data
- The right to amend your data if it is incorrect
- The right to erasure of your data if it is held under consent (you may not be able to enforce this right if it is held under certain other legal bases)
- The right to restrict processing (in most cases, but there are some exceptions)
- The right to data portability, in other words, to transfer your information to another practice, although actually you’ve had that for many years!
- The right to object to any processing you disagree with
- Rights in relation to automated decision making and profiling, although this is unlikely to apply to most veterinary practices.
Who enforces this?
The Information Commissioner’s Office, or ICO, is the regulator in the UK.
Where can I find out more?