Privacy Regulation and Audiology (III)

Inhis latest article on GDPR, Geoff Cooling looks at the rights of the person under the new rule.

Legal basis for data retention and contact

There may be an argument that there is a legal basisfor contact if we have sold a person a hearing aid.Service calls or periodic hearing tests may well beseen as necessary contact on a contractual basis. Doyou have the cash for a barrister to fight that argumentin court? The simplest way to remain legal when itcomes to consent to contact and indeed to retain datais simply to get clear consent for all of the reasons weprocess data or contact a patient. Then there is noquestion about legality and you have covered yourself.

The nightmare letter

I read an excellent article on LinkedIn by ConstantineKarbaliotis who is a privacy expert and a Director atPWC Canada. He adapted a request letter that he hadwritten several years ago to reflect the requirements ofthe GDPR. He called it the Nightmare Letter and it sent chills down my spine.

The letter lays out implicitly the rights that any personhas under the GDPR to request information from anycompany that has their data. I think it is imperative thatwe understand this clearly so in this final article I amgoing to lay out the rights that any person who dealswith your company has. Remember, it does not matterif you are a multi-billion company or a sole trader, theGDPR covers you.

Article 15 and right to access

Under Article 15 of the General Data ProtectionRegulation, any customer of your business has rightsto access the personal data that you hold about them.Under article 12 of the GDPR, you have one month toreply to them or they can forward a letter of complaint tothe local data protection authority. But what informationcan they request from you? Exactly what can theyask of you? That is where the letter formulated byConstantine Karbaliotis is hugely enlightening.

What data?

Any customer can request an outline of exactly whatpersonal data is held in any files or databases that youown or use. The request for information will include anyand all data that you might hold on your informationsystems, whether or not contained in databases,including e-mail, documents on your networks, or voiceor other media that you may store.

Where it is stored

They may also request to be advised where andin which countries their personal data is stored, oraccessible from. If you use cloud services to store orprocess their data, they can ask about the whereaboutsof their data and where it has been stored during the previous 12 months. They can also ask for a full copyof or access to any of their personal data you hold andbe furnished with a clear explanation of how long youhold their data and why you do so.

Specific uses and third parties

They can ask you to provide a detailed account of thespecific uses that you use their data for. They can alsoask for a list of the third parties with whom you haveshared their personal data. They also have the right toknow where those third parties have stored their dataand the legal basis for the transference of their data tothose third parties.

Profiling and automated decisions

They have the right to receive information about anyautomated decisions made about them and anyprofiling of them you undertake. For instance, if youhave profiled them as a “consultation no sale” and aresending a letter to them, they have the right to ask youon the logic of that decision and on what basis you aredoing so.

Privacy breach

They of course have the right to know if any of theirpersonal data has been disclosed inadvertently by you,any third parties or as a result of a security or privacybreach. In this case, you will need to offer a generaldescription of what occurred, the date and time of thebreach, the date and time the breach was discovered,the source of the breach, the details of their personaldata that was disclosed, your assessment of the risk ofharm to them because of the breach, a description ofthe measures you have taken or will take in the futureto prevent further unauthorised access to their data.

Your security

Even if you are unsure if their data has ever beenexposed, they have the right to ask you what steps youhave taken to minimise the risks that it may be. Theycan ask questions about your information policiesand the standards that you adhere to in relation tothe safeguarding of personal data you hold. They canalso ask about the training you have undertaken inthis sphere or the training and policies that you havedelivered to your staff.

Backups and security tech

They can ask if you have backed up their personaldata, and if so, where it is stored and how it is secured,including what steps you have taken to protect thatdata from loss or theft, and whether this data backupincludes any encryption. They have the right to knowwhether you have put any technology in place tosecure their data and if you have any technology which allows you with reasonable certainty to know whetheror not any personal data has been disclosed.

They have the right to know whether you have in placeintrusion detection systems, any firewall technologies,what access and identity management technologiesyou use, whether you use database audit or securitytools, or other technologies to track access.

Wide ranging right to answers

As you can see from the preceding paragraphs,people have rights to a wide range of information fromyou. When I first read the nightmare letter I have tosay I was shocked by the amount of information wewould need to collate to answer a request for all of theinformation that the GDPR allows.

I mean the nature of the information is not necessarilybusiness sensitive, however, information such aswhere your third party partners store their data is notsomething that up to now we have really considered.I know I haven’t. In fairness, I think we have all beenblasé with personal data. I think I would be pretty techaware and security conscious.

I secure and encrypt any digital device I use, however,I have never thought about database auditing toolsor even checked access logs. The GDPR tightens upprivacy regulation across the EU and beyond. The keyhere is that even if a business is not within the EU, ifit is dealing with EU data, it needs to be completelycompliant with the GDPR.

Software GDPR compliant, are you?

Even if you are using a GDPR compliant softwaresystem to handle patient data, that doesn’t mean thatyou are GDPR compliant. It means that your databasesystem is technically compliant, you will still have toinstitute processes and procedures to ensure thatthe way you use the software and how you shareinformation within your organisation and with thirdparties is compliant. The onus here is on you, notsomeone else.

Get ready for a request

I think it is incumbent upon us all to ready ourselvesfor a request. Much of the details that have been raisedhere can in fact be set out in a generalised document.The questions that may be asked of us are relativelygeneralised and it is better to be prepared to answerthem, rather than receiving a request and panicking.

Remember, each instance that you may use their datafor needs to be clearly and implicitly explained in easyto-understand language. We also need to allow them toopt in for some instances and opt out for others. Wethen need to ensure that we record the permissionsand ensure that they are honoured. In this way, we cango a great deal of the way to protect ourselves.

Read the first and second installments of this series of 3 articles.