When patients give you their personal information, they expect you to keep it securely and use it appropriately. The Information Commissioner’s Office (ICO) is the body that ensures compliance with the Data Protection Act in the UK.
Trust in the osteopathic profession is important, and part of maintaining it requires osteopaths to comply with their legal duties to keep patient information safe and secure, which in turn keeps patients safe.
There is data protection legislation in place to ensure the security of personal data and it sets requirements about how to collect and process data lawfully.
Osteopaths must comply with these requirements and must also normally register and pay an annual fee to the Information Commissioner’s Office (ICO).
About the ICO
The ICO is the UK regulator for data protection and information rights. The ICO website contains lots of information to support osteopaths to comply with data protection legislation.
The ICO website has a hub especially for small organisations and businesses, with a range of resources that can support osteopaths to comply with data protection legislation, including self-assessment quizzes to gauge your level of compliance and resources to support compliance. Non-compliance can mean patients are not kept safe and can result in fines from the ICO, so it is important to familiarise yourself with the requirements and the support available on the ICO website.
Why does data protection matter?
The ICO explains that ‘Data protection law sets out what should be done to make sure everyone’s data is used properly and fairly.
You probably have personal data about your customers and clients such as names, addresses, contact details. You might even have sensitive information such as medical data.
You may need this to deliver goods or services, but you shouldn’t use it in ways people wouldn’t expect. And you have to protect it.
This is because if personal data falls into the wrong hands, people could be harmed. Depending on the situation, they could become victims of identity theft, discrimination or even physical harm.
Generally speaking, data protection law applies to all workplaces, business ventures, societies, groups, clubs and enterprises of any type. That includes you if you’re a sole trader or self-employed, if you work for yourself or if you’re an owner or director. It also applies if you only employ a handful of staff or even if you don’t employ any staff at all.’
The Osteopathic Practice Standards D5 states: ‘You must respect your patients’ rights to privacy and confidentiality, and maintain and protect patient information effectively’ and this includes a requirement to comply with the law on data protection. Keeping patient data safe maintains confidentiality, protects patients and maintains trust in the osteopathic profession.
Do I need to be registered with the Information Commissioner’s Office and pay a fee?
Most osteopaths will need to be registered with the Information Commissioner’s Office to comply with the data protection legislation. You can use this ICO self-assessment tool to understand if you need to be registered with them and pay a fee.
I’ve received a letter from the ICO telling me to pay a fee, what should I do?
If you receive a letter that looks like this one, you should use the ICO registration self-assessment tool to see if you need to pay and, if you believe you are exempt, you should let the ICO know by 27 August 2021. If you are not exempt, you will need to register through their website and pay the fee. Please note, if you use electronic mechanisms for patient records or CCTV for crime prevention purposes it is likely that you will need to register.
I haven’t received a letter from the ICO telling me to pay a fee, what should I do?
If you don’t receive a letter, you may still be legally required to register so you should take steps to use the ICO registration self-assessment tool to see whether you need to pay the fee.
There is more information specifically for human health and social care organisations on the ICO’s website.
Where can I get further information about data protection?
The ICO has a web hub specifically designed for small and medium enterprises which has lots of tips and simple guides that you may find useful. It has plenty of resources including checking how compliant you are with legislation, ways of minimising the risk of personal data breaches and support to develop appropriate legal privacy notices explaining to patients how you are using their data and keeping it safe.
General Data Protection Regulation
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and meant some changes to previous requirements. For more information, visit the ICO website.
People and organisations who process personal information are data controllers and must register with the Information Commissioner’s Office, so you need to establish who the data controller is for your patient records.
To find out if you are a data controller and how to register see https://ico.org.uk/for-organisations
Retention of patient records
Osteopathic Practice Standard D5 (3) says that you should keep patient records:
- for a minimum of eight years after their last consultation;
- if the patient is a child, until their 25th birthday.
The ICO also provides guidance on: