Since 25 May 2018 the General Data Protection Regulation (GDPR) has applied in the UK. It requires all businesses that process personal data to keep more detailed records of what they hold about individual clients and why. Under the GDPR, anyone who holds data on individuals as a data controller must be registered with the Information Commissioner's Office (ICO). Viktoryia Health has been registered with the ICO since May 2018 and will remain registered for as long as it is legally required to be.
The Data Protection Act 1998 set out the rules protecting an individual's personal data; it has since been replaced by the Data Protection Act 2018, which sits alongside the GDPR. As a business we need to be aware of the regulations that apply to keeping information on adults and children. These rules have changed under the GDPR, which places greater emphasis on consent, data retention and lawful processing.
The Information Commissioner's Office (ICO) is the UK's independent public body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO enforces and oversees the GDPR.
Registration with the ICO is a legal requirement: all businesses that process personal information must register unless they are exempt.
Under the GDPR, all those who obtain and store data on other individuals must be registered with the ICO and must comply with the Data Protection Act 2018 and the GDPR.
Processing personal information also includes taking photographs, whether with a digital camera or a mobile phone. Therefore, if I am going to be carrying out this activity, I am required to be registered.
Viktoryia Health will never give out, sell or swap:
- Personal Information
- Details of medical records /medical history/ health related information
- Your contact details
- Treatment details
- Financial details
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
The principles are similar to those in the Data Protection Act, with added detail at certain points and a new accountability requirement. Article 5(1) requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
When handling, collecting, processing or storing personal data, I will ensure that:
- All Personal data is accurate and up to date
- Errors are corrected effectively and promptly
- The data is securely destroyed (e.g. shredded) when it is no longer needed. Retention periods vary for different types of data, and this information can be obtained on request by anyone whose data is held within my setting.
- The personal data is kept secure at all times. Online data is only stored on approved secure sites and is only accessed from password-protected, virus-checked devices.
- The GDPR is considered when setting up new systems or when considering use of the data for a new purpose. All new purposes must be made known to the individuals concerned and their consent obtained.
It is equally important not to:
- Process personal data that I do not need for my work
- Use the data for any purpose other than the one it was explicitly obtained for
- Process data that is inaccurate
- Store, process or handle sensitive personal data unless I have the individual's explicit consent, or it is necessary in order to carry out the contract or to comply with a legal obligation
If you require any more information regarding the GDPR and the changes to data protection, please contact Viktoryia Rohal of Viktoryia Health.