Physiotherapy businesses need to be more ‘cyber resilient’ and prepare for new legislation which will increase people’s rights to access their personal data.
The General Data Protection Regulation (GDPR) legislation comes into effect in May 2018
This was the advice of Paul Davidson, a special adviser on law enforcement and security at the Foreign and Commonwealth Office, during his speech at the Medico-legal Association of Chartered Physiotherapists (MLACP) conference.
He told the event in London on 24 November: ‘Cyber attacks are doubling every year, and your data is valuable, but there are simple steps you can take to reduce the risk.’
He suggested that physio businesses should limit access to their data, make use of cloud storage systems, use password vaults, back up data to at least three different places on separate networks, use secure web services, encrypt data on mobile devices and USB sticks and consider employing a professional cyber security service.
Game changing law
Mr Davidson warned that new Europe-wide legislation, the General Data Protection Regulation (GDPR), would come into effect in May 2018 and that private physios should ‘get ready now’.
‘GDPR will be a game changer for everyone, because it will bring in a raft of legal responsibilities for anyone who holds data,’ he said.
‘Lots of people think its European regulation so we don’t need to worry about it because of Brexit, but that’s not accurate. The UK has already confirmed that our domestic law will align to the legislation.
‘And anyone who deals with Europeans – for instance a physio who treats a French person – this law protects them, wherever they are in Europe. So you will need to accord to the GDPR.’
Increasing fines
Delegates heard that fines for data protection breaches, issued by the Information Commissioner’s Office, currently range from £1,000 up to hundreds of thousands of pounds.
Under the new legislation, fines in the UK are likely ‘to go up tenfold’, Mr Davidson said.
Get ready now
To prepare for the GDPR, Mr Davidson suggested that physio businesses
- Do a data audit: look at what information you hold, where and why you keep it, what legislation allows you to hold it and who you share it with
- Work out how to manage a subject access requests, when people ask to access the data you hold about them
- Establish a privacy policy and ensure your clients give explicit consent for you to collect and hold data about them
- Plan how to deal with a data breach
Author: Robert Millett
Find Out More
Number of subscribers: 0