GDPR and Mental Capacity Assessments
GDPR has had varying degrees of impact on all sectors of society and business, but none more so than independent mental capacity assessments. Whether you are a national company such as TSF Consultants or a practitioner conducting assessments in your spare time, the impact and implications of GDPR are huge.
Data processor, Data controller or both?
Control, rather than possession, of personal data is the determining factor here. The Data Controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. A Data Processor is anyone who processes personal data on behalf of the Data Controller.
Considering the nature of mental capacity assessments, it is certain that any company involved in this field will be classed as both. It is also highly likely that even individuals doing ad hoc private assessments will also be considered as both.
The very nature of the clients we assess means that mental capacity assessors automatically fall under the regulations relating to special category data. There are separate and specific safeguards for this type of data in Article 10, but what does this mean in practice? In essence, it means that additional data security needs to be put in place to protect the data of those whose data falls into a special category.
GDPR contains explicit provisions about documenting your processing activities, and controllers and processors both have documentation obligations. The GDPR guidance informs us that:
- They must maintain records of several things, such as processing purposes, data sharing and retention.
- They may be required to make the records available to the ICO on request.
- They must document their processing activities if they are involved “in the processing of special categories of data or criminal conviction and offence data.”
- When documenting findings, the records they keep must be in writing, and the information must be documented in a granular and meaningful way.
A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’. Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures. This means that you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. Whilst information security is sometimes considered as cybersecurity, it also covers other things like physical and organisational security measures.
What does all this mean in practice?
The practical implications for mental capacity assessors are huge and, in many cases, will require a complete overhaul of systems, privacy policies and data protection arrangements.
It will require every mental capacity assessor to have their own dedicated electronic systems on which to view information relating to their clients. These devices cannot be used for any other purpose, so that means not using personal mobiles or computers to access or store data, or even to write up reports! This means using separate, dedicated, secure data storage and access servers.
All data must be anonymised, even on the dedicated devices, and the data used to identify that individual also needs to be stored elsewhere. For example, Mr Smith might be referred to as Ref 1278, but there can’t be any record that Ref 1278 relates to Mr Smith on the same device.
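The Ref 1278 arrangement above, as an added illustration rather than TSF's own code: the reference-to-identity link lives in one store, the assessor's device holds only the referenced report, and a leak check runs before anything is written to the device. The class names, the sample report and the random reference format are assumptions.

```python
import re
import secrets

class IdentityVault:
    """The separate store holding the ONLY link between 'Ref 1278' and the person."""
    def __init__(self):
        self._identities = {}  # reference -> identifying details

    def issue_reference(self, full_name, date_of_birth):
        # A random reference carries no information about the person; the way
        # back exists only inside this vault, never on the assessment device.
        while True:
            ref = f"Ref {1000 + secrets.randbelow(9000)}"
            if ref not in self._identities:
                break
        self._identities[ref] = {"name": full_name, "dob": date_of_birth}
        return ref

    def resolve(self, ref):
        return self._identities[ref]

class AssessmentDevice:
    """The assessor's dedicated device: holds reports keyed by reference only."""
    def __init__(self):
        self.reports = {}  # reference -> pseudonymised report text

    def store(self, ref, text):
        self.reports[ref] = text

def pseudonymise(report_text, ref, identifiers):
    """Replace each identifying string with the reference (case-insensitive)."""
    for ident in identifiers:
        report_text = re.sub(re.escape(ident), ref, report_text, flags=re.IGNORECASE)
    return report_text

def leaked_identifiers(text, identifiers):
    """Substring check run before writing to the device. It catches copy-paste
    leaks, not paraphrases ('born March 1950'), so it complements manual review."""
    return [i for i in identifiers if i.lower() in text.lower()]

def build_record(vault, device, full_name, date_of_birth, draft_report):
    """Issue a reference, pseudonymise the draft, and store only the result."""
    ref = vault.issue_reference(full_name, date_of_birth)
    identifiers = [full_name, date_of_birth]
    text = pseudonymise(draft_report, ref, identifiers)
    leaked = leaked_identifiers(text, identifiers)
    if leaked:
        raise ValueError(f"refusing to store {ref}: identifiers present {leaked}")
    device.store(ref, text)
    return ref
```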
At TSF we have invested heavily in ensuring we are GDPR compliant and are protecting our clients’ data.
- We have updated all our policies to be GDPR compliant and reflect the extra sensitive nature of the data we handle.
- By using a secure encrypted file transfer system, we ensure that all our data is encrypted and stored off-site in a highly secure domain.
- Each client has their own specific ‘safe area’ within our Secure Encrypted File Transfer where their data is stored and only TSF employees who have an identified need to access that individual’s data are allowed access.
- All our directly employed assessors are issued with their own TSF-specific phones and laptops, which are encrypted and embedded with software that enables us to disable them and wipe all data remotely should they be lost or stolen.
- By employing a separate Data Protection Officer, we ensure we remain compliant with all our documentation requirements and monthly data audits.