GDPR – you’ve all heard of it – comes into force this May. Have you got it cracked yet? If not this new post shares the work so far by an NHS communications team.
by Amanda Nash
There’s two things designed to make you keep scrolling on your social media feed: an acronym you don’t really understand, and one the so-called experts are saying you must comply with or your career is doomed.
Oh, and by the way, behind that acronym there’s a mountain of literature, expert blogs and videos, growing greater by the day, for you to absorb so that you do understand. It sort of falls into the TL;DR (too long, didn’t read) category. Well, maybe it’s just me.
That’s certainly the way I was beginning to feel about GDPR. It’s an acronym that’s hard to get your tongue round, let alone your head. There’s lots of myths going round about it too – communications professionals will have to stop sending information to journalists because of it, we’ll have to have a new and individual consent form every time you video someone etc.
When I’m having a bad day running and a steep hill stretches out ahead, and another after that, and then another (it’s pretty hilly where I live), I have to take the approach of chunking it down. I break my run down into bits. I take the same approach to those big tasks that I find difficult to get into never mind get a grip of.
So, as part of my CIPR Continuous Professional Development, I spent some of the new year reading the 14-page CIPR Guide to GDPR, visiting the ICO site, watching these videos and accessing other different sources to find out what this means for me as a Head of Communications in an NHS Trust and our communications team.
Today we sat down as a communications team and ran our own informal team training session. Together we watched videos, read and bounced around some questions and thoughts. We don’t have all the answers (no-one does whatever they tell you) but we do have a plan and this is it. I’ll warn you, it’s basic.
What we know about GDPR
The big differences between GDPR are the current Data Protection Act would appear to be:
The definition of personal data is wider including any data such as name, email address, images, biometric data that identifies someone
You not only have to comply with GDPR you need to demonstrate you do – think documenting not just consent but any decision-making process
There is a bigger focus on the rights of individuals – particularly the right of erasure commonly known as the right to be forgotten
Among the six conditions for processing personal data is consent
Consent now requires an active and affirmative opt-in approach, no pre-ticked boxes which you have to uncheck to opt out of. Individuals need to positively opt in and it needs to be as easy for them to opt out again and withdraw their consent as it was to give it in the first place.
What do we do in our communications team that could be affected by this?
- We keep contact details for key stakeholders which we use to regularly communicate with them – this includes our Patient Council members, patient support groups, journalists, etc
- We take images (photos and videos) of patients, donors to our charity, staff and members of the public. We use these online, in print, in our image library etc. We use consent forms to document we have the consent of any patients. This is because in healthcare we have a duty of confidentiality to patients and their information and we have to record the person’s consent to share anything about them.
What are we going to do next?
1. We are going to review all our stakeholders and contact them by email to ask them: do you still want us to continue to regularly communicate with you? If so, in what format (give them options) and can you complete the attached to give your written consent for us to do this.
This isn’t rocket science. It’s common courtesy and good communications. It’s almost like updating our records – something that is overdue anyway. Most of our key stakeholders have asked for more contact with us and are in regular communication so we can’t see this being a problem but it is a good opportunity to talk to people about what information they want, how often etc, how they want to engage with us. And, if I’m honest, without the introduction of GDPR, that task would probably never get to the top of the to-do-list.
2. We are reviewing our current consent forms to include more information on
- How any words/footage/photos will be used – including in our image library
- How they will be stored and for how long
- How to withdraw your consent if you want to
3. We are talking to our Information Governance lead about our organisational privacy statement
What we concluded after our informal training session is that this isn’t something to have us running for the hills. Nothing is going to fall over on 25 May 2018 (when GDPR becomes law) and we’re in a good place.
In healthcare, the importance of documentation cannot be overstated. We already have processes for consent in place, based on sound communications principles. By that I mean, not sending people information they don’t want (SPAM) and always ensuring people are given clear information and time to consider their decision before they give consent for sharing information about themselves. This is really important in healthcare, which is so personal and often catches people at vulnerable times in their lives. It’s not right to ask someone if they don’t mind the BBC filming them in their pyjamas, with the BBC reporter standing right behind, mic in hand. We have to be respectful, considerate, mindful of the needs, wishes and dignity of the person in front of us.
As a team we still have questions – for example, if we are invited along to an event marking a group of Healthcare Assistants gaining their next qualification, do we have to consent all 20 people individually for them to appear in a group celebration photo? Could we record consent in a very short video format?
Now my next task, as manager of our charity team too, is to get to grips with what this means for our CRM. That might be a bit of a bigger hill. I’m taking a deep breath and just aiming for that tree at the top.
Amanda Nash is Head of Communications at Plymouth Hospitals NHS Trust
image by Tullio Saba