GDPR compliance update for the week of 23/04
It’s a month until the GDPR comes into force, and we’re well on the way to becoming compliant! Here’s an update on what we’ve done, what we’re doing, and what’s on the cards for the coming month.
Cliniko as a processor of data
When it comes to your patients’ data, Cliniko is the processor of the data in your account, while you are the controller of that data. As a processor, we support you in meeting your obligations as a controller, for example by providing tools that help you respond to your patients’ requests under the GDPR.
Here’s an update on changes that we’ve already released to help you with your compliance:
- You can now permanently delete a person from your Cliniko account, addressing the Right to Erasure (also known as the Right to be Forgotten). Permanent deletion cannot be undone, so this is intended for records you have no legal requirement to retain, or where that retention requirement has lapsed.
- In the Online Bookings portal, we’ve added details on how we store information in Cliniko, and we now require consent from your patients when they make a booking. This change will help us serve Online Bookings in the EEA lawfully.
- We’ve changed our bulk SMS function to distinguish between marketing messages and need-to-know messages, so the two can be handled separately.
Thankfully, we already have a lot in place to support other rights, such as the Right to Object (you can edit a patient’s marketing status in Cliniko) and the Right to Rectification (you can correct any inaccurate details in any area of Cliniko).
To improve on what we have available right now, the following changes are in progress:
- A one-stop page that gives you all (I mean, ALL!) of the information Cliniko holds for a single patient. This will cover the Right to Access and the Right to Data Portability.
- Removing all currently “soft” deleted patient-related items in Cliniko. Previously, deleting a patient only hid the record from view and from use; the data itself was still stored. We will be “hard” deleting (actually removing the data) soon!
- Removing the patient name from the page titles recorded in your browser’s history, so that anyone with access to the browser cannot see patient names there. This helps prevent data leaking from your account.
- And, more to come!
The final piece of the puzzle, for our obligations as a processor, is to enter into a Data Processing Agreement (DPA) with each and every account using Cliniko in the EEA. That document is with our lawyers right now for another review, and we’ll be launching it in the next month, too!
Cliniko as a controller of data
Cliniko is also a controller of data: the information that you provide to us. This can include, but is not limited to, your email address, phone number, business details, and more. As a controller of data, we have the same kind of responsibilities towards you as you have towards your patients. This means we’re working on making sure we are compliant in this area, too! Some of the measures that help us comply include:
- Full deletion of your account when you request it.
- Improved tagging of EEA accounts, so that we can communicate with you more directly (which will help us deliver this article as a message to you within your account soon!).
- Improved and formalised back-of-house policies covering our employees and their use of data in Cliniko and our related tools.
We’ll announce each update as it is released in the Updates & Changes area of our Community.
As usual, you can always ask us for clarification or more information via the Help → Chat With Us option within your Cliniko account.