The register of processing activities is certainly not news to psychologists and psychotherapists, and maintaining it correctly is the first indicator of responsible, spotless, and regulatory-compliant management of data and processing.

The register of processing activities was one of the innovations introduced by Regulation (EU) 679/2016 (the so-called GDPR) and, as specifically detailed in Article 30, represents one of its most important obligations.

The Processing Register and Psychology: What is it?

The register of processing activities is an internal document (to be shown only upon specific request from the competent authorities) which psychologists and psychotherapists are also obliged to draw up and keep updated (as communicated by the CNOP). The document is easy to complete and must be kept in written form, including in electronic format, taking into account the overall compliance framework and the obligation to cooperate with the Data Protection Authority, established by Article 31 of the GDPR.

Note that two types of processing register are identified, for psychologists and psychotherapists as well:
1 – the register maintained by the data controller (the natural or legal person who determines the means and purposes of the processing);
2 – the register kept by the data processor or sub-processor (the natural or legal person who processes the data in the name and on behalf of the controller).

Please remember that this is an essential document for regulatory compliance.
The processing register has two well-defined requirements:
1 – it must be constantly updated;
2 – it must bear, “in a verified manner”:
   – the date of its first institution, or creation;
   – the date of the last update.

The function of the processing register in the clinical context of psychology is twofold:
1 – it represents a measure of accountability for the data controller and the data processor;
2 – it allows subsequent verification by the Supervisory Authority of compliance with the legislation by the obligated parties (art. 30).

What information should it contain?

The data processing register for psychologists contains key information regarding the processing operations performed by the data controller/processor. Each professional must provide an updated overview of the processing operations in place within their organization.

According to the website of the Personal Data Protection Authority, in addition to the name and contact details of the data controller (and, if appointed, of the joint data controller, the data controller’s representative and the data protection officer), the contents of the processing register are described as follows:

  1. “Purpose of processing”: in this field, in addition to the main purpose of processing, broken down by type of processing, it would be appropriate to also indicate the legal basis for the processing. With regard to the legal basis, it would be equally appropriate to indicate one of the specific conditions (pursuant to Article 9, paragraph 2 of the GDPR) for processing special categories of data.
  2. “Description of the categories of data subjects and categories of personal data”: in this field, both the types of data subjects and the types of personal data being processed must be specified (e.g., personal data, health data, biometric data, genetic data, data relating to criminal convictions or offences, etc.).
  3. “Categories of recipients to whom the data has been or will be disclosed”: this field should list, even simply by category, the other data controllers to whom the data is disclosed. This is to allow the data controller to have an effective understanding of the number and type of external parties entrusted with the processing of personal data.
  4. “Transfers of personal data to a third country or an international organisation”: this field must contain information on the aforementioned transfers, together with an indication of the third country(ies) to which the data is transferred and the “safeguards” pursuant to Chapter V of the GDPR.
  5. “Deadlines for deletion of the various categories of data”: this field must specify the deletion deadlines for each type and purpose of processing (e.g., “in the case of a contractual relationship, the data will be retained for 10 years from the last recording – see Article 2220 of the Civil Code”).
  6. “General description of security measures”: this field should include the technical and organizational measures adopted by the data controller pursuant to Article 32 of the GDPR. This list is open and non-exhaustive. It is also inherently dynamic, as it must continually reflect technological developments and the emergence of new risks. Security measures may be described in a summary or concise form, or in any case in a manner that provides a general and comprehensive overview of such measures in relation to the processing activities performed.

In light of what has just been considered and is required for compliance with the legislation, it is worth noting that, starting from the basic standard model, each data controller will be able to build their own “personalised” model of the data processing register, taking into account their specific circumstances.

Register of Processing Activities for Psychologists: The Pre-Compiled Templates in PsyCare

For the register of processing activities for psychologists and psychotherapists, PsyCare makes available to members on the platform a template that is already filled out and downloadable in editable format (for individual additions).

For all further detailed references, and to clarify any further general doubts, the website of the GPDP (Personal Data Protection Authority) is the only valid reference: as an independent administrative authority established by the so-called privacy law, it is the supervisory authority also designated for the purposes of implementing the General Data Protection Regulation (EU) 2016/679 (Article 51).

Storage and updating methods: what should the psychologist do?

The processing register, as the document that records and analyzes the processing carried out by the controller/processor, must be kept constantly updated, since its content must always correspond to the processing actually carried out.

Any changes, particularly regarding the methods, purposes, categories of data, or categories of data subjects, must be immediately entered into the register, recording any subsequent changes as well.

The register can be filled out in either paper or electronic format but, as already mentioned, it must in any case bear, in a verified manner, the date of its first establishment (or the date of the first creation of each individual record for each type of processing) and the date of the last update.

In the latter case, the register must contain a note of the type:
– “record created on date XY”
– “last updated on date XY”.

It is therefore essential that the psychologist’s processing register is kept up to date; otherwise it is not adequate and the data controller is liable to sanctions.

Accountability: the data controller's responsibility

One of the key principles, perhaps the true and strongest cultural revolution brought about by the GDPR, is the concept of accountability, or rather the accountability of the data controller (Article 5 of the European Regulation). We like to emphasize that “accountability” in English means “being held accountable for one’s actions,” so it is something more than simple responsibility.

The new and improved approach is therefore based on:
∼ measurement of the consequences of the treatment
∼ rights and freedoms of the data subject
∼ risk assessment.

Article 25, in particular, introduces an innovative conceptual approach that requires companies to start a project by providing, from the outset, the tools and correct settings to protect personal data (precisely the principles of privacy by design and privacy by default).

In this sense, psychologists and psychotherapists will have to design their processing so as to minimize risks, possibly by conducting a preventive impact assessment and adopting the appropriate security measures. The central role of the data controller is clear: in the light of the principles set forth in the regulation, he or she conducts these assessments himself or herself, subject to ex-post controls by the supervisory authority, and independently decides on the measures to be adopted, the methods, and the limits of processing.
Taking into account the nature, context and purpose of the processing, the data controller (the psychologist and/or psychotherapist) must guarantee, and be able to demonstrate (that is, give an account of), that the processing is carried out not only in compliance with the legislation, but also in such a way as not to create risks.

Keeping the register of processing activities for psychologists and psychotherapists responds to these needs.

This goes far beyond the formal concept; simply having a register is not enough to feel compliant. Today, “mere” compliance with the regulation is no longer sufficient: the data controller remains responsible for protecting the data subject from the risks inherent in the processing. Nor is it enough to adopt compliance measures: it is also necessary to document them (principle of transparency) and guarantee the effectiveness of the measures adopted.

Conclusions

The takeaway, therefore, is: responsibility.
The European Regulation speaks clearly: the Protection of Personal Data must not be trivialized, but must be the driving force for transforming the application of the GDPR for psychology from simple compliance to true innovation. To protect everyone’s privacy, of course.

And, for psychologists and psychotherapists first of all, privacy is an essential requirement for the profession.