GDPR and psychology is a topic that is often difficult to discuss for those not familiar with legal matters. This brief guide to the GDPR aims to clarify what we psychologists and psychotherapists must do to comply with the General Data Protection Regulation.

But it is best to proceed in order, starting from the basic notions.

Basics for Psychologists: GDPR

GDPR is the acronym for the European Union General Data Protection Regulation (GDPR) no. 2016/679, which came into force on May 25, 2018, but which Italy implemented with Legislative Decree 10/2018, which came into full force on September 19, 2018.

Although several years have passed since its implementation, there is still a lot of confusion and uncertainty about the procedures that psychologists and psychotherapists are required to follow for the processing of personal data to avoid incurring any penalties (which are actually quite substantial).

In any case, if we learn to understand our “enemy,” we will be less afraid and will certainly be able to face it calmly and thus emerge “victorious” from this conflict, which adds to all the various problems we are forced to face daily in our professional lives. To do this, let’s first understand the meaning of some of the terms used in the GDPR.

To make the connection between GDPR and psychology easy to understand, we will limit ourselves to presenting the terms needed to bring our professional practice into compliance:

THE GDPR PROTECTS THE RIGHTS OF NATURAL PERSONS AND DOES NOT CONCERN THE PROCESSING OF DATA RELATING TO LEGAL PERSONS

This concept is fundamental. We must be clear that all the activities we undertake are aimed solely and exclusively at processing the data of natural persons, not legal entities such as businesses, including sole proprietorships. Professionals, however, are, to all intents and purposes, natural persons.

To comply with the GDPR, psychologists and psychotherapists are required to protect patients’ personal data, inform them of how it is used and how and where it is processed, and safeguard it carefully so as to prevent, as far as possible, its loss or its theft by malicious individuals.

Ultimately, we must understand the GDPR as a set of rules and concepts that govern the collection, management, and dissemination of personal data of natural persons. Its fundamental objective is to ensure that users are fully aware of the purpose and extent of their personal data collection and how it is managed. It may seem complex, but if we apply common sense, compliance with the GDPR rules, especially in our case, will be relatively simple.

GDPR and Psychology: Some Common Terms

The GDPR identifies and defines numerous terms that are useful for understanding it. Below we list only those that psychologists and psychotherapists need in order to manage the GDPR within their own practice:

  • PERSONAL DATA
    This is the information that all of the GDPR legislation focuses on, but what is it in practice? In short, it’s any information that identifies or allows for the identification of a person, directly or indirectly (for example, by cross-referencing it with other data). These are personal data, such as: name, surname, email address, home address, telephone number, credit card number, IP address, etc. Within this category, there are some data that are labeled SENSITIVE, which therefore require greater care and attention, and in general, their processing is even prohibited, unless certain conditions are met. These data include health data, genetic data, and biometric data. From this perspective, psychologists and psychotherapists are required to handle sensitive data.

  • DATA PROCESSING
    This term identifies any operation, or group of operations, carried out manually or with the aid of computerised procedures, applied to personal data (sensitive or not), such as collection, recording, organization, storage and dissemination. In practice, the GDPR dictates the rules by which psychologists and psychotherapists process and use patient data, whether they do so with the classic pen and paper or with one or more IT tools understood in the broadest sense: not only a cloud service such as PsyCare, but also the PC, tablet or smartphone, the pen drive, and so on.

  • FIGURES INVOLVED
    Naturally, the GDPR takes into account the different figures involved in the processing of data. Here is a short list of the figures that psychologists should know in order to bring their profession into line with the GDPR.

    • Data subject (interested party): the natural person whose data is processed, in our case the patient.

    • Data controller: the psychologist or psychotherapist, understood as a natural person, or as a legal person if part of a joint practice or company, who determines how patient data is processed.

    • Data processor (responsabile del trattamento): in the vast majority of cases this is again the psychologist or psychotherapist, unless a third party (or external company) is appointed to manage the data on our behalf.

    • DPO (Data Protection Officer): a figure that is required only when personal data is processed on a large scale. For the purposes of this brief guide on GDPR and psychology, and for the clinical work of the psychologist and psychotherapist, this is a figure we will not need.

Ultimately, the figures we will identify are only the data subject (interested party), that is our patient, and the data controller/processor, that is ourselves.

General principles of the GDPR

The GDPR guideline is that every processing of personal data by the psychologist and/or psychotherapist must be carried out, towards the patient, according to three cardinal principles, which are widely shared and fair:

  • LAWFULNESS

    As psychologists and psychotherapists, we can process data based on a legal basis, essentially if we have a legitimate justification for doing so. In our case, this is the relationship established between clinician and patient.

  • CORRECTNESS
    It is self-evident that we must behave and act with loyalty and good faith in respecting the information we obtain from the interested party (patient).

  • TRANSPARENCY
    All information we provide to our patients must be complete and easy to understand, even for those who are not particularly well-educated.

  • LIMITATION
    Since we collect data from our patients for analysis, therapy, etc., they must be used exclusively for that purpose and we are not permitted to use them for purposes other than those for which they were collected, unless the interested party has given further and more extensive consent.

  • MINIMIZATION
    All data we collect must be strictly necessary to carry out our work; we cannot therefore collect information that is not relevant to it.

  • UPDATE
    We must have accurate data and update it when necessary, including the timely deletion of any inaccurate data with respect to the purposes of the processing.

  • LIMITATION OF STORAGE
    The data must be kept for a time limited to that required by the purpose for which we collected it, in practice we cannot keep it for life.

  • INTEGRITY AND CONFIDENTIALITY
    We must ensure that all collected data subject to processing are stored in an adequately protected manner; this applies both to data in digital form (where PsyCare also helps us) and to data in paper form.

At this point there would still be much to add, since the GDPR provides for a series of rules and mechanisms to be implemented. We will not examine them in this short guide, however, because our only aim is to prepare the documents the psychologist needs in order to practise the profession safely. So let’s get to the point without further delay.

GDPR and Psychology: Mandatory Documents

  • Register of processing activities

The Register of processing activities is an internal document that is easy to complete (and that we will show only upon specific request from the competent authorities). Psychologists and psychotherapists are obliged to keep it for both paper and electronic data processing, and it may be kept in either form. It must first of all contain two important dates:

  1. Date of first establishment
  2. Last updated date
  • Data Protection Impact Assessment (DPIA)

Another document for internal use that psychologists and psychotherapists must prepare is the DPIA. It is nothing more than a detailed description of the processing, aimed at correctly assessing its necessity and proportionality and consequently the related risks, in order to identify appropriate measures to counter them. This raises the question: what are the possible breaches that psychologists and psychotherapists may encounter? Let’s look at them in more detail:

  1. Breach of CONFIDENTIALITY, which consists in the unauthorized or accidental disclosure of, or access to, our patients’ personal data

  2. Breach of INTEGRITY, in the event that the aforementioned data undergo unauthorized or accidental modification

  3. Breach of AVAILABILITY, consisting in the accidental or unauthorized loss or destruction of data (as happens more and more frequently with cryptolockers, i.e. ransomware)

This assessment must be performed for the data in our possession, bearing in mind that it is stored both in paper and in digital form and can therefore be subject to different kinds of breach. The document must be drawn up on the basis of an analysis of our daily operations and may therefore vary, but generally speaking it could be as follows:

  • Information for interested parties

Last but not least is the document relating to the so-called “informed consent”, which psychologists and psychotherapists must submit to their patients and have them sign, even digitally via the simple function integrated in PsyCare. This is the heart of the GDPR: through this document we inform patients about what data we will collect, why we collect it and how it will be stored.

As previously mentioned, we will observe the principles of the GDPR, basing data collection on common sense, but also on data minimization: that is, we will only acquire the data strictly necessary to perform the requested services.

You can find two files about this:

  • One containing only the information strictly necessary to obtain the patient’s consent

  • One containing the service contract and detailed information

At this point, for basic adherence to the requirements of the GDPR, we can consider ourselves satisfied. Let us remember to keep the registers up to date and to ALWAYS have our patients sign the informed consent as soon as possible, preferably, and as far as our needs allow, already at the first meeting, so as to avoid possible future disputes.

Final Considerations

Everything set out above concerns the adaptation of the psychologist’s profession to the requirements of the GDPR assuming a standard configuration (a practice run directly by the owner with at most one secretary and/or one employee). In the case of larger practices, joint practices, cooperatives of psychologists, etc., compliance with the regulation is more complex and requires further study. In that case, or if you would simply like more information, we invite you to send an email to gdpr@psycare.it