GDPR and Case Manager

Intended Audience

Primarily any UK/EU based Case Manager customer. However, if you collect or process the personal data of any individual in the UK/EU, GDPR applies to you as a health provider whether or not your organisation is based in the UK/EU.

What is GDPR and how does it apply to me?

The General Data Protection Regulation (GDPR) is a set of rules aimed at streamlining, updating, simplifying and replacing the many data protection laws that previously existed across the EU member states. It aims to:

  • Give EU citizens back control of their data

  • Simplify the regulatory environment

  • Provide a level playing field for businesses in the EU

Post Brexit, GDPR continues to apply in the UK as the “UK GDPR”, which operates alongside the Data Protection Act 2018 (DPA 2018). The obligations described in this article are the same under both regimes.

If you are collecting personal information via Case Manager (or by other means) you need to ensure you can uphold the rights of the individuals about whom you are collecting data. In Case Manager this means case contacts and patient information. GDPR data subject rights include:

  • The right to be informed about how their data is collected and processed. This usually comes in the form of a privacy policy and/or consent form.

  • The right to access a copy of the data you store about them

  • The right to correct inaccurate data you store about them

  • The right to delete data you store about them (unless you have a lawful basis to retain the data)

There are several other rights, however, these are outside of the scope of Case Manager. Please review the full list of rights here.

Becoming GDPR compliant is something every organisation handling UK/EU citizens' data must achieve for itself; using Case Manager does not make you compliant on its own. This article aims to show how Case Manager can support your GDPR obligations.

Lawful basis for processing

Before, or at the time, you collect personal data about case contacts, you must inform them of the following:

  • The types of personal data collected

  • The purposes of the processing

  • The data subjects' rights with respect to their personal data

  • The data retention period

  • Any potential international data transfers

  • Whether data will be shared with third parties, and the company’s security measures to protect personal data.

The above information is usually included in a consent form and/or privacy policy that must be accepted before the contact's data is collected. Please ensure you have implemented a privacy policy or consent form containing this information.

How do I obtain consent from my Case Contacts to collect and process their details?

It is important to understand your lawful basis for processing personal information. There are several lawful bases as described by the ICO; however, yours will typically be either Consent or Contract. Note that patient health information is special category data, so in addition to a lawful basis you also need one of the separate conditions for processing special category data (Article 9 GDPR); please verify which applies to your organisation. This section describes how you can record consent within Case Manager.

Consent can be obtained in different ways, however, here are some examples to follow:

  1. If obtaining referrals from your company website, ensure a consent form is accepted by the contact before they submit their referral details.

  2. Email the contact a consent form for them to agree to either in writing (email) or by a signed document. Please verify the consent requirements specific to your industry. The consent document can then be uploaded to the appropriate Case Manager case, so that you have a record of when and how consent was given.

How can I respond to a DSAR (Data Subject Access Request)?

Before retrieving anything, verify the identity of the person making the request, and remember that you normally have one month to respond. Please use the following methods of data retrieval based on the type(s) of data requested. In every case, review the export for personal data belonging to other individuals (for example other contacts on the same case) and remove it before sending, and deliver the exported files by a secure method.

Contact Data

  1. Open the Company List in Case Manager.
  2. Click the icon to open the Company List criteria.
  3. Make sure that all the required contact columns have been added.
  4. Filter the grid so that it shows only the requestor's details.
  5. Export the grid to Excel.

Case Details

  1. Create a new Case List Criteria saved view.
  2. Include the columns/data requested. This may include standard case fields and your own custom fields.
  3. Filter the grid so that it shows only the requestor's case(s).
  4. Export the grid to Excel.

Documentation Data

Use the web version of Case Manager to perform this operation.

  1. Open the case(s) linked to the contact

For each case:

  1. Navigate to the Documentation tab.
  2. Select the relevant documentation, being sure to exclude anything irrelevant to the request.
  3. Export the selected documentation via the ZIP function.

Accounts Data

  1. Open the case(s) linked to the contact

For each case:

  1. Navigate to the Accounts tab.
  2. Export the grid of invoices, payments, refunds and adjustments to Excel.

How can I respond to a request to correct data?

Easy. Just use the Case Manager user interface to update the details as you normally would, and confirm the correction to the requestor once it is made.

How can I respond to a request to delete data?

In the event that one of your clients or case contacts wants their data deleted, you will first need to ensure that you can legally delete it. Many industries, including healthcare, are required by law to retain records for a number of years. You may refuse a request to delete data where you have a lawful basis for retaining it, but you should tell the requestor why.

If you do need to delete or erase a case, Case Manager has an “Erase Case” feature. This feature removes all identifying information from the case, along with other related data. Please find the full details of what is deleted, and how to use this feature, at Erase or delete case. Note that erasure is permanent, so confirm that no retention obligation applies before using it.