With Brexit officially complete, the EU’s GDPR is no longer in ‘direct effect’ for UK businesses. Most of the regulations are still in place, though. Only now, they are part of domestic law and referred to as UK GDPR.

Despite the similarities, this shift will bring changes to how many practices need to manage their patients’ privacy both in and out of the UK.

Cliniko was already compliant with EU GDPR, and now we’ve taken additional steps to comply with the UK version of the law. This article outlines what we have done and how we’ve designed our software to make it as easy and stress-free as possible to meet your legal obligations.


GENERAL INFORMATION

Depending on the data in question, Cliniko can sometimes serve as the ‘processor’ or ‘controller’ of your clinic’s information. Topics related to both of these categories are discussed further down in this article.

But for now, we’ll cover some of the broader responsibilities we’ve taken care of, including the following:


Established a Data Processing Addendum (DPA).

The Data Processing Addendum is a signed agreement between you and Cliniko that supplements our Privacy Policy. It makes it possible for Cliniko (and our subprocessors) to legally manage your patient information, even though we aren’t physically located in the United Kingdom.

If you’ve already signed a DPA with us, you won’t need to sign another one. The UK government has said it intends to honour all previous agreements and standard contractual clauses. If you are opening a new Cliniko account for your UK practice, you will need to have a signed DPA on file with us.

If your practice is located in the UK and you haven’t already signed a DPA, you can download and sign our Data Processing Addendum whenever you’re ready, and the agreement will be valid once we’ve received it.


Updated our Privacy Policy and Terms of Service.

To account for the changes in privacy requirements brought on by Brexit, we have updated our Privacy Policy and Terms of Service. Since we were already GDPR compliant, we didn’t need to change much, just a few small updates. You may need to update your privacy policy as well if you haven’t already.


Appointed a Data Protection Officer (DPO).

We previously appointed an in-house Data Protection Officer (DPO) to make sure Cliniko is compliant with EU GDPR. This same person will also serve as the DPO for UK privacy regulations, acting as an advisor and contact person for data subjects and supervisory authorities.

You can contact our DPO by email at dpo@cliniko.com.


Appointed a UK privacy representative.

Since Cliniko doesn’t have a physical presence in the United Kingdom, Article 27 of UK GDPR requires us to appoint a domestic representative to be our point of contact for any questions or concerns about our privacy compliance.

Our UK representative is VeraSafe. You can reach them by email at support@verasafe.com or by postal mail at:

VeraSafe United Kingdom Ltd.

37 Albert Embankment

London SE1 7TL

United Kingdom


Our subprocessors also comply with UK GDPR.

Cliniko uses a number of third-party tools, known as ‘subprocessors’. These help our software stay efficient and dependable, including things like cloud-based data storage and cloud-based email delivery services.

Each one complies with UK GDPR—we’ve made sure of that. But if you’d like to get more info, we’ve written another help article on our subprocessors where you can learn more.


CLINIKO AS A PROCESSOR OF DATA

According to the legal definitions, you are the controller of your patients’ private information, and Cliniko is the processor. In other words, you determine the purpose and means for the processing we do on your behalf.

We’ve taken steps to give you the tools you need to fulfil some of your privacy obligations and requests from patients. Below is a list of requirements related to your use of Cliniko and how we help you comply with the regulations.


The GDPR gives patients the ‘Right to Object’. If a client asks you not to send marketing related materials, like emails and SMS texts, it’s your responsibility to make sure they don’t receive any.

Cliniko makes this easy. You can first unsubscribe patients from SMS marketing. Then, when sending a group SMS text, you’ll have the option of declaring a message as ‘marketing-related’ or ‘need-to-know’. If the text is marketing-related, only the appropriate patients will receive it. If it’s need-to-know, the message will be sent to your entire list.

Within the Mailchimp integration, deleting or archiving a patient’s details will automatically remove them from your email list, so you can be confident they won’t accidentally receive any marketing messages from you.


Double opt-in for the Mailchimp integration.

Adding patients to your marketing list without their permission can sometimes rub people the wrong way. Instead, setting up Mailchimp’s ‘double opt-in’ feature lets patients confirm that they actually want to receive your marketing emails before they ever get one. It’s a win-win, making sure you comply with the privacy laws and keeping your clients happy.


Modify a patient's details.

GDPR acknowledges people’s ‘Right to Rectification’. If a patient asks for a correction of their personal information in your records, Cliniko makes it easy to edit any personal details that need to be changed.


Provide a patient with a copy of their personal info.

Under GDPR, patients have a ‘Right to Access’ their personal information. They also have the ‘Right to Portability’, meaning that when they request a copy of their info, the data you provide should be easily transferred or imported into another system.

To help you with this obligation, each patient file in your Cliniko account has the option to retrieve all the personal data for a single person.


Delete a patient’s information from Cliniko.

A patient’s ‘Right to Erasure’ (aka their ‘Right to Be Forgotten’), requires you, upon request, to remove any of their information you that have stored. While it is possible to permanently delete a patient from your Cliniko records, we do not advise doing that if you are legally required to hold onto their info for a period of time. We recommend archiving their file instead.

If you’re unsure of your obligations to retain patient records, check with your professional organisation before deleting any patient information.


Under GDPR, you must obtain and record a patient’s ‘lawful consent’ before storing their personal information. Once you’ve received the consent, just tick the box in their Cliniko file to show that they have agreed to your clinic’s privacy policy.


By including a link to your privacy policy with your online bookings, patients will be required to accept it when booking an appointment online. They can’t complete the booking without giving their consent. Once they have, their file will be automatically updated to show that they agreed to your policy.

We do this because booking an online appointment would require that you store some of their personal information. This way, you can ensure your practice stays compliant no matter how a patient books their appointment.


CLINIKO AS A CONTROLLER OF DATA

We are not the controller of your patients’ data, but we do control your data—like your business details, email address, name, phone number, etc. This means we have the same responsibilities that you have for your patients’ information.

Below, you’ll find the details of how we comply with UK requirements for managing your information, including your right to a full deletion of your Cliniko account and opting out of marketing-related communications.


Delete your Cliniko account.

We can permanently delete your entire Cliniko account if you ask us to. But please note that this is irreversible. All of your information (including patient details) will be gone forever.

We’ve made sure you have the tools you need to download your data before we delete anything. However, we do not advise full account deletion if you are legally required to retain patient records for a period of time. Be sure to confirm your obligations through your professional organisation before deleting your account.


Opt out of marketing communications from us.

If you’d rather not receive marketing emails from us, that’s totally fine. You can opt out of messages that don’t relate to your account (like new feature announcements). Just head to the ‘My info’ section in the menu of your account dashboard and make sure the box under ‘Cliniko marketing’ is un-ticked.

This doesn't mean you'll never hear from us again. We’ll still contact you for other things specifically related to your account (like a past due balance or low SMS credits).


If you have any questions about how Cliniko helps you comply with UK GDPR, reach out to our support team. We’re always happy to help!

Did this answer your question?