What?
As part of the CSP Long Covid student engagement project, we planned to interview students who were working on LC placements, and patients who had been living with LC to ask them about their experiences. I realised I had never been personally responsible for collecting, handling, or processing personal data before, and I didn't know how to "stick to the GDPR rules", because quite honestly I didn't know what they were.
Notes and Files
- controllers-checklist-report.docx [18.7KB]
- processors-checklist-report.docx [16.1KB]
- GDPR notes.jpg [177.6KB]
- Data Flow Map.docx.1 [21KB]
- Draft email to LC network respondents.docx [21.2KB]
So what?
GDPR compliance was particularly pertinent in this case, as we planned to publish this data through the CSP website and therefore into the public domain, which added both elements of pressure and corporate risk.
A good understanding of GDPR regulation in this case could help me to achieve KSF 3.1 a (risk), b (accountability) and c (policy and legislation), and HCPC physiotherapy standard 7.2, which asks us to understand the principles of information governance.
Not only are these factors important for media and publications, but they also apply to the handling of service user data in clinical contexts.
I already had some awareness of the importance of keeping data secure and not breaching confidentiality, but I didn't know what the rules were on GDPR specifically, and what legal rights they afforded to data subjects.
Now what?
To try to get to grips with the basic principles of GDPR, I decided to start with an e-Learning for Health course. This helped me to learn how data should be collected and stored (1. transparently, 2. specifically, 3. minimally, 4. accurately, 5. kept no longer than necessary, 6. securely, and 7. with named accountability).
It also pointed me towards the rights that the subjects of data collection are granted through GDPR (1. to stay informed of its use, 2. to access it, 3. to rectify it, 4. to erase it, 5. to restrict its processing, 6. to object to it, 7. to its portability to another body, 8. to prevent its automated processing, and 9. to raise concerns about it).
To better understand the principles of GDPR, I decided to put them into the context of our Long Covid project by completing the ICO self-assessment toolkits for both controlling and processing data (reports attached). These guided me to create a data flow map, which both fulfilled the basic GDPR principles, and made it clearer to me what was needed in terms of providing information that informs our subjects' consent before going on to collect any data from them.
Using this structured approach, and using the data subjects' rights as a checklist, I went on to create an interview invitation document to send out to respondents that also served as a consenting document.
By taking this step-wise approach to information gathering, mapping the flow of data processing and handling, then putting this into practice by creating the invitation as a consenting checklist, I feel much more comfortable with appropriate compliance in data collection, handling and processing.
This is very much a "dry run" for this knowledge, as it is in a much more casual context, with the available assistance of teams at the CSP. In future I will need to develop an understanding of how this applies to patient information and research, in order to develop towards a more advanced level of practice.