How to handle personal information in mental health treatment
Updated 27th of February 2023
When you treat patients you are normally handling sensitive personal data. It is important to be especially careful of this kind of information, both during and after treatment.
What is personal data?
Personal data is any data that can be directly or indirectly traced to an individual's identity. This can be direct data such as email addresses or names, or indirect data that can be traced back to an individual even if the individual's name or address is not explicitly stated. The data can be in either analog form, such as a paper or a form, or digital form, such as a PDF or an email. Personal data is regulated at EU level by the General Data Protection Regulation (GDPR), and its use in Swedish healthcare is regulated by the Patient Data Act (PDL).
Simple principles to follow when processing personal data
1. Only process necessary information
As a psychologist, you only need to collect the information necessary to carry out your treatment. Avoid collecting or storing unnecessary information, as this increases the risk of inadvertent exposure of personal data. When you no longer need to store personal data, make sure to destroy it. However, if the data is part of the patient record, the record must be kept for at least 10 years.
2. Inform the patient
Patients have the right to know what information is being collected about them, why it is being collected and how it will be used. Before starting treatment, you should provide patients with information about how their personal information will be handled and about their rights under the above data protection laws.
3. Do a Data Protection Impact Assessment
If you use several different systems to handle personal data and do not feel that you have a handle on how the different subsystems process it, you can carry out a data protection impact assessment (DPIA). This is a good way to systematically go through your data handling so that you can explain how information is managed and evaluate it continuously.
How to handle analog information
Analog information such as papers and notes should be kept in a place that can only be accessed by authorized persons. To protect analog information, store it in a safe place, for example a locked filing cabinet or a locked room. When handing out papers or forms as a homework assignment or as part of case conceptualization, remember not to include personal data in the form unless necessary.
How to handle digital information
Digital information can be particularly difficult to protect, as it can be spread through various subcontractors and is exposed to the risk of cyber attacks. This makes it particularly important to know how digital programs handle data. If you use SMS, e-mail or other open communication channels, it is very important that you do not write personal data, either directly or indirectly, through those channels. SMS and email contact can work well for general information but should be avoided if you plan to send treatment documents or a homework assignment. If you use digital software as an aid in your treatment, review the software against the following checklist:
Is two-factor authentication used for login?
Two-factor authentication means that the software asks for more than just a password, such as a one-time code sent to your phone number. SITHS cards and BankID are examples of approved authentication solutions.
Is personal data encrypted with industry standard methods?
Within healthcare solutions there are standardized encryption methods that provide strong protection against unauthorized persons. AES 256 is one such example.
Is personal data sent over Secure Sockets Layer (SSL/TLS)?
SSL, and its modern successor TLS, is a method for software to send information over the Internet without the information being readable by a third party.
Is personal data transferred across borders?
Software normally has many different sub-suppliers that can be located in different countries. Although the information is mainly stored within Europe, it may be sent across national borders during certain phases of processing. If the software uses several subcontractors, check that the subcontractors have signed the EU Commission's Standard Contractual Clauses (SCCs).
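As an added example that is not part of the original guidance, the following Python script (standard library only) lets you verify the SSL/TLS item on the checklist above yourself: it performs a real handshake with certificate verification switched on against a vendor's service address and reports the protocol version, cipher strength and certificate expiry. The hostname you pass in is an assumption supplied by you; the thresholds (TLS 1.2 or newer, at least 128-bit ciphers, a certificate valid for more than 14 days) are the author's assumptions of a reasonable baseline, not something the page specifies.

```python
"""Check whether a service endpoint protects data in transit with modern TLS.

Added example, not part of the original guidance. Standard library only.
The hostname is supplied by the reader; the thresholds below are assumptions.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumed baseline: protocol versions that are still considered acceptable.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def evaluate(version, cipher_bits, days_to_expiry):
    """Turn a handshake result into a list of findings; an empty list means OK."""
    findings = []
    if version not in ACCEPTABLE_VERSIONS:
        findings.append(f"protocol {version} is obsolete; require TLS 1.2 or 1.3")
    if cipher_bits < 128:
        findings.append(f"cipher strength {cipher_bits} bits is too weak")
    if days_to_expiry < 0:
        findings.append("certificate has expired")
    elif days_to_expiry < 14:
        findings.append(f"certificate expires in {days_to_expiry} days")
    return findings


def inspect_endpoint(hostname, port=443, timeout=5.0):
    """Connect to hostname:port, verify its certificate and assess the session.

    Returns (version, cipher_bits, days_to_expiry, findings). If the handshake
    itself fails (untrusted or expired certificate, obsolete protocol rejected
    by the default context), that failure is reported as the only finding.
    """
    # create_default_context() verifies the certificate chain and hostname.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                version = tls.version()
                _name, _proto, bits = tls.cipher()
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return None, 0, None, [f"handshake failed: {exc}"]

    # notAfter is an ASN.1 GeneralizedTime string such as 'Jun  1 12:00:00 2025 GMT'.
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = datetime.now(timezone.utc).timestamp()
    days = int((not_after - now) // 86400)
    return version, bits, days, evaluate(version, bits, days)


if __name__ == "__main__":
    # Usage: python check_tls.py vendor.example  (hostname is your own input)
    host = sys.argv[1] if len(sys.argv) > 1 else "vendor.example"
    version, bits, days, findings = inspect_endpoint(host)
    print(f"{host}: version={version} cipher_bits={bits} days_to_expiry={days}")
    for finding in findings or ["no findings"]:
        print(" -", finding)
```

The script deliberately keeps certificate verification on: a vendor whose service only works with verification disabled is itself a finding, because the confidentiality SSL/TLS is meant to provide depends on the client being able to trust the certificate it is shown.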