Your Data and GDPR
At Psychologist Dea Franck, we have a better handle on data security than most others in our market. This is because we have extensive professional experience from previous workplaces in municipalities, regions, and the private IT sector. As a result, we have been involved in understanding and implementing GDPR within three important pillars that form the basis of our own policy in this area:
We have a solid understanding of the legislation that underpins our business area and have designed our daily procedures accordingly. To ensure compliance with these procedures, all of our workflows are governed by software that we have developed, which works in conjunction with our journaling system. Additionally, we have actively addressed our data flow and have entered into data processing agreements with our subcontractors to ensure that both we and they comply with GDPR. Finally, we manage our own server solution in the clinic and perform backups based on a redundancy principle, ensuring that we can always restore lost data within 24 hours.
We store your data from our journaling system in a database on a local server within our clinic, which is part of a closed network without internet access. The data is encrypted at rest using AES-256 and decrypted using a physical token. Our work computers are hardware encrypted with AES-256 via TPM 2.0. Our communication is handled by our subcontractor Proton AG, while Pearson PLC manages data from assessments conducted with WISC-V. We have entered into data processing agreements with both of our vendors in accordance with Article 28 of the General Data Protection Regulation (GDPR) and the Danish Data Protection Agency’s guidance on data controllers and processors, section 3.2.1.
In our clinic, we utilize a journaling system that we develop and maintain ourselves. We do this to ensure that your data is stored and structured in a way that we understand and can stand behind. This enables us to confidently state that we comply with Regulation 567 of 2017 regarding authorized psychologists’ obligation to keep organized records of their clients for at least 5 years, as well as Article 5(1) of the General Data Protection Regulation (GDPR), which stipulates our duty to delete our clients’ data when it is no longer necessary for treatment purposes or in accordance with relevant administrative laws.
While we use our own journaling system and store your data locally within the clinic on a closed network, there are instances where your data must leave the clinic. This applies when you undergo a test with WISC or WPPSI and when you exchange email correspondence with the clinic. For these cases, we have entered into data processing agreements with the two subcontractors listed below.
In our clinic, we use the WISC-V and WPPSI test batteries, and the results, as well as the name and date of birth of the test subject, are exchanged with Pearson PLC through their programs Q-Interactive (WISC-V) and Q-Global (WPPSI). Data is managed by Pearson’s own data processor, Amazon AWS, with whom they have entered into a data processing agreement. The agreement stipulates that data is always stored in data centers located in Canada or Ireland. There has been considerable discussion on social media regarding whether Pearson complies with GDPR. We have thoroughly investigated this matter with both the Danish Data Protection Agency and Pearson and can confirm that Pearson fulfills its obligations under GDPR. Read more about our investigation here.
We have entered into a data processing agreement with Pearson PLC, where they commit to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, commonly known as GDPR.
When we communicate with our clients, it is done through email correspondence. We pay our subcontractor, Proton AG, to ensure that we always have the ability to communicate via an encrypted protocol. Depending on the email provider chosen by each individual client, this protocol will either be OpenPGP or TLS. Proton AG further stores our correspondence in a way that encrypts the data at rest, following a zero-access policy, which means that Proton AG does not have access to the data themselves. Proton AG also handles our calendar system, which is also encrypted. Moreover, the calendar system cannot be exposed through an API, unlike providers like Google Calendar, adding an extra layer of implicit security.
We have entered into a data processing agreement with Proton AG, where they commit to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, commonly known as GDPR.
In relation to counseling and therapy that does not take place within the clinic itself, we utilize the service Signal, which is end-to-end encrypted without an intermediary. This means that data is only stored by the communicating parties. All of our work computers are encrypted at the hardware level (TPM 2.0) with AES-256.