GDPR and security in daily work — onboarding for clinic staff
14 May 2026
A short onboarding document you can share with your staff: what GDPR means for their daily work in Validi, and what they can do themselves for security.
This document is written for staff — support workers, nurses, social and health care assistants, therapists — who use Validi every day. It is the kind of thing your clinic manager will quite reasonably ask you to read when you start, or six months in when a refresher is due.
It is not a legal guide. It is an everyday checklist: what GDPR means in practice for your work with the service user's record, and what you can do yourself so a small mistake doesn't become a big problem.
Reading time: 5-7 minutes. Print it or bookmark the page.
The basics — why it matters
Service users in addiction treatment and social psychiatry have given you access to some of the most sensitive information that exists about them. That isn't a formality. A leaked record can cost a service user their job, a relationship, or worse.
GDPR is the law that sets the frame for how you may work with that information. Validi handles most of the technical side (encryption, audit log, hosting, backup). But there are four or five things in daily work that no software can fix for you.
The password
The most important security action you take every day is choosing a good password and keeping it to yourself.
A few rules of thumb:
- Use a sentence, not a word. "My-cat-slept-on-the-keyboard-again" is harder to guess than "Summer2024!".
- Never reuse passwords from elsewhere. Your Validi password should not be the same as your Netflix password.
- Don't write it on a post-it on your screen. Not in a notebook on your desk either.
- Use a password manager if you struggle to remember several. 1Password, Bitwarden, or the built-in Apple/Google ones are fine.
If you think your password may have ended up in the wrong hands — for example because you clicked on a suspicious link — change it immediately and tell the clinic administrator. It isn't something you get fired for. It is something you get thanked for telling us about.
Two-factor login
Validi offers two-factor login (also called 2FA or multi-factor authentication, MFA). That means your password alone isn't enough: there also has to be a one-time code from an app on your phone.
It sounds annoying. It is, for the first three days. After that it's automatic.
If you have the option to turn it on, do. If you are an administrator on Validi for your clinic, it is already on.
When you leave the computer
The rule is simple: if you leave the computer, you lock the screen.
That goes even if you're just popping out for a coffee. If a colleague, or worse a service user, gets hold of an unlocked computer with your login, everything they do is recorded in the audit log as your actions.
Keyboard shortcuts:
- Mac: Ctrl + Cmd + Q
- Windows: Windows key + L
Validi will log you out automatically after a period of inactivity. But that period is longer than the time it takes a colleague to open a record she shouldn't see. Lock the screen.
When you have a service user on screen
Mind what is visible in open offices or meeting rooms.
A few small habits:
- Turn the screen away from the door
- Close service user windows when you stand up
- Don't use service user names or Civil Registration Numbers loudly in open rooms
- Be aware if you sit in a room with windows facing the street
This isn't about paranoia. It is about not letting sensitive information be read by chance by someone who has nothing to do with the case.
If you work from home
Validi can be accessed from home. But a few things to be aware of:
- Don't use public Wi-Fi (cafés, libraries, hotels) to open service user records. If it is absolutely necessary, use a VPN.
- Your home network should be password-protected (not the open one from the neighbour).
- Family members should not be able to see service user data on the screen — even in passing. Sit with the screen facing a wall, not the living room.
- Don't take screenshots of service user data and send them via SMS or WhatsApp. If you need to share something, use Validi's built-in SMS function.
Phishing — the most common trap
Phishing means fake emails that look like real ones, from a bank, a colleague, or Validi itself, designed to get you to enter your login or click a link.
Signs of phishing:
- The email comes from a strange address (validi-support@gmx.com instead of support@validi.eu)
- It asks you to enter your login "to confirm your account"
- It is urgent ("your account will be suspended today")
- It contains spelling mistakes or odd phrasing
- The link points to a strange URL when you hover the mouse over it
Validi will never ask you to enter your login via a link in an email. If in doubt: open a new browser tab, go to validi.eu yourself, and log in that way.
If you click anyway and enter your login: change the password immediately, and let the clinic administrator know. It happens. The important thing is that you say it.
If you notice something strange
Pass it on. Immediately.
Examples of "strange":
- You log in and see that there is already an active session you don't recognise
- A colleague says she received a strange email "from you"
- You discover that a record has been changed without you remembering having done it
- A service user mentions that they have seen their own record somewhere it shouldn't be
It may be nothing. But if it is something, it is important to catch it quickly. Write to the clinic administrator, or directly to Validi support if you are an administrator yourself.
When a colleague leaves
This is the clinic administrator's responsibility, but it's worth knowing as a staff member: when a colleague leaves, their Validi account must be closed immediately.
That goes for parental leave, long-term sickness or sabbatical too. The access can always be reopened, but in the meantime it should be closed.
If you are administrator, put it in your exit procedure: when the key, the access card and the phone come back in, you also close the Validi account. It takes 15 seconds from the "Staff" menu.
What you should never do
The short list of absolute no-gos:
- Log in with another staff member's account (even if she says it's fine)
- Share your login with a locum or trainee
- Take pictures of the screen with a private phone
- Put record material on Google Drive, Dropbox or other private cloud services
- Send service user data via ordinary email (use Validi's secure SMS or messaging function instead)
- Discuss identifiable service users on social media — not even in closed groups for colleagues
Most of these are probably intuitive. But they get broken — typically in a stressful situation — and they are typically what makes the papers when a clinic runs into trouble.
If you are in doubt
If you are in doubt about a specific situation, ask. The clinic administrator, a colleague who has been there longer, or Validi support directly at support@validi.eu. There are no stupid questions here. There are only questions asked too late.
For clinic managers: this document may be shared internally in its current form, or adapted to your own clinic reality. If you'd like an editable version (Word or Google Docs), contact us — we'll send it.
For staff: thanks for taking the time to read it. It isn't the most exciting reading, but it matters.