Dental Protection’s Brian Westbury asks: “Dentists – are you GDPR ready?”
25 May 2018 is “GDPR day” – from this date the new General Data Protection Regulation becomes the law in all European Union member states, replacing previous legislation. Brian Westbury, Senior Dentolegal Adviser at Dental Protection, explains how the GDPR will impact on the day-to-day work of the dental team and sets out some practical steps to help dentists get GDPR ready.
The GDPR affects those who control and process personal data, therefore all dental practices need to comply, and be able to demonstrate compliance. Failure to do so can result in serious penalties being imposed. The Information Commissioner’s Office (ICO) has issued some useful guidance on the new requirements, and there are a number of key aspects for dental practices to note:
The processing of data includes collecting, storing, using, disclosing (and destroying) personal information such as dental records. The GDPR requires that there must be a “legal basis” (a valid reason) for holding personal information, and that this legal basis is made clear to patients.
In dental practice, the relevant legal basis is likely to be that such information is necessary for the provision of treatment by a registered dental professional. Consent is a separate basis, but because consent must be freely given and can be withdrawn at any time, it is better suited to processing that goes beyond what treatment itself requires (for example, marketing communications) than to the holding of the clinical record.
As with any consent process, it is of course essential that the patient’s agreement is based upon an accurate understanding of the reason for the processing, that they have the freedom to choose and withdraw consent, and that the information is used only for the purposes for which it was given. For example, a patient must give specific consent to receive communications from the practice by phone or text.
The GDPR requires that compliance can be demonstrated, so it is essential that there is clear documentary evidence that the patient has given consent for their information to be used.
Transparency and fair processing
The regulations require that a dental practice must inform patients about what is done with their personal information. To comply with this, patients should be provided with a ‘privacy notice’ when information is collected.
The privacy notice should advise the patient about:
• Who the data controller is (i.e. who is responsible for safeguarding their information) and the relevant contact details
• The purpose for which the information is required
• The legal basis for processing the information
• The categories of personal data concerned
• Who might have access to the information
• How the information is protected
• Their rights, including that they can complain to the ICO if there are concerns about how their personal information is being used or managed.
The GDPR gives patients more rights with respect to their personal data.
As with the previous legislation, a patient will have the right to be provided with copies of the information held by the dental practice; however, under the GDPR the period a practice has to comply with such a request is reduced from 40 days to one month. Where a request is complex, or the patient has made several, the period can be extended by up to two further months, provided the patient is told of the extension and the reason for it within the first month.
Information must be provided without charge unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged or the request refused. If the decision is made to refuse the request, the reason for doing so must be provided and the patient should be informed that they can raise the matter with the ICO if they wish.
Patients have greater rights in respect of rectifying, completing and erasing records. Individuals can make a request verbally or in writing, and dental practices have one month to respond to a request.
Patients can also object to and restrict processing. This is not an absolute right and only applies in certain circumstances, but if a request is permitted a practice would be able to store the personal data, but not use it.
There are also rights in terms of data portability. This right allows individuals to obtain and reuse their personal data for their own purposes across different services – or to move it from one IT environment to another – in a secure way. The personal data should be provided in a structured, commonly used and machine-readable form – meaning the information is structured so that software can extract specific elements of the data, so organisations are able to use it.
The information must be provided free of charge.
Should there be a personal data breach (not only an unauthorised disclosure, but also the loss, alteration or unavailability of patient data), the data controller must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to the individuals concerned. The reasons for any delay must be given.
The patient must also be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms. The new regulations provide for higher penalties for data breaches – with a maximum fine of €20 million (about £17 million) or 4% of annual worldwide turnover, whichever is higher.
Data protection impact assessment
A data protection impact assessment (DPIA) is a process to help you identify and minimise data protection risks. Such assessments are a means of demonstrating that measures are in place to safeguard patient information.
These assessments are legally required where the way in which information is handled is likely to result in a high risk to individuals, and processing health data is one of the factors that points towards high risk. For example, you will need to do a DPIA if you install new patient record software, or a new system for sharing information or making referrals. The ICO has put together some useful DPIA screening and awareness checklists that should help.
Data Protection Officer
There is a requirement that a Data Protection Officer (DPO) should be appointed within any public authority or body (e.g. a practice providing NHS services) or any other practice whose core activities involve processing special category data, which includes health data, on a large scale.
What constitutes “large scale” is not defined, but based upon the current guidance it seems that hospitals, large multi-clinics or chains of practices would require a DPO, whereas an individual practitioner might not. Where the line is drawn is not specified, but the number of individuals for whom information is held will clearly be a major factor.
If there is any doubt about the requirement for a DPO, until further clarification is available, it would be advisable to carry out a self-assessment of your own practice in terms of the amount of personal data (both patient and staff records) processed. Once this is done, the assessment should be documented including whether a DPO was considered necessary. This way, there is evidence that steps were taken to ensure compliance with the regulations.
If it is considered appropriate to appoint a DPO, the next step is to ensure that the relevant individual can carry out this role – which involves monitoring and advising on the practice’s compliance with data protection requirements.
The role should not be discharged by the same person who is responsible for decisions on and implementing data protection measures in the practice.
Practical steps to help practices get ready
1. Remember to document the nature of all personal data held plus:
• How it is collected
• How it is stored
• Who has access
• Who it is shared with
2. Ensure there is a legal basis for processing data. If based on consent there must be an appropriate system in place for recording this
3. Ensure privacy notices comply with the GDPR
4. Decide if a DPO is required. If so, ensure they have appropriate knowledge and are free of conflicting responsibilities
5. Have a process for providing copies of patient records promptly, and in an appropriate format, and dealing with other data requests from patients
6. Consider where you may need to do a data protection impact assessment
7. Have a clear procedure for reporting data breaches to the ICO
8. Make sure that all practice staff are aware of the need to comply with the GDPR
9. Review the ICO’s guide to the GDPR
The take-home message is that practices need to be completely open and transparent about why personal data is collected, what it is used for, and be able to clearly demonstrate how data is safeguarded and processed.
Support and useful resources:
The ICO’s Guide to the General Data Protection Regulation has dedicated sections on all the above requirements, along with check lists and other useful resources. It is continually updated, so keep an eye on the website www.ico.org.uk and ensure you are GDPR ready come 25 May.