Roger Matthews further examines the EU’s forthcoming General Data Protection Regulations and its potential impact on dental practices. Have you drawn up your privacy notice yet? Are you up to speed on how you can lawfully process the data you hold on patients?
In the first two articles in this series (part 1 and part 2) I’ve taken a look at how the new Data Protection Bill – incorporating the EU’s General Data Protection Regulation (GDPR) - is coming along. I’ve highlighted the importance of preparing by taking a good look at all the personal data you currently hold in the practice (a Data Audit). Where does it come from? With whom do you share it (or might disclose it to)? How long will you keep it? Do this as a practice team, because ultimately everyone is responsible for good Data Protection.
The Data Protection Bill is still working its way through the parliamentary system and further amendments are still possible, although unlikely to impact dentistry. We will continue to watch this progress closely and to update Simplyhealth Professionals practices as we move towards the implementation date of 25th May 2018.
I gave some clues as to future Data Protection fees payable by Data Controllers last month, and now we have a clearer idea, although still subject to Parliamentary approval. As predicted there are three ‘tiers’, but some careful thinking may be needed to know which one you fall into.
Firstly, if you do not do any electronic processing (at all – that includes computers, tablets, smartphones, CCTV or any form of digital equipment) – and that’s pretty unlikely I would say in 2018, or if you only use a computer for the purposes of staff employment, PAYE, business administration, and payment processing (i.e. only basic personal details) it might appear you are technically exempt from paying a fee. But, the ICO has stated that any personal data processed for the purposes of ‘healthcare administration’ you will still have to pay. (See The Data Protection Fee – A guide for Controllers at ico.org.uk)
If you have a small practice, with 10 or fewer staff (every part-timer counts as ‘one’ and that includes the cleaner, gardener, and self-employed associates, hygienists etc), and if your annual turnover is less than £632,000 then you are in Tier 1. The fee will be £40, or if you pay by direct debit, then £35. Yippee, no increase! You will get a reminder when your current registration runs out, and an opportunity to set up the direct debit then.
(A little complication: if you have an NHS contract, then you are regarded as a ‘Public Authority’ in respect of processing and fees from that contract only. Public Authorities are exempt from the turnover threshold above, so if your NHS contract turnover is more than £632,000, then you are rated only according to your sGDPRtaff numbers. So a very big NHS contract but low private fee income might keep you in Tier 1.)
Larger practices, who do not fall within the above criteria, will pay a Tier 2 fee of £60 (again presumably with a direct debit discount of £5). This covers Data Controllers with 250 or fewer staff and a turnover of less than £36 million. Large Corporates may need to do some calculating, but otherwise this Tier will cover just about every other large-ish practice or small chain.
Tier 3, at £2,900 annually, is probably not an issue for dentists!
If you are currently registered (‘notified’) with the ICO – as you almost certainly are – there is no need to take any action until you receive your reminder to renew after 25 May 2018.
Your fee level will, in most cases, be accurately anticipated by the ICO but you should check to make sure it is correct and either call or e-mail them if not. It seems likely that if your renewal date is shortly after the implementation of the new law, there will be significant delays in getting changes made, but so long as you can show you took all reasonable steps then this should not disadvantage you.
Remember that Associates will only need to register – as now – if they act as Data Controllers in their own right (see the ICO’s Information Governance in Dental Practices, September 2015).
Between now and 25th May, practices will need to:
- Complete their data audit (as above, if not already done)
- Check where back-ups are stored (ask your software provider/s)
- Consider how to present Privacy Notices to patients (see more below)
- Consider revising their Data Protection and Information Security policies
- Carry out and document a Legitimate Interest Assessment
- Draw up a Data Breach policy and procedure (if not already done)
- Appoint a Data Protection Officer
Helping Member dentists
To help with preparation, Simplyhealth Professionals will be publishing further guidance for members on all the above, including templates for the necessary policies and assessments. However, in every case, it will be necessary to consider how these templates should be adapted for your own particular circumstances and practice.
This information will be published on the web portal for member dentists to access and it is hoped that all the necessary policies will be in place by the end of March. However, the new law is still Parliamentary ”work in progress”, so you should keep aware of any updates in monthly newsletters and e-mails.
Although ICO has said they will take a “proportionate” approach to enforcement in the early days of the new legislation, we cannot be sure the healthcare regulators (or NHS Commissioners) will take a similarly sympathetic approach. So preparedness is necessary!
A Lawful Basis
As noted when writing about Privacy Notices in previous articles, a Data Controller can only process data under the new legislation if they have a Lawful Basis to do so. Sounds reasonable, and GDPR gives six options to choose from.
Consent sounds like a good idea and as dentists we are well versed in this topic. However, remember that consent can be withdrawn at any time, and whilst you might simply and rightly stop treating a patient who decides, for whatever reason, to exercise this ‘right’ it would make life difficult for all concerned.
Necessary to fulfil a contract would apply in the case of self-employed staff members, such as associates, hygienists and so forth, so is appropriate for those cases.
Necessary for a Public Task is actually appropriate for all processing to do with NHS Contracts, since if you have one, you are regarded as a ‘public authority’ and are carrying out processing as required by legislation. So that ticks off the NHS patients and their care.
Legitimate Interests of the Controller is really the catch-all that would be appropriate for most of your private patients’ care and treatment. A ‘legitimate interest’ is really any self-evident need that an organisation has in order to function, and where a ‘data subject’ (patient) would ‘reasonably anticipate’ that such processing is necessary, provided it does not undermine any of their rights.
In order to use Legitimate Interests as your Lawful Basis, the legislation requires that you complete a Legitimate Interests Assessment (LIA). This is not too difficult provided you follow the detail of the law: firstly do you need the information? Secondly is there any alternative? Thirdly can you balance your need against the patients’ rights? And finally what actions do you take to ensure the security and confidentiality of the data? There will be a template for an LIA provided on the member dashboard during March.
Why the fuss about ‘Lawful Basis’? The legislation requires that your full Privacy Statement, freely accessible to all those persons whose data you process, specifies clearly what this basis is. On a website this must be clearly signposted (not buried in the small print), and in the practice its availability can be pointed out within a brief statement given verbally or, I would suggest, added to medical history forms and updates.
A few odds and ends.
If your practice software provider stores or backs up your data, you should have a fully documented contract showing where the data is kept, and if it is overseas (especially if outside the European Economic Area) does it conform to GDPR requirements?
If you use patient data for marketing purposes, and also if you routinely contact patients by e-mail or text message, you will need to have specific marketing consents for these activities. Again, simple messages about forthcoming appointments can be consented with specific ‘opt-in’ boxes to be ticked and signed for. The medical history form is a good place for this too. ‘Opt-outs’ or other non-explicit methods will no longer be acceptable.
Do you need a Data Protection Officer? If you have an NHS contract (however small) the answer is “yes” as you are considered a ‘public authority’. However, authoritative guidance (from an EU Working Party) states that although ‘large scale’ processing of ‘special’ (e.g. health) data, such as by a hospital, does require the appointment of a DPO, processing of patient records by ‘an individual physician in practice’ does not. You may however feel that it is worth appointing one anyway: note that their identity will be shown in a public register held by the ICO. They are not ‘responsible’ for compliance (that remains with the Data Controller), but may be a source of expertise and advice, and may, if desired, be an external appointment.
Finally, make sure everyone in the team is aware of the changes coming up, of their increased responsibilities around data security (no more passwords on Post-It notes!), data breaches, and confidentiality, and review your training at regular intervals!
Part 1 of this blog
Part 2 of this blog
Errata - Postscript by Roger Matthews
A quick note before you read through my blogs on GDPR (or if you’re reading them again). The complexities of this new legislation (and the amendments taking place at the eleventh hour in Parliament) mean that my commentary has been “on the hoof” so to speak and based on available knowledge at the time of writing (starting last December). So there are a few points I now need to clarify and correct.
In Part 1 ‘GDPR - The New Millennium Bug?’ I mention specific consent from patients for processing data. It’s now clear that this is a bad basis to use since patients can withdraw consent. I correct it in Blogs 2 and 3. Oh, and the new law will be the Data Protection Act 2018 (not 2017).
In Part 2 'GDPR - Privacy Notices and Consent' I refer to patient consent possibly being needed for referrals. This arose from some EU commentaries on GDPR (The Section 29 Working Party if you must know) whose advice was rather vague. I now think that this is unnecessary by virtue of exemptions in the Act. I also got the new ICO fees wrong – but those were the ones she was suggesting to the Government at the time… plus ça change…
Finally in Part 3 'GDPR and Data Protection', written as recently as March, we have again been overtaken by events. It seems the ICO will ‘assume’ everyone is in Tier 3 for fees, so unless you want (or need) to pay £2,900 a year, make sure you correct her when your renewal notice comes around (on the anniversary of your current notification fee). The Report stage of the Data Protection Bill happened on Wednesday 9th May when there was a whopping 138 amendments to be considered. One of those of particular note was an amendment to exempt primary care providers with NHS contracts from appointing a Data Protection Officer. Sadly for NHS providers, the Government rejected this amendment.
The Bill now returns to the House of Lords for the final stages.
GDPUK thanks SimplyHealth Professionals and Roger Matthews for their permission to reproduce these three blog articles.
Image credit - Jon Worth under CC licence - not modified.