#GDPR [Image by Jon Worth]

Roger Matthews further examines the EU’s forthcoming General Data Protection Regulations and its potential impact on dental practices. Have you drawn up your privacy notice yet? Are you up to speed on how you can lawfully process the data you hold on patients?

In the first two articles in this series (part 1 and part 2) I’ve taken a look at how the new Data Protection Bill – incorporating the EU’s General Data Protection Regulation (GDPR) - is coming along. I’ve highlighted the importance of preparing by taking a good look at all the personal data you currently hold in the practice (a Data Audit). Where does it come from? With whom do you share it (or might disclose it to)? How long will you keep it? Do this as a practice team, because ultimately everyone is responsible for good Data Protection.

The Data Protection Bill is still working its way through the parliamentary system and further amendments are still possible, although unlikely to impact dentistry. We will continue to watch this progress closely and to update Simplyhealth Professionals practices as we move towards the implementation date of 25th May 2018.

Fees

I gave some clues as to future Data Protection fees payable by Data Controllers last month, and now we have a clearer idea, although still subject to Parliamentary approval. As predicted there are three ‘tiers’, but some careful thinking may be needed to know which one you fall into.

Firstly, if you do not do any electronic processing (at all – that includes computers, tablets, smartphones, CCTV or any form of digital equipment) – and that’s pretty unlikely I would say in 2018, or if you only use a computer for the purposes of staff employment, PAYE, business administration, and payment processing (i.e. only basic personal details) it might appear you are technically exempt from paying a fee. But, the ICO has stated that any personal data processed for the purposes of ‘healthcare administration’ you will still have to pay. (See The Data Protection Fee – A guide for Controllers at ico.org.uk)

If you have a small practice, with 10 or fewer staff (every part-timer counts as ‘one’ and that includes the cleaner, gardener, and self-employed associates, hygienists etc), and if your annual turnover is less than £632,000 then you are in Tier 1. The fee will be £40, or if you pay by direct debit, then £35. Yippee, no increase! You will get a reminder when your current registration runs out, and an opportunity to set up the direct debit then.

(A little complication: if you have an NHS contract, then you are regarded as a ‘Public Authority’ in respect of processing and fees from that contract only. Public Authorities are exempt from the turnover threshold above, so if your NHS contract turnover is more than £632,000, then you are rated only according to your sGDPRtaff numbers. So a very big NHS contract but low private fee income might keep you in Tier 1.)

Larger practices, who do not fall within the above criteria, will pay a Tier 2 fee of £60 (again presumably with a direct debit discount of £5). This covers Data Controllers with 250 or fewer staff and a turnover of less than £36 million. Large Corporates may need to do some calculating, but otherwise this Tier will cover just about every other large-ish practice or small chain.

Tier 3, at £2,900 annually, is probably not an issue for dentists!

If you are currently registered (‘notified’) with the ICO – as you almost certainly are – there is no need to take any action until you receive your reminder to renew after 25 May 2018.

Your fee level will, in most cases, be accurately anticipated by the ICO but you should check to make sure it is correct and either call or e-mail them if not. It seems likely that if your renewal date is shortly after the implementation of the new law, there will be significant delays in getting changes made, but so long as you can show you took all reasonable steps then this should not disadvantage you.

Remember that Associates will only need to register – as now – if they act as Data Controllers in their own right (see the ICO’s Information Governance in Dental Practices, September 2015).

Action Stations!

Between now and 25th May, practices will need to:

• Complete their data audit (as above, if not already done)
• Check where back-ups are stored (ask your software provider/s)
• Consider how to present Privacy Notices to patients (see more below)
• Consider revising their Data Protection and Information Security policies
• Update their Cookie policy if they have a website
• Carry out and document a Legitimate Interest Assessment
• Draw up a Data Breach policy and procedure (if not already done)
• Appoint a Data Protection Officer

Whew!

Helping Member dentists

To help with preparation, Simplyhealth Professionals will be publishing further guidance for members on all the above, including templates for the necessary policies and assessments. However, in every case, it will be necessary to consider how these templates should be adapted for your own particular circumstances and practice.

This information will be published on the web portal for member dentists to access and it is hoped that all the necessary policies will be in place by the end of March. However, the new law is still Parliamentary ”work in progress”, so you should keep aware of any updates in monthly newsletters and e-mails.

Although ICO has said they will take a “proportionate” approach to enforcement in the early days of the new legislation, we cannot be sure the healthcare regulators (or NHS Commissioners) will take a similarly sympathetic approach. So preparedness is necessary!

A Lawful Basis

As noted when writing about Privacy Notices in previous articles, a Data Controller can only process data under the new legislation if they have a Lawful Basis to do so. Sounds reasonable, and GDPR gives six options to choose from.

Consent sounds like a good idea and as dentists we are well versed in this topic. However, remember that consent can be withdrawn at any time, and whilst you might simply and rightly stop treating a patient who decides, for whatever reason, to exercise this ‘right’ it would make life difficult for all concerned.

Necessary to fulfil a contract would apply in the case of self-employed staff members, such as associates, hygienists and so forth, so is appropriate for those cases.

Necessary for a Public Task is actually appropriate for all processing to do with NHS Contracts, since if you have one, you are regarded as a ‘public authority’ and are carrying out processing as required by legislation. So that ticks off the NHS patients and their care.

Legitimate Interests of the Controller is really the catch-all that would be appropriate for most of your private patients’ care and treatment. A ‘legitimate interest’ is really any self-evident need that an organisation has in order to function, and where a ‘data subject’ (patient) would ‘reasonably anticipate’ that such processing is necessary, provided it does not undermine any of their rights.

In order to use Legitimate Interests as your Lawful Basis, the legislation requires that you complete a Legitimate Interests Assessment (LIA). This is not too difficult provided you follow the detail of the law: firstly do you need the information? Secondly is there any alternative? Thirdly can you balance your need against the patients’ rights? And finally what actions do you take to ensure the security and confidentiality of the data? There will be a template for an LIA provided on the member dashboard during March.

Why the fuss about ‘Lawful Basis’? The legislation requires that your full Privacy Statement, freely accessible to all those persons whose data you process, specifies clearly what this basis is. On a website this must be clearly signposted (not buried in the small print), and in the practice its availability can be pointed out within a brief statement given verbally or, I would suggest, added to medical history forms and updates.

Finally…

A few odds and ends.

If your practice software provider stores or backs up your data, you should have a fully documented contract showing where the data is kept, and if it is overseas (especially if outside the European Economic Area) does it conform to GDPR requirements?

If you use patient data for marketing purposes, and also if you routinely contact patients by e-mail or text message, you will need to have specific marketing consents for these activities. Again, simple messages about forthcoming appointments can be consented with specific ‘opt-in’ boxes to be ticked and signed for. The medical history form is a good place for this too. ‘Opt-outs’ or other non-explicit methods will no longer be acceptable.

Do you need a Data Protection Officer? If you have an NHS contract (however small) the answer is “yes” as you are considered a ‘public authority’. However, authoritative guidance (from an EU Working Party) states that although ‘large scale’ processing of ‘special’ (e.g. health) data, such as by a hospital, does require the appointment of a DPO, processing of patient records by ‘an individual physician in practice’ does not. You may however feel that it is worth appointing one anyway: note that their identity will be shown in a public register held by the ICO. They are not ‘responsible’ for compliance (that remains with the Data Controller), but may be a source of expertise and advice, and may, if desired, be an external appointment.

Check your website cookie policy and make sure it is compliant (a template is on the way!)

Finally, make sure everyone in the team is aware of the changes coming up, of their increased responsibilities around data security (no more passwords on Post-It notes!), data breaches, and confidentiality, and review your training at regular intervals!

Part 1 of this blog

Part 2 of this blog

Errata - Postscript by Roger Matthews

A quick note before you read through my blogs on GDPR (or if you’re reading them again). The complexities of this new legislation (and the amendments taking place at the eleventh hour in Parliament) mean that my commentary has been “on the hoof” so to speak and based on available knowledge at the time of writing (starting last December). So there are a few points I now need to clarify and correct.

In Part 1 ‘GDPR - The New Millennium Bug?’ I mention specific consent from patients for processing data. It’s now clear that this is a bad basis to use since patients can withdraw consent. I correct it in Blogs 2 and 3. Oh, and the new law will be the Data Protection Act 2018 (not 2017).

In Part 2 'GDPR - Privacy Notices and Consent' I refer to patient consent possibly being needed for referrals. This arose from some EU commentaries on GDPR (The Section 29 Working Party if you must know) whose advice was rather vague. I now think that this is unnecessary by virtue of exemptions in the Act. I also got the new ICO fees wrong – but those were the ones she was suggesting to the Government at the time… plus ça change…

Finally in Part 3 'GDPR and Data Protection', written as recently as March, we have again been overtaken by events. It seems the ICO will ‘assume’ everyone is in Tier 3 for fees, so unless you want (or need) to pay £2,900 a year, make sure you correct her when your renewal notice comes around (on the anniversary of your current notification fee). The Report stage of the Data Protection Bill happened on Wednesday 9th May when there was a whopping 138 amendments to be considered. One of those of particular note was an amendment to exempt primary care providers with NHS contracts from appointing a Data Protection Officer. Sadly for NHS providers, the Government rejected this amendment.

The Bill now returns to the House of Lords for the final stages.

Roger Matthews

GDPUK thanks SimplyHealth Professionals and Roger Matthews for their permission to reproduce these three blog articles.

Image credit - Jon Worth under CC licence - not modified.

Part of GDPR blog by Roger Matthews

Roger Matthews further examines the EU’s forthcoming General Data Protection Regulations and its potential impact on dental practices. Have you drawn up your privacy notice yet? Are you up to speed on how you can lawfully process the data you hold on patients?

Hopefully you’re reading this after digesting the first part of this GDPR blog. If so, then even more hopefully, you will by now have done a “data audit” as recommended by the Information Commissioner’s Office (ICO).

You haven’t? Then you should: it won’t take too long. Work out all the personal data you hold: on patients, staff and contractors (Associates etc.), where do you get it from? And with whom do you share it? If you export data to a third party (a laboratory, patient referrals or cloud storage for your Patient Management Software maybe), do they have good data security (can they describe it or have a policy you can see?) and where is it stored or backed up? In particular is cloud storage in the EEA or in another country?

When you’ve completed your audit, the next thing is to consider “why” you hold the data – the “purpose of processing”. For the vast majority of practices, this is blindingly obvious – to you at least! You process patient data in order to provide safe and effective dental healthcare, you process staff data for employment law purposes, and you process contractor data to maintain effective financial and performance records. Simples!

A few practices may undertake forms of marketing which go beyond those simple purposes. They may buy in mailing lists to attract new patients, or may offer additional services to existing patients. If you undertake direct marketing in this way, you should look at the advice given by ICO (Google: ’ICO direct marketing’).

One of the relatively few (for dental practices anyway) major changes that the General Data Protection Regulations (GDPR) will introduce is that ‘data subjects’ (i.e. living individuals) whose data you will hold, store, process and ultimately delete, must be given prior notice about the data you hold, the reason/s you hold it, who you disclose it to and what their rights under the new Data Protection regime will be. This is called a Privacy Notice.

If that sounds like a complicated document, it is! At least in the sense that it needs to be drawn up carefully. It must not read like a complicated document, since you must, by law, be transparent and clear in your communication.

The ICO helpfully suggests that you do not need to spell out the full details of your Privacy Notice when patients (or staff, or contractors) first engage with you, but you must signpost it to them so that they can easily find it. That’s easy on a website (“click here for further details”), but perhaps a little more difficult when patients telephone or present in person.

You could, for instance have a short Privacy Notice at reception, or on a practice information leaflet, and either display a full version on the premises or laminate one that is available for patients to read. However you do it, a Privacy Notice is a must!

Again, you can read about Privacy Notices on the ICO website, and/or you can sign up (for free) to www.dpnetwork.org.uk which is an open access website for small businesses and charities. They have good legal opinions backing them.

Now let’s have a closer look at “consent”. Don’t confuse this with the professional and dento-legal term: in this case, it is defined as one of six ways in which you can lawfully process personal data. I have seen it rumoured that you will need to have explicit, clear and unambiguous consent from every patient/employee/contractor before you can even access the personal data you already hold! Whilst possible (maybe), that’s a very big ask.

Fortunately, the GDPR allows other ways for organisations to lawfully process data. One of these is the “legitimate interest” test. Essentially, this means that if the data subject would reasonably expect you to collect, hold, etc., their data for, effectively, self-evident purposes, and you only collect and process data for such essential purposes, and you are not contravening or infringing their rights to privacy in the process, then that’s OK.

Well, it’s sort of OK!! It is recommended that in order to validate your choice of “legitimate interest” as a lawful basis for processing, you should carry out a Legitimate Interest Assessment (LIA). This would set out firstly, what those essential interests are; secondly,  identify the necessity for processing the data; thirdly, to balance the needs of the organisation against the rights of the data subject; and finally, what actions will be taken to ensure that processing is not excessive or invasive. 

Again, the ICO and DPNetwork have excellent advice on how to carry out an LIA and it’s strongly recommended that you do this before relying on this basis. But it does avoid the need for a blanket consent exercise.

All that having been said, it remains true under the new legislation that health-related data about an individual is regarded as more sensitive (“special” in GDPR-speak). Thus article 9 of the GDPR states that processing health-related data (and other categories, similar to the existing UK Data Protection law) is prohibited, unless one of a number of exceptions apply. One of these is ‘…medical diagnosis, the provision of health or social care or treatment …pursuant to contract with a health professional’. So again, that seems OK, but… the EU Working Party looking at consent still hasn’t produced its final guidance and in its final draft it gives an example which suggests that explicit consent is required, for instance, when transferring a patient’s health data to a referral practitioner or specialist.

So for caution’s sake, when getting updated medical histories, having patients sign treatment plans, or submitting treatment claims, it is probably advisable to get patients to clearly indicate that they consent to the use of data as in your Privacy Notice (which should be available to them to read if they wish). And refreshing that consent (e.g. at medical history updates) is a good idea too. The use of pre-ticked boxes, inaction or silence on the part of a data subject can no longer be relied on, either.

It’s anticipated that generic templates will be available for Privacy Notices, LIAs and other key components of the new Data Protection legislation in the coming months, but it’s a good idea to have some drafts in your mind now to stay ahead of the game.

In the third and final part of this GDPR blog, we’ll look at Data Security, dealing with Subject Access Requests and complaints, and an update on how the new Data Protection Act is going through Parliament.

PS: Annual Registration Fees with the ICO

Parliament hasn’t yet approved a new fee-scale for registering with the Information Commissioner after the new Data Protection Act becomes law in May 2018. But the ICO’s draft guidance to the Government has suggested a three-tier approach. Very small, or new dental practices which process fewer than 10,000 personal records will be Tier One with a fee “up to £55”; but those with larger patient bases will fall into Tier Two: “up to £80”. It’s likely that existing annual notifications will be valid until their expiry date. Watch this space!

Part 1 of this blog https://www.gdpuk.com/blogs/entry/2123-gdpr-the-new-millennium-bug

Part 3 of this blog https://www.gdpuk.com/blogs/entry/2125-gdpr-and-data-protection-part-three

Errata - Postscript by Roger Matthews

A quick note before you read through my blogs on GDPR (or if you’re reading them again). The complexities of this new legislation (and the amendments taking place at the eleventh hour in Parliament) mean that my commentary has been “on the hoof” so to speak and based on available knowledge at the time of writing (starting last December). So there are a few points I now need to clarify and correct.

In Part 1 ‘GDPR - The New Millennium Bug?’ I mention specific consent from patients for processing data. It’s now clear that this is a bad basis to use since patients can withdraw consent. I correct it in Blogs 2 and 3. Oh, and the new law will be the Data Protection Act 2018 (not 2017).

In Part 2 'GDPR - Privacy Notices and Consent' I refer to patient consent possibly being needed for referrals. This arose from some EU commentaries on GDPR (The Section 29 Working Party if you must know) whose advice was rather vague.  I now think that this is unnecessary by virtue of exemptions in the Act. I also got the new ICO fees wrong – but those were the ones she was suggesting to the Government at the time… plus ça change…

Finally in Part 3 'GDPR and Data Protection', written as recently as March, we have again been overtaken by events. It seems the ICO will ‘assume’ everyone is in Tier 3 for fees, so unless you want (or need) to pay £2,900 a year, make sure you correct her when your renewal notice comes around (on the anniversary of your current notification fee). The Report stage of the Data Protection Bill happened on Wednesday 9th May when there was a whopping 138 amendments to be considered. One of those of particular note was an amendment to exempt primary care providers with NHS contracts from appointing a Data Protection Officer. Sadly for NHS providers, the Government rejected this amendment.  

The Bill now returns to the House of Lords for the final stages.

Roger Matthews

GDPUK Thanks SimplyHealth Professionals and Roger Matthews for their permission to reproduce these three blog articles.

Roger Matthews looks at the significance to you of the EU’s forthcoming General Data Protection Regulations.

If it hasn't already happened to you, it will! Over the next few months you'll be approached with numerous offers to guide you (for a fee) through the 'demanding processes' of compliance with the EU's General Data Protection Regulations (GDPR).

"Aargh," you may say, as you read the doom-sayers' predictions of harsh fines and imprisonment (or both), here comes yet more compliance pressure on my overworked dental team!

However, you should be reassured by the Information Commissioner's statement that anyone (or any organisation that complies with the existing Data Protection law, is already well on the way to achieving compliance with the new requirements.

New Data Protection Act from 25th May

GDPR was issued by the EU in May 2016, giving all member states two years to comply. It's provisions will apply in the UK from 25th May this year. However, each country has some freedom to amend a few details and the UK Government has also decided to 'tidy up' and 'tighten up' on the existing law, the Data Protection Act 1998.

so, on 25th May there will be a new Data Protection Act 2018. This will encompass the GDPR requirements and the draft legislation is currently lumbering through Parliament. The

House of Lords has been debating it since October and it probably won't get the Royal Assent until sometime around Easter.

While we don't absolutely know what the final version will look like, we do know most of it, given that much of the discussion will not really be relevant to dentistry in particular, or primary healthcare in general.

12 step guide

The Information Commissioner's Officer (ICO) has already issued a '12 step guide' to the GDPR which is a useful start to check your current status. As a responsible practice you'll already be registered ('notified') with the ICO (don't be fooled by the earlier news that GDPR will abolish notification or annual fees!) Plus, you'll have a Data Protection Policy and an Information Security Policy (Information Governance compliance too, if you're an NHS contract-holder).

It is worth checking some things at this early stage, however. Do you obtain 'specific and explicit' consent from your patients to store their data? Do you have a privacy notice that tells patients (and prospective patients, for instance on your practice website) exactly what data you hold and who you share it with?

Data flows

It may seem simply - you keep their personal details and health records and because you know all about professional confidentiality, you

keep it all to yourselves. But what about your IT system? Is it backed-up in-house? Is it held in ‘the Cloud’? And if so, where exactly? Do you send patient information to any third

parties, such as insurance companies or Simplyhealth Professionals, for instance? You can be certain that Simplyhealth has rigorous security, but do others? Do you? Is any data taken home or stored on USB sticks or personal computers? It’s worth thinking it through and conducting an audit to look at all the data inflows and outflows.

When you know exactly where all your patient and staff data comes from and where it goes, you can rest assured that you’ll have ticked off one important stage in preparing for the 25th May deadline.

Read Part 2 of this blog

Read Part 3 of this blog

Errata - Postscript by Roger Matthews

A quick note before you read through my blogs on GDPR (or if you’re reading them again). The complexities of this new legislation (and the amendments taking place at the eleventh hour in Parliament) mean that my commentary has been “on the hoof” so to speak and based on available knowledge at the time of writing (starting last December). So there are a few points I now need to clarify and correct.

In Part 1 ‘GDPR - The New Millennium Bug?’ I mention specific consent from patients for processing data. It’s now clear that this is a bad basis to use since patients can withdraw consent. I correct it in Blogs 2 and 3. Oh, and the new law will be the Data Protection Act 2018 (not 2017).

In Part 2 'GDPR - Privacy Notices and Consent' I refer to patient consent possibly being needed for referrals. This arose from some EU commentaries on GDPR (The Section 29 Working Party if you must know) whose advice was rather vague. I now think that this is unnecessary by virtue of exemptions in the Act. I also got the new ICO fees wrong – but those were the ones she was suggesting to the Government at the time… plus ça change…

Finally in Part 3 'GDPR and Data Protection', written as recently as March, we have again been overtaken by events. It seems the ICO will ‘assume’ everyone is in Tier 3 for fees, so unless you want (or need) to pay £2,900 a year, make sure you correct her when your renewal notice comes around (on the anniversary of your current notification fee). The Report stage of the Data Protection Bill happened on Wednesday 9th May when there was a whopping 138 amendments to be considered. One of those of particular note was an amendment to exempt primary care providers with NHS contracts from appointing a Data Protection Officer. Sadly for NHS providers, the Government rejected this amendment.

The Bill now returns to the House of Lords for the final stages.

Roger Matthews

GDPUK Thanks SimplyHealth Professionals and Roger Matthews for their permission to reproduce these three blog articles.