Roger Matthews further examines the EU’s forthcoming General Data Protection Regulations and its potential impact on dental practices. Have you drawn up your privacy notice yet? Are you up to speed on how you can lawfully process the data you hold on patients?
Hopefully you’re reading this after digesting the first part of this GDPR blog. If so, then even more hopefully, you will by now have done a “data audit” as recommended by the Information Commissioner’s Office (ICO).
You haven’t? Then you should: it won’t take too long. Work out all the personal data you hold: on patients, staff and contractors (Associates etc.), where do you get it from? And with whom do you share it? If you export data to a third party (a laboratory, patient referrals or cloud storage for your Patient Management Software maybe), do they have good data security (can they describe it or have a policy you can see?) and where is it stored or backed up? In particular is cloud storage in the EEA or in another country?
When you’ve completed your audit, the next thing is to consider “why” you hold the data – the “purpose of processing”. For the vast majority of practices, this is blindingly obvious – to you at least! You process patient data in order to provide safe and effective dental healthcare, you process staff data for employment law purposes, and you process contractor data to maintain effective financial and performance records. Simples!
A few practices may undertake forms of marketing which go beyond those simple purposes. They may buy in mailing lists to attract new patients, or may offer additional services to existing patients. If you undertake direct marketing in this way, you should look at the advice given by ICO (Google: ’ICO direct marketing’).
One of the relatively few (for dental practices anyway) major changes that the General Data Protection Regulations (GDPR) will introduce is that ‘data subjects’ (i.e. living individuals) whose data you will hold, store, process and ultimately delete, must be given prior notice about the data you hold, the reason/s you hold it, who you disclose it to and what their rights under the new Data Protection regime will be. This is called a Privacy Notice.
If that sounds like a complicated document, it is! At least in the sense that it needs to be drawn up carefully. It must not read like a complicated document, since you must, by law, be transparent and clear in your communication.
The ICO helpfully suggests that you do not need to spell out the full details of your Privacy Notice when patients (or staff, or contractors) first engage with you, but you must signpost it to them so that they can easily find it. That’s easy on a website (“click here for further details”), but perhaps a little more difficult when patients telephone or present in person.
You could, for instance have a short Privacy Notice at reception, or on a practice information leaflet, and either display a full version on the premises or laminate one that is available for patients to read. However you do it, a Privacy Notice is a must!
Again, you can read about Privacy Notices on the ICO website, and/or you can sign up (for free) to www.dpnetwork.org.uk which is an open access website for small businesses and charities. They have good legal opinions backing them.
Now let’s have a closer look at “consent”. Don’t confuse this with the professional and dento-legal term: in this case, it is defined as one of six ways in which you can lawfully process personal data. I have seen it rumoured that you will need to have explicit, clear and unambiguous consent from every patient/employee/contractor before you can even access the personal data you already hold! Whilst possible (maybe), that’s a very big ask.
Fortunately, the GDPR allows other ways for organisations to lawfully process data. One of these is the “legitimate interest” test. Essentially, this means that if the data subject would reasonably expect you to collect, hold, etc., their data for, effectively, self-evident purposes, and you only collect and process data for such essential purposes, and you are not contravening or infringing their rights to privacy in the process, then that’s OK.
Well, it’s sort of OK!! It is recommended that in order to validate your choice of “legitimate interest” as a lawful basis for processing, you should carry out a Legitimate Interest Assessment (LIA). This would set out firstly, what those essential interests are; secondly, identify the necessity for processing the data; thirdly, to balance the needs of the organisation against the rights of the data subject; and finally, what actions will be taken to ensure that processing is not excessive or invasive.
Again, the ICO and DPNetwork have excellent advice on how to carry out an LIA and it’s strongly recommended that you do this before relying on this basis. But it does avoid the need for a blanket consent exercise.
All that having been said, it remains true under the new legislation that health-related data about an individual is regarded as more sensitive (“special” in GDPR-speak). Thus article 9 of the GDPR states that processing health-related data (and other categories, similar to the existing UK Data Protection law) is prohibited, unless one of a number of exceptions apply. One of these is ‘…medical diagnosis, the provision of health or social care or treatment …pursuant to contract with a health professional’. So again, that seems OK, but… the EU Working Party looking at consent still hasn’t produced its final guidance and in its final draft it gives an example which suggests that explicit consent is required, for instance, when transferring a patient’s health data to a referral practitioner or specialist.
So for caution’s sake, when getting updated medical histories, having patients sign treatment plans, or submitting treatment claims, it is probably advisable to get patients to clearly indicate that they consent to the use of data as in your Privacy Notice (which should be available to them to read if they wish). And refreshing that consent (e.g. at medical history updates) is a good idea too. The use of pre-ticked boxes, inaction or silence on the part of a data subject can no longer be relied on, either.
It’s anticipated that generic templates will be available for Privacy Notices, LIAs and other key components of the new Data Protection legislation in the coming months, but it’s a good idea to have some drafts in your mind now to stay ahead of the game.
In the third and final part of this GDPR blog, we’ll look at Data Security, dealing with Subject Access Requests and complaints, and an update on how the new Data Protection Act is going through Parliament.
PS: Annual Registration Fees with the ICO
Parliament hasn’t yet approved a new fee-scale for registering with the Information Commissioner after the new Data Protection Act becomes law in May 2018. But the ICO’s draft guidance to the Government has suggested a three-tier approach. Very small, or new dental practices which process fewer than 10,000 personal records will be Tier One with a fee “up to £55”; but those with larger patient bases will fall into Tier Two: “up to £80”. It’s likely that existing annual notifications will be valid until their expiry date. Watch this space!
Part 1 of this blog https://www.gdpuk.com/blogs/entry/2123-gdpr-the-new-millennium-bug
Part 3 of this blog https://www.gdpuk.com/blogs/entry/2125-gdpr-and-data-protection-part-three
Errata - Postscript by Roger Matthews
A quick note before you read through my blogs on GDPR (or if you’re reading them again). The complexities of this new legislation (and the amendments taking place at the eleventh hour in Parliament) mean that my commentary has been “on the hoof” so to speak and based on available knowledge at the time of writing (starting last December). So there are a few points I now need to clarify and correct.
In Part 1 ‘GDPR - The New Millennium Bug?’ I mention specific consent from patients for processing data. It’s now clear that this is a bad basis to use since patients can withdraw consent. I correct it in Blogs 2 and 3. Oh, and the new law will be the Data Protection Act 2018 (not 2017).
In Part 2 'GDPR - Privacy Notices and Consent' I refer to patient consent possibly being needed for referrals. This arose from some EU commentaries on GDPR (The Section 29 Working Party if you must know) whose advice was rather vague. I now think that this is unnecessary by virtue of exemptions in the Act. I also got the new ICO fees wrong – but those were the ones she was suggesting to the Government at the time… plus ça change…
Finally in Part 3 'GDPR and Data Protection', written as recently as March, we have again been overtaken by events. It seems the ICO will ‘assume’ everyone is in Tier 3 for fees, so unless you want (or need) to pay £2,900 a year, make sure you correct her when your renewal notice comes around (on the anniversary of your current notification fee). The Report stage of the Data Protection Bill happened on Wednesday 9th May when there was a whopping 138 amendments to be considered. One of those of particular note was an amendment to exempt primary care providers with NHS contracts from appointing a Data Protection Officer. Sadly for NHS providers, the Government rejected this amendment.
The Bill now returns to the House of Lords for the final stages.
GDPUK Thanks SimplyHealth Professionals and Roger Matthews for their permission to reproduce these three blog articles.