Simplyhealth Professionals has produced a range of templates and draft policies to support its practices in preparation for meeting the enhanced data protection requirements, coming into force on Friday 25 May 2018. The company has also been providing detailed information and guidance on the implication for practices of the new data regulations with a three part blog written by Roger Matthews, Honorary Life President and former Chief Dental Officer (https://www.denplan.co.uk/dentists/blog).
Between now and Friday 25 May, the recommendations are that practices will need to:
– Complete their data audit (as recommended by The Information Commissioner’s Office, www.ico.org.uk/gdpr)
– Check where back-ups are stored (ask your software provider/s)
– Consider how to present Privacy Notices to patients
– Consider revising their Data Protection and Information Security policies
– Carry out and document a Legitimate Interest Assessment (in simple terms, how you lawfully process personal data)
– Draw up a Data Breach policy and procedure (if not already done)
– Appoint a Data Protection Officer
As the new law is still a Parliamentary ‘work in progress’ and subject to some further amendments, Simplyhealth Professionals intends to keep members fully updated on any further developments.
Henry Clover, Chief Dental Officer at Simplyhealth Professionals, said: “We shouldn’t forget that confidentiality, consent and security of sensitive information – to name but three factors – have already been an integral part of dental practices for a long time. This is the embodiment of data protection in our professional lives, so much of this is not actually new.
“However, there is still some preparation required by practices and they will need to become familiar with some different language. Similar to the support we provided with regards to CQC inspections, we have again attempted to simplify the complex and make generic data protection requirements relevant to dental practices.”
About Simplyhealth Professionals:
In February 2017, Denplan rebranded as Simplyhealth Professionals.
Simplyhealth Professionals is the UK’s leading dental payment plan specialist with more than 6,500 member dentists nationwide caring for approximately 1.7 million patients registered to a Denplan product.
Simplyhealth Professionals provides the following range of leading Denplan dental payment plans under the Denplan name:
– Denplan Care: all routine and restorative care + worldwide dental injury and dental emergency cover
– Denplan Essentials: routine care only + worldwide dental injury and dental emergency cover
– Denplan for Children: routine and other agreed care + worldwide dental injury and dental emergency cover
– Denplan Membership: registered with the dentist + worldwide dental injury and dental emergency cover
– Denplan Hygiene: a dental payment plan without dental insurance for all types of practice (NHS, mixed and private) to support patients in committing to a consistent hygiene programme
– Denplan Emergency Insurance: worldwide dental injury and dental emergency cover only
Simplyhealth Professionals also provides a wide range of professional services for its member dentists and their practice teams, including the Denplan Quality Programme and the Denplan Excel Accreditation Programme, as well as regulatory advice, business and marketing consultancy services and networking opportunities.
Dentist enquiries telephone: 0800 169 9962.
For patient enquiries telephone: 0800 401 402.
For details of all of our products, visit www.denplan.co.uk
The GDPR is a new set of rules which will apply to all organisations that collect or retain personally identifiable data from any European individual. The idea behind it is to standardise data privacy laws and mechanisms across industries, and to ensure that the fundamental rights of individuals are protected in today’s increasingly data-driven digital economy.
6 Things you need to know now
It is extremely important that everyone in your dental practice is made aware of the rules surrounding the new data regulation. Preparing for the GDPR will require changes in the practice’s culture, which you should start to plan in advance of the May 2018 deadline. Keeping everyone informed will ensure that your practice follows the proper procedure, and the GDPR is handled with the utmost care.
Here are 6 steps that will help your practice prepare for the changes today.
Under the new regulation, dental practices will be required to keep a record of how and when the patient gives consent to store and use their personal data. Consent will need to be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. Consent cannot be inferred from silence or inactivity of the user.
Further requests for consent will need to be separate from other terms of engagement. In practical terms this means you will need to clearly explain to your patients what you are intending to do with their personal data.
It must be borne in mind that consent once given can be revoked, and it must be made equally easy to withdraw consent given.
The GDPR also introduces a requirement for parental consent. Where services are offered directly to a child, practices will need parental consent to process the data of under 16s.
To do list:
– Identify the categories of personal data processed within your practice.
– Consider the legal basis applicable to the processing of personal data within your practice, and make sure these grounds will still comply with the GDPR.
– Where consent is relied on, check that it will be: freely given, specific, informed, and unambiguous.
– Consider introducing processes to promptly honour any withdrawals of consent.
– Make sure you keep a record of consents given to demonstrate compliance.
Aside from the need to obtain consent, your practice will be under an obligation to ensure that the processing of data is fair and lawful. Also, appropriate information must be given to your patients as to how their data is to be used. This is normally done in the form of a privacy notice. The GDPR has a mandatory list of the information which must be given to patients where data is obtained directly or indirectly from them. You will be expected to explain to your patients what data relating to them will be collected, how it will be used, the purposes for which it will be used and how their data may be shared.
To do list:
– Get to know your data. Consider what information is being collected, who is collecting it, how and why it is being collected.
– Consider how the information obtained will be used and with whom it will be shared.
– Consider what possible effect the information obtained could have on the patients concerned.
– Consider building a data catalogue (if you haven’t got one in place) and drafting a meaningful privacy notice.
There will be a significant change to records of processing activities. The GDPR does not distinguish between internal and external records anymore. Dental practices will now require only one kind of record: an on-demand internal record. A practice will be required to maintain records of the entire practice’s processing activities internally. Moreover, these will need to be available to supervisory authorities upon request.
To do list:
– Consider introducing a full compliance program for your practice incorporating features such as regular audits, HR policy reviews, and training.
You will be required to appoint a Data Protection Officer (DPO) if the dental practice is:
– A public authority (except for courts acting in their judicial capacity) (Art. 37(1)(a));
– Carrying out systematic monitoring of individuals on a large scale (Art.37(1)(b)); or
– Carrying out processing of special categories of data or data relating to criminal convictions and offences on a large scale (Art.37(1)(c)).
Dentists providing NHS care will be regarded as public authorities. Thus, even a small NHS practice will require a DPO. It is anticipated that the Clinical Commissioning Groups (CCGs) will be providing Data Protection Officers in primary care settings.
If you don’t want to recruit, it will be possible to appoint a single DPO to act for a group of practices, provided that a DPO is easily accessible from each establishment. Alternatively, you can contract the services out.
Organisations to which the requirements do not apply may still choose to appoint a DPO.
To do list:
– Assess whether your practice is obliged to appoint a DPO.
– Consider who will be your DPO.
– Consider whether your practice should appoint an internal or external DPO.
– Compile information on data processing activities within the practice.
– Ensure that the duties of those to whom you have assigned responsibility do not create a conflict of interest with their own role.
The rights of individuals under GDPR are the same as those under the Data Protection Act 1998 with a significant enhancement of the right to data portability. Under the GDPR, patients will have the right to receive the personal data which they have previously provided in a ‘commonly used and machine readable format’, and have the right to transmit that data to another controller. This information will need to be provided free of charge, thus removing the previous £50 subject access fee for dental records. This will apply only to data processed by automatic means, and not to paper files.
To do list:
– Consider whether the technical capabilities of your practice will comply with data portability requests.
– Make your patients aware of their right to data portability. Does your company send out e-bulletins and/or newsletters? Let your subscribers know by including a short paragraph at the end of the article.
Any practice in breach of the GDPR can be fined up to 4% of annual global turnover (not profit) or €20 million – whichever is greater. This fine can be imposed for the most serious infringements, for example for not having sufficient customer consent to process data. The practice can also be fined 2% for not having its records in order, for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. In the case of a breach, practices will be required to report the breach to the relevant authorities within 72 hours. The practice will be obliged to give full details of the breach and offer proposals for mitigating its effects.
You should be preparing for the new requirements that will affect your practice. Considering the above steps in the context of your practice is the very first step you can take in order to prepare for the upcoming legal changes. Do not assume that you will be able to claim innocence through ignorance of the rules – the whole point of the GDPR is to keep your company better protected and able to deal with breaches in security. If preparation is approached in the right way, your practice will be well-prepared in time for the regulation coming into force, and your business will be secured for years to come.
We will be running a workshop on 22nd February aimed at dental practices to help them prepare for the new GDPR requirements.