Any organisation in Europe that processes data from which individuals can be identified is subject to the GDPR principles, and dental practices of course fall into this category.
Most practices are in a good position to deal with the requirements of GDPR, as dentistry is already a highly regulated profession.
But when was the last time you reviewed your data storage, protection, privacy policies and staff training on the subject? Getting caught out by the regulator can prove costly.
Data protection lawyer and healthcare specialist Holly Dobson from Wake Smith Solicitors looks at how dental practices should keep their records in check or face hefty fines.
Holly said: “Failure to do this in the healthcare sector was highlighted recently when a London pharmacy was fined £275,000 by the regulator for a data protection breach.
“The Information Commissioner’s Office imposed penalty and enforcement notices on Edgware-based Doorstep Dispensaree, which supplied medicines to customers and care homes.
“The business was found to have left approximately 500,000 documents in unlocked containers at the back of its premises. Some were wet, suggesting they had been stored in this way for some time.
“The documents included data about customers such as names, addresses, dates of birth, NHS numbers, medical information and prescriptions. Information concerning a person’s health is ‘special category personal data’, as are dental records, and is given extra protection. There are more stringent requirements on its processing.
“Doorstep now has to take the steps required within three months of the date of the notice. As well as the substantial administrative fine, the required steps include updating all of its data handling policies and operating procedures to comply with GDPR, providing data protection training to its staff, updating its privacy policy and providing evidence to the regulator that such steps have been taken.”
A reminder about GDPR
GDPR is the General Data Protection Regulation, a set of rights and obligations around data protection that gives individuals more rights to control the data held about them, and data controllers more responsibilities to manage that data responsibly. The Regulation was published in May 2016 and came into force on 25 May 2018.
The key points of the GDPR framework are:
- Personal data must be processed fairly and lawfully, kept securely, and stored for no longer than necessary
- This data must be collected and processed for a specific, legitimate purpose, and the data must be relevant to that purpose
- The data must be accurate and kept up to date, and individuals have the right, in certain circumstances, for their data to be erased.
Does GDPR mean I can send marketing to my own patients? Are recalls covered by GDPR?
It is likely that recalls would be considered a legitimate use of a patient’s data, and therefore you will not need to obtain explicit consent for this. However, this depends on the circumstances and we would advise taking legal advice to confirm this.
If you want to send marketing information to patients by email, you will need to consider another set of regulations (the Privacy and Electronic Communications Regulations, PECR) as well as GDPR. The law relating to any kind of electronic marketing is detailed, but, essentially, you need informed, explicit consent that is not out of date and that is opt-in rather than opt-out. It should also be easy for patients to change their marketing preferences and opt out at any time.
For marketing by post only, you need consider only GDPR, and it is possible to market similar services without demonstrating express consent in quite the same way. However, you should check your specific plans carefully with your legal advisors in this case. In practice, most organisations decide that they wish to keep specific marketing databases and to use email, so they obtain consent and keep records of it.
Part of the national NHS response to GDPR was to introduce the ‘National Data Opt-Out’. This gives patients more control over their identifiable health data.
What happens if I have purchased a practice and obtained patient records with it? Can I use them to inform them of a change in ownership of the practice?
GDPR prohibits the processing of special category data unless an exception to this prohibition (referred to as the conditions for processing special category data) applies. Special category personal data includes “Data concerning health” which means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. This includes patient data, such as information about the provision of healthcare services which reveal information about the data subject’s health.
These special data conditions catch the transfer and disclosure of patient special category data by the seller to the buyer.
Part of the buyer’s due diligence should be to ensure that a condition applies to legitimise the disclosure and transfer of special category data as part of the transaction. If the seller of the practice has had GDPR advice, they will already have notified patients (probably in the privacy notice/data information notice to patients) that certain data may be disclosed in the course of a proposed sale, but the buyer and seller should still satisfy themselves that they have the explicit consent of each patient to process their special category data, or the benefit of another of the conditions for processing special category data.
In any event, the new owner is likely to want to refresh the privacy notices and patient consents, as consents obtained before GDPR are in many cases unlikely to meet its far more stringent standard of consent.
Complying with the fairness, transparency and provision of information requirements is important but processing special category data without having obtained explicit consent, or having the benefit of another of the conditions for processing special category data, will be a serious breach of the GDPR.
To summarise, have you got up to date:
Data protection policies tailored to your practice rather than standard templates?
Privacy notices?
Any automated decision-making processes?
Fully trained staff on data protection issues?
Consent from each patient to process personal data for marketing purposes?
For further information on data protection contact our Healthcare team at [email protected]