Data protection and your dental practice

Holly Dobson, 02 March 2020

Any company in Europe that stores data and can personally identify individuals is subject to the GDPR principles – and of course dental practices fall into this category.

Most practices are in a good position to deal with the requirements of GDPR as dentistry is already a highly-regulated profession.

But when was the last time you reviewed your data storage, protection, privacy policies and staff training on the subject? Getting caught out by the regulator can prove costly.

Data protection lawyer and healthcare specialist Holly Dobson from Wake Smith Solicitors looks at how dental practices should keep their records in check or face hefty fines.

Holly said: “Failure to do this in the healthcare sector was highlighted recently when a London pharmacy was fined £275,000 by the regulator for a data protection breach.

“The Information Commissioner’s Office imposed penalty and enforcement notices on Edgware-based Doorstep Dispensaree which supplied medicines to customers and care homes.

“The business was found to have left approximately 500,000 documents in unlocked containers at the back of its premises. Some were wet, suggesting they had been stored in this way for some time.

“The documents included data about customers such as names, addresses, dates of birth, NHS numbers, medical information and prescriptions. Information concerning a person’s health is ‘special category personal data’, as per dental records, and is given extra protection. There are more stringent requirements on its processing.

“Doorstep now has to take the steps required within three months of the date of the notice. As well as the substantial administrative fine, the required steps include updating all of its data handling policies and operating procedures to comply with GDPR, providing data protection training to its staff, updating its privacy policy and providing evidence to the regulator that such steps have been taken.”

A reminder about GDPR

GDPR is the General Data Protection Regulation, a set of rights and obligations around data protection that gives individuals more rights to control the data that is held about them, and gives data controllers more responsibilities to manage data in a responsible way. The GDPR was published in May 2016 and came into force on 25 May 2018.

The key points of the GDPR framework are:

  • Personal data must be processed fairly and lawfully, kept securely, and stored for no longer than necessary
  • This data must be collected and processed for a specific, legitimate purpose, and the data must be relevant to that purpose
  • The data must be accurate and kept up to date, and individuals have the right to have their data erased.

Does GDPR mean I can send marketing to my own patients? Are recalls covered by GDPR?

It is likely that recalls would be considered a legitimate use of a patient’s data, and therefore you will not need to obtain explicit consent for this. However, this depends on the circumstances and we would advise taking legal advice to confirm this.

If you want to send marketing information to patients by email, you will need to consider another set of regulations (the Privacy and Electronic Communications Regulations, PECR) as well as GDPR. The law relating to any kind of electronic marketing is detailed but, essentially, you need informed, explicit consent that is not out of date and that is opt-in rather than opt-out. It should also be easy to change marketing preferences and opt out at any time.

For marketing by post only, you need only consider GDPR, and it is possible to market similar services without demonstrating express consent in quite the same way. However, you should check your specific plans carefully with your legal advisors in this case. In practice, most organisations decide that they wish to keep specific marketing databases and to use email, so they obtain consent and keep records of this.

Part of the national NHS response to GDPR was to introduce the ‘National Data Opt-Out’. This gives patients more control over their identifiable health data.

What happens if I have purchased a practice and obtained patient records with it? Can I use them to inform them of a change in ownership of the practice?

GDPR prohibits the processing of special category data unless an exception to this prohibition (referred to as the conditions for processing special category data) applies. Special category personal data includes “Data concerning health” which means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. This includes patient data, such as information about the provision of healthcare services which reveal information about the data subject’s health.

These special data conditions catch the transfer and disclosure of patient special category data by the seller to the buyer.

Part of the buyer’s due diligence should be to ensure that a condition applies to legitimise the disclosure and transfer of special category data as part of the transaction. If the seller of the Practice has had GDPR advice they will already have notified patients (probably in the privacy notice/data information notice to patients) that certain data may be disclosed in the course of a proposed sale, but the buyer and seller should be looking into ensuring that they have the explicit consent of each patient to process their special category data.

In any event the new owner is likely to want to refresh the privacy notices and informed patient consents as in many cases they are unlikely to meet the far more stringent GDPR standard of consent.

Complying with the fairness, transparency and provision of information requirements is important but processing special category data without having obtained explicit consent, or having the benefit of another of the conditions for processing special category data, will be a serious breach of the GDPR.

To summarise, have you got up to date:

  • Data protection policies tailored to your practice rather than standard templates?
  • Privacy notices?
  • Any automated decision making processes?
  • Fully trained staff on data protection issues?
  • Consent from each patient to protect personal data for marketing purposes?

For further information on data protection contact our Healthcare team at [email protected] 
