Tougher data protection laws will strengthen the rights of patients as data subjects. Leo Briggs answers some common questions on how the GDPR is likely to affect your practice.
The run-up to the change in data protection procedures created a certain amount of concern and confusion among dental professionals. However, the good news is that the General Data Protection Regulation (GDPR), which took effect on 25 May, and the Data Protection Act 2018 represent evolution rather than revolution in data protection law.
The Information Commissioner has acknowledged that there may still be some work to do in ensuring GDPR readiness. However, it is important to be aware of some key changes, to identify what still needs to be done and to have a plan in place to address any outstanding issues in your practice. The DDU recommends you ask yourself the following questions.
- The identity and contact details of the data controller, and the data protection officer where relevant
- The purpose of the processing and the legal basis for it
- Any recipient of data or categories of recipients
- The existence of the data subject rights
- The right to withdraw consent at any time
- The right to lodge a complaint with the Information Commissioner’s Office (ICO)
- Retention periods
- The existence of automated decision-making, including profiling and information about how decisions are made, their significance and consequences
- Details of transfers to countries outside the EU and safeguards.
The ICO has further information on its website.
Do we need a data protection officer?
All practices providing NHS treatment are considered public authorities and are required to appoint or arrange to share a DPO who can monitor compliance, advise on legal obligations and be a contact point on data protection matters.
If you are a wholly private practice, you still need a DPO if ‘your core activities consist of processing on a large scale of special category data’ (which includes healthcare information). The ICO does not define large scale processing but says that relevant factors can include numbers of data subjects, the volume of personal data being processed and the duration or permanence of the activity. An EU working group has said processing data by a single clinician isn’t classed as large scale but processing by a hospital, for example, is.
DPOs must have proven expert knowledge of data protection law and practice. It is recognised they will not fully understand all the ramifications of the new legal requirements and they will need to keep up to date with any changes and clarifications and understand the impact of these changes.
Further information about DPOs can be found on the ICO website, including a useful questionnaire about whether you need a DPO.
On what basis can we process personal data?
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. You must identify a valid lawful basis for processing (Article 6) and inform the subject of the basis or bases you are relying on.
Health data is considered to be special category data and therefore you will also need an additional condition for processing (Article 9).
Consent is one lawful basis for processing; however, it may not be the most appropriate basis for health care records, and it may be better to rely on a different one.
Do we need to change our procedures for subject access requests?
People may request access to their own records and the criteria for subject access requests under GDPR will be the same as now; however, there are some changes to the procedure including:
- The subject access request does not have to be in writing
- Data subjects cannot be charged for copies of records unless the request is ‘manifestly unfounded, excessive or repetitive’ when you can charge a reasonable fee. There is currently no agreed definition of what constitutes a manifestly unfounded or excessive request, or what a reasonable fee is
- You need to provide the information within one month
- You will need to get consent where records relate to children aged 13 years or older, as well as children younger than 13 with capacity
- Requests that are unfounded or excessive can be refused but this should be explained and the subject told of their right to complain to the ICO and to seek judicial remedy
- Access requests must be documented, including details of any delay in providing the information and when requests have been refused.
Ensure these changes are reflected in your procedure and that these are communicated to the team. As is the case now, you should redact any third-party information from records or anything that you believe may cause serious harm to the patient.
What action should we take if there is a data breach?
A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data.
If a breach is likely to result in a risk to the rights and freedoms of individuals it must be reported to the ICO no later than 72 hours after you become aware of it. In practice, it is likely that a security breach of a patient’s personal data would have to be reported to the ICO.
You should also inform the data subject if a breach is likely to result in a high risk to their rights and freedoms, e.g. an accidental disclosure of patient records.
There are still some uncertainties about aspects of the GDPR, so it is worth regularly reviewing the ICO website and getting advice from the DDU or your own dental defence organisation if you are unsure.