
Pat Langley explains the dangers practices can encounter with GDPR and data protection, and how they can stay safe.
Safe from what? Surely the General Data Protection Regulation (GDPR) and data protection aren’t unsafe, are they?
GDPR and data protection regulations have many requirements we must all comply with, and not complying can mean your practice is unsafe. Breaching these requirements can incur significant penalties, but there are even more risks when it comes to the digital world we all now live in.
This article seeks to explore how best to make your practice as safe as possible in the digital era. We will look at the potential data protection pitfalls and how to avoid them with guidance on implementing safe methods of protecting all data in your practice.
We will also look at how best to protect practices that are using paper-based systems.
Digital dangers
Whilst the digital world brings many benefits and advantages, it is also true to say that it also brings many risks that we need to be aware of and mitigate if we are to make our practices as safe as possible.
The media in recent months has been awash with potentially dangerous data breaches in which the identities and personal details of thousands of people have been leaked, with far-reaching consequences.
Add to that the high-profile hacking of such stalwart institutions as M&S, the Co-op, and Harrods that caused months of chaos and concern, and it adds up to a scary digital world.
It is imperative that we understand the threats and risks and do all we can to mitigate them. It also means having robust regulations to protect us all.
Safety – what should we think about?
- Practice systems
- Financial security
- Practice data
- Personal data (patients and team members)
- Sensitive personal data
- AI – clinical risks
- Fake news
- Social media
- Hackers
- Cyber threats and risks
- Data breaches
- Ransom demands
- Identity theft
- Intellectual property theft.
Protecting personal data
GDPR is entirely focused on protecting personal data, and before we talk about protecting personal data, we need to understand what this is.
Put simply, it is any information about an individual from which that person can be identified.
There are two distinct types of personal data:
- Personal data (eg name, address, phone number)
- Sensitive personal data (eg medical information, ethnic origin)
If someone who is not entitled to see these details can obtain access without permission, it is unauthorised access.
Data processing
The words ‘data processing’ are seen and heard often, so it’s important to understand what the term encompasses.
In the context of GDPR, data processing includes:
- Collecting personal data
- Using it
- Storing it
- Securing it
- Disclosing it
- Deleting or destroying it.
In short, all measures needed to ensure personal data and sensitive personal data is handled safely and is protected.
Personal data
Think about what personal data you hold on your patients and what personal data you hold on your team members. This is all the information you need to ‘process’ safely in line with GDPR.
Personal data inventories
You should maintain two personal data inventories: one for patients and one for team members. In addition to being a requirement under GDPR and the Data Security and Protection Toolkit (DSPT), they are a great reminder of the significant amount of personal data you hold and therefore of all the information that needs to be protected.
You must ensure your personal data inventories are accurate and up to date, and any inaccurate data must be updated or deleted.
Policies and paperwork required to comply with GDPR and data protection
- Data protection policy, including GDPR
- Personal data inventories for patients and team members
- Privacy policy
- Privacy notices for patients and team members
- DSPT registration
- Robust agreements with third parties
- Referral policy.
In addition, you should have consent forms for:
- Sending marketing information
- Sending email/text reminders
- Taking photos
- Referrals
- Sending information to third parties.
Personal data storage
Personal data must be stored securely, and this applies whether you store personal information electronically or in paper format, with each format having risks that must be mitigated.
Paper records risks
- Paper records are stored in an unlocked filing cabinet, with a risk of unauthorised access
- Storage is not fireproof, with a risk that you could lose it all if you have a fire
- Misfiling of records, with a risk that data could be lost
- Data in some records is out-of-date or incorrect, with a risk that you are in breach of GDPR requirements.
Digital records risks
All the digital risks outlined earlier, and in addition:
- Password sharing
- Insecure passwords
- Passwords that are never changed
- Leaving screens unattended
- Screens visible to anyone at the desk.
All of these bring with them the risk of unauthorised access.
Reducing the risks of digital storage
- Do not leave data displayed on a screen – use a screensaver
- Do not leave your computer logged on and unattended
- Change your password frequently
- Don’t choose a password that’s easy to guess
- Don’t give your password to anyone, ever
- Back everything up
- Ensure you have excellent virus protection.
Disclosing personal information
You should not disclose any personal information without the data subject’s consent. If you receive an enquiry about someone’s personal data, eg an appointment time or the purpose of an appointment, verify the enquirer and ensure you have the data subject’s consent to disclose the information.
This can be problematic, though. For example, a couple may have been attending your practice for many years, and one partner asks for information about the other because that partner is suffering from memory loss or dementia. Ideally, you should get consent from the partner in question so that you can share their personal information. This isn’t always possible, so in this situation compassion, common sense and proportionality are key.
Email risks
Email is not secure, so treat it with caution. Always check an email before you send it to ensure you have sent it to the right person at the right address.
Ensure you don’t:
- Send a ‘reply all’ when you don’t mean to
- Forward the email to anyone you don’t mean to send it to
- Copy people who have not given their permission for you to share their personal details with third parties
- Send referrals via email unless your service is encrypted.
Subject access risks
All data subjects (that’s you and me and everyone you know and everyone you don’t know!) have the right to access all personal data held about them in any format.
This means data subjects can request copies of everything you hold, including:
- Their clinical records
- Photographs/videos
- Emails
- Text messages/WhatsApp messages
- All correspondence
- Recorded phone calls
- Anything that counts as personal data.
Clinical records
Make sure:
- They are kept safely and securely
- They can only be accessed by those with authority to access them
- You don’t leave paper records lying around at reception, in surgeries, or where they are at risk of unauthorised access.
And finally, never write anything derogatory or defamatory about anyone under any circumstances whatsoever, because we all have the right to access all our personal data.
Referrals
When referring a patient for treatment, advice, or a second opinion, you must ensure you protect their personal information while it is in transit.
The majority of referral information will be sent and received by post or electronically. Alternatively, it could be hand-delivered by the patient.
The NHS is phasing out paper-based referrals and has a secure system for receiving referrals. Practices that refer to an NHS provider should follow local guidelines from the hospital/facility they are referring to.
Private referrals can usually be made by post, in which case you should use first class post, ideally registered post.
Ensure you have an agreement in place to protect your patient’s data ‘at the other end’ in line with GDPR requirements.
Referrals by email
Email can be hacked even with security in place. Send the referral via an encrypted service – the major software suppliers all have an encryption service. Alternatively, you could send the information anonymously using the patient’s unique identification number or an allocated code for that patient, and advise the receiving clinician of the patient’s identity via a different method.
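As an added illustration of the allocated-code approach (this is not code from the article or from any practice management software), the Python sketch below splits a referral into a pseudonymised payload for email and a separate identity note for another channel, and refuses to produce the payload if an identifier has been copied into the free-text notes. The field names and the sample referral are assumptions.

```python
import secrets
from copy import deepcopy

# Fields treated as direct identifiers (assumed field names, not from the article).
IDENTIFIER_FIELDS = ("name", "date_of_birth", "address", "phone")

# Constructed sample referral; not a real patient.
SAMPLE_REFERRAL = {
    "name": "Jane Doe",
    "date_of_birth": "1970-01-01",
    "phone": "01234 567890",
    "referring_practice": "Example Dental Practice",
    "reason": "Second opinion on UL6 restoration",
    "notes": "Patient reports intermittent pain on biting.",
}


def leaked_identifiers(payload, referral):
    """Return the identifier fields whose values still appear anywhere in the payload.

    This catches identifiers copied into free-text fields such as clinical
    notes, which simply dropping the named fields would miss.
    """
    haystack = repr(payload).lower()
    return [
        field for field in IDENTIFIER_FIELDS
        if field in referral and str(referral[field]).lower() in haystack
    ]


def pseudonymise_referral(referral):
    """Split a referral into (email_payload, identity_note).

    The payload keeps only the clinical content plus a freshly allocated
    random code. The identity note maps that code back to the patient and is
    sent by a different route (phone call, post or a secure portal), so an
    intercepted email on its own does not identify anyone.
    """
    code = "REF-" + secrets.token_hex(4).upper()
    payload = {k: deepcopy(v) for k, v in referral.items() if k not in IDENTIFIER_FIELDS}
    payload["patient_code"] = code
    leaks = leaked_identifiers(payload, referral)
    if leaks:
        # Refuse to produce an emailable payload until the free text is redacted.
        raise ValueError(f"identifiers still present in referral text: {leaks}")
    identity_note = {"patient_code": code}
    identity_note.update({k: referral[k] for k in IDENTIFIER_FIELDS if k in referral})
    return payload, identity_note
```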
If you send identifiable personal data via insecure email (ie without encryption) and your email is hacked, this would need to be reported to the ICO as a data breach.
The Data Security and Protection Toolkit (DSPT)
All dental practices that have access to NHS patient data and systems must complete the DSPT annually. The DSPT advisors are of the view that all private practices should also complete the DSPT annually.
The deadline for completion every year is 30 June.
Cybersecurity threats and risks
These are evolving and becoming more threatening all the time. Ensure you have appropriate protections in place to keep your data and your practice as safe as possible, and make sure you have cyber insurance in place.
Checklist for achieving ongoing GDPR compliance
- Appoint a data protection lead – ideally, this should not be the practice owner
- Provide induction and ongoing training to all team members
- Risk assess your current GDPR and data protection compliance
- If necessary, introduce enhanced data protection measures
- Make a list of things that could cause a data or security breach in your practice and put measures in place to reduce the risks
- Have robust contracts with practice management software suppliers and all other external data processors, such as laboratories, that ensure they comply with UK GDPR.
Follow Dentistry.co.uk on Instagram to keep up with all the latest dental news and trends.