I think it is fair to say that everyone I have recently spoken to is a bit overwhelmed by the new regulations for data protection that are being implemented from the 25th May 2018. It’s not surprising that people are finding it daunting – this legislation is the largest overhaul in data protection rules in twenty years. It’s essential that each business complies fully with the new regulations, otherwise it is at risk of receiving a fine.
This article will explain the basic idea of the new framework to help every dental professional understand what the regulations are all about and how this will affect them in the workplace.
Firstly, what does ‘GDPR’ stand for, and what is it?
‘GDPR’ stands for General Data Protection Regulation. The purpose of the legislation is to update and modernise how businesses and public-sector organisations handle information relating to their patients, staff members and third-party companies. This new framework gives the individual greater protection and rights in relation to how their personal information is handled.
Communication has dramatically changed over the last two decades, with people using online referrals, e-mailing, social media and texting as ways of communicating with others. The way that we back up our information (using the cloud and/or back-up discs) has also changed. New legislation is therefore needed to make sure everyone’s personal information is safe and secure. Even though the law is in the form of an EU Regulation, it will remain law in the UK after Brexit, so it’s essential that businesses comply. Your practice will be implementing new policies and procedures and updating old ones to meet GDPR requirements, and staff training will be essential.
What changes should we expect to see?
Every dental health professional knows that data protection and confidentiality are key aspects of our daily duties, and ensuring them comes as second nature to many of us. We therefore just need to update some of our current policies and procedures to ensure that these new guidelines are being met. The ICO (Information Commissioner’s Office) has released a document detailing the twelve steps to take. These are:
1. Awareness: Everyone within your practice should be aware of what is going on and the impact it is likely to have.
2. Information you hold: Dental practices hold a huge amount of personal information, ranging from patient records to staff personal development folders. It’s therefore important that an audit is carried out to ensure that this information is safe and secure at all times. In addition, if patient information is shared with third parties, for example with other health professionals through referrals or with laboratories, it’s essential that your practice both knows that the third party is also following the new regulations and guidelines, and has gained each patient’s consent to share information in this way.
3. Communicating privacy information: This means that your practice needs to review its privacy notices and must explain to patients why you need their personal data. For instance, the practice needs patients’ medical histories to ensure that it is providing them with safe, correct treatment and care and that it has essential information in case of an emergency. The ICO has created a code of practice for privacy notices, so your practice can use this to make sure it is meeting all requirements.
4. Individuals’ rights: Patients have the right to access their personal information, and you can no longer charge them for access to their personal records. As we are in a medical profession, we are unable to delete patient records, as we need to cover ourselves if the patient ever takes legal action against the practice. All practices therefore need to have a policy in place on how they are going to handle this matter.
5. Subject access requests: How these are handled may differ from practice to practice, so it’s important that your practice has a new or updated policy which reflects individual rights.
6. Lawful basis for processing personal data: Practices must identify the lawful basis for their processing activity, document it, and update their privacy notices to explain it. This will ensure that everyone knows their rights to their personal information and how we process it.
7. Consent: We already gain consent on a daily basis through things like treatment plans, so making sure that these are signed and gaining consent in every appointment is essential. This is already part of our GDC standards, so should be being completed to a high standard, but practices should review their relevant policies to ensure they comply with GDPR too.
8. Children: It’s important to safeguard children’s information. The current law states that a child can give their own consent once aged sixteen. However, this might change at a later date to thirteen, so you need to keep up to date on these regulations. It is important for practices to consider issues surrounding verification of individuals’ ages and parental/guardian consent for data processing.
9. Data breaches: Your practice should ensure it has new/updated policies to detect, report and investigate any personal data breaches if they occur.
10. Data Protection by Design and Data Protection Impact Assessments: It is important that your practice is familiar with the ICO’s code of practice in this area and the latest guidance, and finds out how to implement these.
11. Data Protection Officers: Each practice should have a Data Protection Officer who is responsible for data protection compliance, so if there are any concerns or complaints then there is someone that can deal with this problem effectively.
12. International: Generally, this aspect of the GDPR will not apply to dental practices. However, if it does affect your practice, your practice manager will ensure that there is a policy in place to implement any changes.
It’s essential that if you are ever unsure about how to implement the new regulations, you go to your practice manager and ask for additional support and training. Many businesses will have already started implementing the required changes, but it could be a bit overwhelming if your practice is implementing a lot of changes in a short period of time.
I have attached the ICO document in full so you can read the whole document if you wish. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
I hope you found this information helpful.
Emma Leather RDN, PTLLS, IQA, TAQA