Who “Owns” Patient Consent for Marketing? The Dental Practice or the Associate?
The GDPR and Data Protection Act 2018 have created a new level of protection for patients regarding their personal data and the way that dental practices store and process personal data. However, in this increasingly competitive environment the ability to show case a dentist’s skills is becoming more and more important. Is it possible to balance the patient’s right to privacy against the dentist’s need to promote their services?
The answer is yes, and the key to achieving this is excellent communication.
If a dental practice wants to post pictures of a satisfied patient on their web page, they are only able to do this if they obtain the consent of the patient. But what happens if the self-employed associate wants to use the same images to promote their skills on their own web or social media page? Can the practice object to these images being used?
This will depend on two things; a) what does the consent say about the extent to which the images can be used? And, b) is there any contractual agreement between the associate dentist and the practice that prohibits the associate from using images taken of patients of the practice, during contracted clinical hours.
Practices cannot rely on “owning” the consent obtained from the patient to use the image. If practices want to restrict the way that associates can market their clinical skills away from the practice, then this should be done by drafting carefully considered restrictive covenants within the associate contract.
In the absence of any such agreement, the key to who can use the images lies in the content and extent of the consent obtained from the patient, not who took it.
In order to use an image of a patient, highlighting their dental treatment for marketing purposes the practice will need to obtain the consent of the patient; GDPR Article 6(1)(a). We talk a lot about the “Legitimate Interests” of the practice to market to their patients under Article 6(1)(f), however, it is not a legitimate interest of the practice to use an image of a patient for the purposes of marketing. Therefore, consent at this stage is essential.
However, once that image has been made public, what rules then apply?
Article 9(2)(e), dealing with the processing of special, or sensitive, data is permitted where the data subject has “manifestly made public” the data. Arguably, once a patient has consented to their image being used on a practices’ website, an associate could then seek to rely upon legitimate interest (i.e. to promote their practice) and the fact that the image has been made public by the patient as their lawful basis for processing the image on their own Facebook page.
Of course, whilst you may have a legal defence if a complaint is made to the Information Commissioner’s Office about the use of the image, the poor PR is almost certainly not worth the risk.
Therefore, when a patient’s consent is sought, seek it for all layers of the intended use. If the practice has the image, best practice would be for the associate dentist to seek the consent of the patient to be used across other mediums or platforms.
If you want to discuss the content of this dental bulletin, email Julia Furley on firstname.lastname@example.org.
Click here to read Henriette Kaerger’s, Paralegal at JFH Law, guide on how to obtain GDPR compliant consent.