The Data Protection Act and Dentistry
DENTAL BULLETIN, ISSUE 31
Important Legal Update: on 25th of May 2018 the GDPR (General Data Protection Law) enters into force and it will apply to all organisations that collect or retain personal identifiable data from any European individual.
Do I need to register with the ICO?
The very nature of dentistry requires the practitioner to obtain the personal data of their patients; by obtaining and retaining this information they are deemed information processors. Failure to register is a criminal offence. For information to be personal it must relate to a living person and allow that person to be identified from it.
So who specifically within the practice will need to register?
- Practice Principles – Yes; with overall control and responsibility for patient records at the practice principles do need to register with the ICO.
- Associates – Probably; if you are registered as self-employed, trading as a separate legal entity from the practices you work in, work at a number of practices and are responsible for the control and security of patients’ records you should register with the ICO.
- Hygienists – Maybe; if you are responsible for the control and security of patient records, if you have your own patient list separate from the practice, if you treat the same patient at different locations and would be responsible for dealing with complaints, then registration will be required.
- Practice Managers – Unlikely; despite handling data, practice managers are generally employees and as such are covered by the principle’s registration.
What is data protection?
The Data Protection Act 1998 (DPA) places responsibilities upon all those who use and store data during the course of their business; regardless of whether you work in the public or private sector. Information should only be collected for a specific purpose, must be kept secure and only for as long as it is needed.
Do I have to give my patients access to their records?
Patients have a right to see their personal information and can make a “subject access request” (SAR) requiring their dentist to disclose the information that is held about them and to be provided with a copy. There is no prescribed format for the request, save it must be made in writing. In principle a valid SAR could even be made via Twitter, although you would be wise to check the identity of the user first before responding. To avoid confusion, practices can consider preparing a standard form and inviting patients to complete them once a query has been raised. However, bear in mind this cannot be made a compulsory requirement for disclosure. Reasonable adjustments should be made for disabled patients who may not be able to communicate in writing.
Bear in mind that subject access confers a right to see the information contained within personal data, not to be given copies of documents. As such you can consider providing a transcript of relevant information; although it may be easier to simply provide copies.
An SAR can be sent to any member of staff within an organisation; so staff members should be made aware of their responsibilities under the DPA and who in the business will ultimately be dealing with the request.
Requests must be answered within 40 days from the date the request has been received or applicable fee paid; although there is an implied obligation to act without unreasonable delay. If you hold no personal data about the individual, you still need to inform them of this.
For more information regarding patient requests for data see our Dental Bulletin, Issue 14.
How secure should data be?
The DPA says that the security used should be appropriate to the nature of the information in question and the harm that might result from improper use, or its accidental loss or destruction. There is no definition of appropriate, but one must weigh the balance between technological developments and the costs involved. Due to the sensitive nature of medical records security measures should be appropriately robust.
In short, all records must be kept securely and safely at all times. Practices should assess their information risk and assess how valuable or sensitive it is. Failure to take proper precautions may result in significant fines imposed by the ICO and disciplinary proceedings by the GDC. Information should be regularly backed up and backup media should be locked away wherever possible.
What steps can be taken to minimise risk?
Appoint one person in the practice responsible for data security. Ensure all those working in the practice understand what is required of them.
Where a dentist is required to share a patient’s medical records with another medical professional it will be necessary to inform the patient of the nature of the information, why it is being disclosed and what the consequences will be. Care must be taken to record that permission was obtained.
When patient records are being transferred between professionals for the purposes of continued treatment, then the method of transfer must be secure. If you are sending confidential notes or information about a patient then the information should be encrypted. Do not use third party web-based applications or file sharing systems such as iCloud or Dropbox to share or transfer sensitive data.
If you use a personal or home computer, laptop or tablet to work on you should ensure that the work is contained within a secure encrypted folder, or a password controlled area on an encrypted device. Similarly, when using a smart phone to email patients or dentists the ICO recommends that encryption programmes are used and all devises are password protected. Bear in mind that password protection alone is not sufficient as hard drives can be removed from devices and installed in another computer.
If working at home you should ensure that your internet connection is secure and that any “admin” password provided by the router has been changed.
The ICO provide “IT Security Top Tips” which is well worth reading if you haven’t reviewed your practices technological security before now.
If you have any questions about the content of this e-bulletin, or are facing criminal or regulatory proceedings as a result of data breaches call Julia Furley on 020 7388 1658 or email at email@example.com.
If you find this article interesting, please like, comment and share it!
Julia Furley, Barrister
Please note that the information contained in this article was correct at the time of writing. There may have been updates to the law since the article was written, which may affect the information and advice given therein.