The Data Protection Act and Dentistry
GDPR (General Data Protection Regulation) came into force in May 2018 and applies to all organisations that collect or retain personal or identifiable data about any European individual.
This means that the Data Protection Act (DPA) will have an impact on your dental practice. It is absolutely essential that these laws are followed, so read on to discover everything you need to know about GDPR dental laws.
GDPR Dental Frequently Asked Questions
What is data protection?
The Data Protection Act 2018 (DPA) places responsibilities upon all those who use and store data during the course of their businesses, regardless of whether they work in the public or private sector.
Information should only be collected for a specific purpose, it must be kept secure, and it must only be retained for as long as it is needed.
How secure should data be?
The DPA says that the security used should be appropriate to the nature of the information in question and the harm that might result from improper use or its accidental loss or destruction.
There is no definition of “appropriate”, but the state of technological development must be weighed against the costs involved.
Due to the sensitive nature of medical records, security measures should be appropriately robust.
In short, all records must be kept securely and safely at all times. Practices should assess their information risk and determine its value or sensitivity.
Failure to take proper precautions may result in significant fines imposed by the ICO and disciplinary proceedings by the GDC.
Information should be regularly backed up, and backup media should be locked away wherever possible.
Do dental practices need to register with the ICO?
Yes. For data to be considered personal, it must be information that relates to a living person and allow that person to be identified from it.
The very nature of dentistry requires the practitioner to obtain their patients’ personal data. By obtaining and retaining this information, they are deemed information processors – and as such, failure to register with the Information Commissioner’s Office is a criminal offence.
Who specifically within the practice will need to register?
Practice Principals – Yes. With overall control and responsibility for patient records at the practice, Principals do need to register with the ICO.
Associates – Probably. If you are registered as self-employed, trade as a separate legal entity from the practices you work in, work at a number of practices, and/or are responsible for the control and security of patients’ records, you should register with the ICO.
Hygienists – Maybe. If you are responsible for the control of security and patient records, if you have your own patient list that is separate from the practice, if you treat the same patient at different locations and would be responsible for dealing with complaints, then registration is required.
Practice Managers – Unlikely. Despite handling data, Practice Managers are generally employees and, as such, are covered by the Principal’s registration.
Do I have to give my patients access to their records?
Patients have a right to see their personal information and can make a “subject access request” (SAR) requiring their dentist to disclose the information held about them and be provided with a copy.
There is no prescribed format for the request, save that it must be made in writing. In principle, a valid SAR could even be made via Twitter, although you should check the user’s identity first before responding.
To avoid confusion, practices can consider preparing a standard form and inviting patients to complete it once a query has been raised.
However, this cannot be made a compulsory requirement for disclosure, and reasonable adjustments should be made for disabled patients who cannot communicate in writing.
Bear in mind that subject access confers a right to see the information contained within personal data and not to be given copies of documents.
As such, you can consider providing a transcript of relevant information, although it may be easier to provide copies.
An SAR can be sent to any member of staff within an organisation, so staff members should be made aware of their responsibilities under the DPA and who in the business will ultimately be dealing with the request.
Requests must be answered within one month of the date the request was received, although there is also an obligation to act without unreasonable delay.
If you hold no personal data about the individual, you still need to inform them of this.
For more information regarding patient requests for data, see Issue 14 of our Dental Bulletin.
What steps can be taken to minimise risk?
There are a number of steps that can be taken to minimise risk. In the first instance, it is best to appoint one person in the practice to be responsible for data security. Next, ensure that everyone working in the practice understands what is required of them.
When a dentist is required to share a patient’s medical records with another medical professional, it will be necessary to inform the patient of the nature of the information, why it is being disclosed and the consequences. In addition, care must be taken to record that permission was obtained.
When patient records are being transferred between professionals for the purposes of continued treatment, then the method of transfer must be secure. For example, if you are sending confidential notes or information about a patient, then the data should be encrypted.
Do not use third-party web-based applications or file-sharing systems such as iCloud or Dropbox to share or transfer sensitive data unless you are satisfied that the data is being securely transferred.
If you use a personal or home computer, laptop or tablet to work on, you should ensure that the work is contained within a secure encrypted folder or a password-controlled area on an encrypted device.
Similarly, when using a smartphone to email patients or dentists, the ICO recommends that encryption programmes are used, and all devices are password protected. However, bear in mind that password protection alone is not sufficient, as hard drives can be removed from devices and installed on another computer.
If working at home, you should ensure that your internet connection is secure and that the default “admin” password supplied with the router has been changed.
The ICO’s IT Security Top Tips is well worth reading if you haven’t reviewed your practice’s technological security before now.
Next steps
If you are a dentist and need further advice on GDPR dental laws, JFH Law’s team of specialist dental solicitors can help.
In fact, our Data Protection Officer (DPO) Service addresses advanced data protection issues to protect your corporate and patient data for GDPR compliance.
If you have any questions about the content of this e-bulletin, or are facing criminal or regulatory proceedings as a result of data breaches, call 020 7388 1658 or email.
For further information, expertise, and support for dentists, we publish a regular bulletin with the latest updates and developments in the dental sector.
Julia Furley, Barrister
Please note that the information contained in this article was correct at the time of writing. There may have been updates to the law since the article was written, which may affect the information and advice given therein.