Pat Langley, Chief Executive Officer from Apolline, shares some thoughts on the EU General Data Protection Regulation (GDPR) which becomes effective on 25th May 2018.
The Data Protection Act 1998 (DPA) was designed to protect personal data stored on computers or in an organised paper-filing system. The Act was passed by Parliament to control the way information is handled and to give legal rights to people who have information stored about them.
The world has moved on considerably since 1998, with widespread use of the internet, commercial internet services and the emergence of social media platforms, but many of the same principles of the 1998 Act do still apply, which means that if you comply with existing Data Protection regulation, you may already be quite well along the road to complying with the new regulations. Our experience at Apolline has been either that practices don’t always fully understand the 1998 Act, or they haven’t fully thought through how they apply to their practice. That means there may be quite a bit of work to do to comply with GDPR.
Currently there is relatively little information available about what dental practices must do to comply and perhaps we should expect this given the fact that they are new regulations and are yet to be tested. That means that any and all information there is could change and it is best to regard all current ‘advice’ as a best guess at what is required rather than something that is clear and written in stone. It is true to say that no one has all the answers at the present time, which makes it very difficult for dental practices that want to be sure they are doing the right things.
In the absence of definitive guidance, I have attempted to distil what little information there is into practical steps practices can and should be taking to help them prepare for GDPR.
Why should your practice bother with this?
Put simply, the consequences of non-compliance are enough of a reason to focus the mind – fines of up to 4% of turnover or €20 million for the most serious infringements! Doing nothing is not a wise option! However, it is also important to keep it all in perspective. The intention is not to paralyse businesses and it is also worth noting that there won’t be a whole army of GDPR inspectors calling on dental practices from 25th May! Issues are more likely to arise as a result of a data breach that could have been avoided or from a vexatious patient or team member (either current or previous). It is also worth remembering that the data protection authorities have made considerable efforts to educate the public about their rights.
Under GDPR, some things change, but not everything. In general, GDPR builds on existing principles and adds tighter obligations and restrictions on businesses.
The GDPR requires that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and kept up to date (inaccurate personal data must be erased or rectified without delay)
- Kept in a form which permits identification of data subjects for no longer than is necessary
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The 12 steps
The Information Commissioner’s Office (ICO) has identified 12 steps all organisations are advised to take to prepare for GDPR.
- Become aware
This first step is all about risk management. Think about everything that could cause a data breach or security problem in your practice and what you need to do to mitigate the risk and then record this.
- Become accountable
The key to this step is being able to demonstrate the ways in which you comply with GDPR principles. Make an inventory of all the personal data you hold on patients & staff and then make a list of all the risks associated with each piece of data. Also record why you are holding it, how long you will retain it, how secure it is in terms of encryption and accessibility, whether you share it with third parties and on what basis and what your legal basis is for processing the information. Keep records of this.
- Personal privacy rights
All individuals who have personal data held about them have the following rights.
- Access to the data held about them
- Have any inaccuracies deleted
- Have information erased
- Object to direct marketing
- Restrict the processing of their information, including automated decision-making
- Transfer their data e.g. to another practice.
Practices should review their current procedures to ensure they cover these rights.
- Access requests changes
There have been significant changes to access rights for data subjects (patients and staff). You must now respond and conclude the process within one month and you are no longer permitted to charge for access to or copies of personal records.
- Legal basis
There are six legal bases for processing personal data and you must be able to justify and articulate the legal basis on which you collect and process all personal data that you hold. You must also document the legal basis on which you collect and process all personal data that you hold.
Consent is one of the legal bases for processing personal data. Due to the complexities involved in obtaining consent and the specific requirements attached to consent, it is not usually appropriate to use consent as the legal basis for providing patient care or employing staff.
- Processing children’s data
This step is principally concerned with protecting children’s data in relation to social media and commercial internet services.
- Reporting data breaches
All breaches must be reported to the Data Protection Commissioner (DPC) within 72 hours unless the data was anonymised or encrypted. Breaches that might cause harm to an individual (e.g. identity theft or breach of confidentiality) must also be reported to the individual(s) concerned. You must ensure you have the right procedures in place to detect, report and investigate a personal data breach because a failure to report a breach could result in a fine that is in addition to the fine for the breach.
- Impact assessments and data protection by design and default
You should aim to ensure that all projects or initiatives are always designed with privacy in mind and that should be your default position. Before starting the project or initiative you should systematically consider the potential impact that it might have on the privacy of individuals. This will allow you to identify potential privacy issues before they arise and come up with a way to mitigate them.
- Data Protection Officers (DPO)
Information governance describes practices that provide NHS treatment as public authorities, despite currently there apparently being no definition of a public authority. GDPR requires public authorities to appoint a DPO. Practices that only provide private treatment do not have this obligation; however, it may make sense to designate overall responsibility for complying with GDPR to one person in the practice, even though maintaining compliance will be a team responsibility. DPOs must be free of any conflict of interest when it comes to GDPR compliance, but that does not mean that it could not be a task undertaken by a suitably trained practice manager.
This relates to organisations that operate outside the EU. Practices that send laboratory work outside the EU should consider anonymising identifiable patient data by using a unique patient identifier. This is probably advisable for all lab work sent within the UK too.
The Information Commissioner’s Office has a website for updates and it is advisable to check this regularly for further guidance and supporting documents: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Please note this blog does not contain exhaustive information on GDPR nor does it represent definitive guidance on GDPR. It provides background information and practical suggestions for starting to demonstrate compliance with the new regulations.