Your questions answered

How does GDPR impact our ability to refer patients to other practices?

Nigel Jones Practice Management Leave a Comment

The end of November marks six months since the introduction of the General Data Protection Regulation (GDPR). It’s probably fair to say it’s been a learning curve for everyone, including dental practice teams, in terms of how to ensure compliance with these new rules.

As new circumstances concerning patients’ data arise, practices continue to seek answers about their best way forward. I asked Pat Langley from Apolline, who support practices in compliance, to answer one of the queries we’ve received: How does GDPR impact our ability to refer patients to other practices?

Pat: ‘The simple answer is: in a number of ways, and it’s important that practices take appropriate action to ensure they have protected their patients’ data and themselves.

You need to:

  • Inform all patients that you may share their personal data with third parties
  • Get an individual patient’s consent to sharing their data with a named practice
  • Protect the data in transit
  • Ensure you have an assurance from or agreement with the receiving practice that they will protect your patients’ data in line with GDPR principles.
Inform all patients that you may share their personal data with third parties

Patients’ personal data is confidential information and must not be disclosed to anyone who does not need to see it.

The personal data you hold on your patients also includes their personal healthcare information and this is classified as special category information. Special category information is sensitive information, including medical history and all medical and dental records such as radiographs, study models and photographs.

From time to time you may need to share patients’ personal data (including sensitive information) with a third party. This may be necessary in a number of situations, including when you refer a patient for specialist advice and/or treatment.

Your privacy notice should explain that you may share your patients’ personal health information with third parties and it should detail who those third parties may be. In the case of referrals to a third party, your privacy notice need only state that you may share information for the purposes of obtaining specialist advice or treatment, it need not specify a named individual.

Get an individual patient’s consent to sharing their data with a named practice/individual

GDPR requires all organisations, including dental practices, to have a legal basis for processing personal data. ‘Processing’ includes obtaining the information, using it, storing it, sharing it and deleting it. That means that you need to have a legal basis for sharing personal data with a third party, such as a practice or individual to whom you wish to refer a patient for specialist advice and/or treatment.

Consent is one of the legal bases for processing personal information and could be used as the legal basis for sharing information with a referral practice or an individual.

Gaining consent is a complex process and it’s important to ensure that the following conditions are satisfied:

  • Consent must be freely given, specific, informed and unambiguous
  • Patients must never be forced into consent, and they must know exactly what they are consenting to
  • Consent must always be obtained by a positive indication of agreement, and never inferred from silence, pre-ticked boxes or inactivity
  • Consent must be verifiable, and you should have an effective audit trail
  • Patients must be made aware that they can withdraw their consent at any time.
Protect the personal data in transit

To comply with General Dental Council Standards and GDPR, it is essential that confidential information is always sent using a secure method.

The majority of referral information will either be sent and received by post or electronically. In some circumstances, it may be appropriate for the patient to hand deliver their referral information themselves.

When sending by post you should use first class post and, ideally, this should be by registered post.

The NHS has a secure system for receiving referrals and practices that wish to refer to an NHS provider should follow local guidelines pertaining to the hospital or facility they wish to refer to.

Sending personal data electronically

Sending personal data electronically is complex under GDPR requirements and practices should choose a secure method, such as the following options:

  1. Send the referral via an encrypted service – the major software suppliers offer such services.
  2. Send the referral anonymously using either the patient’s unique identification number from the practice management software or an allocated code for that patient. Then send the patient’s name separately, either by phone or a secure method, so that the receiving practice or individual can link the identification number or code to that specific patient.
The inherent dangers in email

Practices should be aware that email is insecure because it can be hacked even with security in place. If your email is hacked and you have sent personal patient-identifiable data via email, you will have breached GDPR requirements and would need to report this to the Information Commissioner’s Office as a data breach.

The risks of sending personal patient-identifiable data via email are not limited to your emails being hacked, because email is easy to ‘get wrong’. Observing the following email etiquette should go a long way to protecting you, your practice and your patients:

  • Do not mix work emails with personal emails – have separate accounts
  • Ask for the recipient’s permission to send an email
  • Address emails as private and confidential
  • Avoid sending sensitive personal data via email such as medical history
  • Use encrypted emails when sending personal data
  • Password protect your emails
  • Change your password regularly
  • Do not choose a password that’s easy to guess
  • Do not give your password to anyone, ever
  • Be careful when responding to email, e.g. using ‘reply all’ or ‘send to all’ or when forwarding email
  • Do not open suspicious email.
Protect your patients’ data ‘at the other end’

Ensure you have an assurance from or agreement with the receiving practice or individual that they will protect your patients’ data in line with GDPR principles.’


My thanks to Pat for explaining how practices can safely refer patients to other services, and for sharing her practical advice. GDPR has had implications for businesses in every sector since its introduction, and while it can be viewed as another layer of bureaucracy, it is also a consequence of the data-rich, digital-heavy world we now live in and is an important part of ensuring the safety of our, and others, personal information.

Undoubtedly, new situations involving GDPR will arise and dental practices, along with other businesses, will need to continue adapting the way they work to ensure they remain compliant. If you have any questions about GDPR, or another element of running a dental practice, you can email them to us and we will seek the answers.