When & Why?
- General Data Protection Regulation (GDPR) will come into play on 25 May 2018. It will have a direct effect in every EU country, superseding the current Data Protection Act 1998.
- GDPR will still apply after Brexit.
- It has been written to: reflect the increasingly digital climate in which organisations now operate, introduce additional data protection obligations on organisations and increase rights for individuals, giving them more control over their personal data.
- GDPR applies to all individuals and organisations that have day-to-day responsibility for data protection i.e. everyone in the dental team.
What are the 6 Main Privacy Principles?
- Lawfulness, fairness and transparency – relating to the way data are processed
- Purpose limitation – data collected for specified and legitimate purposes and not further processed in a manner incompatible with those original purposes e.g. marketing material cannot be sent without consent
- Data minimisation – data collected adequate and relevant for purposes set
- Accuracy – data must be updated promptly and kept accurate
- Storage limitation (retention) – personal data should only be kept for as long as is necessary
- Integrity and confidentiality – necessary measures to protect data from unlawful processing and accidental loss/destruction/damage.
The Nitty Gritty
- The definition of personal data has changed. It covers any information relating to an identified (directly or indirectly) or identifiable natural person. For GDP practices this means names, addresses, telephone numbers, DOB etc., for both patients and staff. It now also includes online identifiers and IP addresses.
- Special categories of data replace “sensitive data” under the DPA 1998. They include: race, ethnicity, political views, religion, health records, sexual records, and the processing of genetic and biometric data.
- Data processing is anything you do with your patient data. Disclosing is a process, but only one of many. It covers a wide range of data handling: collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, disclosure, restriction, erasure and destruction.
- There must be a valid lawful basis for processing personal data: either consent, or processing that is necessary for the provision of a service/performance of a contract, in relation to a legal obligation, in the vital interest of the data subject, for a task carried out in the public interest, or for the purpose of a legitimate interest, unless overridden by the rights and freedoms of data subjects.
- Practices need to identify and document their lawful basis for processing patients’ personal data. They also need to let patients know this reason.
- Privacy notices are now needed to inform individuals, at the time of collection, what their data is being used for. The notice must cover: the data controller’s identity, the DPO’s contact details, the categories of personal data processed, the purpose of processing, the lawful basis for processing, potential recipients of personal data, details of retention periods and a list of the data subject’s rights. The language needs to be easy to understand and concise. It should also be available in other languages as necessary for non-English speaking patients.
- All NHS practices are required to appoint a DPO to: advise on and monitor compliance with GDPR, provide advice regarding data protection impact assessments (DPIAs) and act as a contact point for patients/the ICO. The DPO may be an existing employee, so long as conflicts of interest are avoided, or can be externally appointed. The BDA’s advice is that if you don’t provide NHS care, the appointment of a DPO is discretionary.
- The Data protection Fee will be payable at renewal of current registration. It is likely to be £40 for micro-organisations (no more than 10 members of staff) and £60 for small-medium sized organisations (no more than 250 staff).
- If a patient makes a Subject Access Request (SAR) i.e. asks for their records, the practice now needs to respond within a month. This can be extended by 2 months if the request is complex or numerous, but the practice must inform the patient within one month of the request and explain why an extension is required. The practice may refuse a request only if the request is manifestly unfounded or excessive, or the patient is informed within one month of the request. The patient has the right to make a complaint to the ICO.
- You can no longer charge for SARs unless the requests are unreasonable or excessive and repetitive. In these unusual circumstances you may charge a “reasonable fee” i.e. copying and postage (not an admin charge).
- Data breach – may be accidental or deliberate. A personal data breach is destruction, loss, alteration, or unauthorised disclosure of/access to personal data which results in a risk to the rights and freedoms of individuals. The ICO must be notified within 72 hours. Fines can be significant and Dental Protection will not reimburse fines. Practices must have: internal reporting procedures, robust methods of breach detection and records of ALL data breaches. Data processors will be required to notify data controllers without undue delay if there is a data breach.
- The right to erasure only applies in certain circumstances. Do not delete medical/dental records before consulting Dental Protection.
- The ICO encourages organisations to undertake Data Protection Impact Assessments (DPIAs) to assess the level of protection in place to safeguard personal data and to identify and rectify emerging data protection issues. DPIAs must be carried out when new technologies are introduced or when processing of personal data is likely to have high risk to the rights and freedoms of individuals. If unsure whether a DPIA is required, seek advice from your DPO.
- Practices must comply with GDPR and be able to demonstrate compliance.
- Maintain accurate records of all data processing activities.
- Document all advice provided by DPO and any DPIA undertaken.
- Revise and update internal data protection policies, ensuring these are compliant with GDPR.
- Ensure all staff are aware of their responsibilities.
10 Take-Home Points:
- Fully familiarise yourself with the ICO guidance: https://ico.org.uk.
- Identify the extent of your data processing and document: what data you hold, how it is collected, how it is stored, who has access and who the information is shared with.
- Compare current practice with GDPR requirements and make a list/delegate responsibility for making changes.
- Identify the lawful basis for processing personal data and special category data – document these in your data protection protocol.
- Prepare your privacy notices in good time.
- Update your Subject Access Request procedure.
- Develop a policy for data breach reporting.
- Choose your data protection officer and put them on training if needed.
- Arrange training for all your staff.
- Update your protocols and procedures.
*Please keep an eye out on the Dental Protection and BDA website for any changes*