Last week we started our “Demystifying GDPR for Dental Practitioners” series from the very beginning, the establishment of the Hippocratic Oath. This week we’ll tackle some of the changes newly introduced by the GDPR that concern the day-to-day practices of dental practitioners.
The implementation of the GDPR last May brought additional and enhanced considerations for the dental industry in the protection of dental patients’ and employees’ personal data. The GDPR is the biggest overhaul of data protection law in 20 years. Some of its requirements are new, and some only build on requirements that were already established. Regardless of the size of the dental practice, the GDPR has a direct impact on the way personal information is stored, processed and retained.
1. The Power Given to Data Subjects
Over the last 9 months, we have witnessed an increase in data subjects’ complaints about violations of their rights under the GDPR. At the same time, regulatory bodies are understaffed and unable to carry out widespread enforcement actions, and have therefore invested in educating the general public about their rights to data protection under the GDPR (through advertisements on radio, TV, in newspapers etc.). This newly piqued interest has made data subjects more wary in their dealings with organisations and has already resulted in enforcement actions from regulators. Every organisation, and the dental practice in particular, should be diligent in implementing GDPR-compliant practices when handling patients’ data, because non-compliance may result in a dental firm losing its practice licence or its reputation within the community, which would be devastating for the survival of the practice.
2. Increased Fines
Prior to the effective date of the GDPR, much was made of the increased fines. It is true that under the GDPR the scope and nature of the administrative fines imposed by the data protection agencies are significantly greater. Such fines may be up to €20 million or 4% of total worldwide annual turnover (whichever is greater).
3. Data Breach Reporting Elements
The GDPR establishes specific breach notification rules. The Information Commissioner’s Office (ICO) has published the following statement regarding data breach notifications: “You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.”
Where notification is required, the relevant supervisory authority must be notified within 72 hours of the company becoming aware of the data breach.
Let’s break this down a bit more. Imagine a data breach took place in 2018 but you only found out about it in 2019. The 72-hour window counted from the breach itself has clearly come and gone, but that is fine, because your obligation is to notify the relevant supervisory authority within 72 hours of becoming aware of the data breach. Furthermore, you may have to provide information in phases as your investigation proceeds. If the breach is serious you may have to notify patients, and if so you must do so without undue delay. Failure to notify a breach can result in a hefty fine under the GDPR.
4. Privacy Impact Assessment
Privacy Impact Assessments (PIAs) are a tool widely promoted by the GDPR. Essentially, a PIA helps a practice identify the most effective way to comply with its obligations under the GDPR. The assessment sets out the options for addressing each identified risk and whether those options result in the risk being:
- Reduced; or
PIAs carried out in dental practices are essentially the same as those carried out in any other organisation processing personal information.
5. The Rise of Data Subject Rights
The data subjects’ rights are established in Articles 12 to 23 of the GDPR. These rights can limit an organisation’s ability to lawfully process personal data. The rights provided by the GDPR are as follows:
- Articles 12–14: Right of transparent communication and information
- Article 15: Right of access
- Article 16: Right to rectification
- Article 17: Right to erasure (‘right to be forgotten’)
- Article 18: Right to restriction of processing
- Article 19: Obligation to notify recipients
- Article 20: Right to data portability
- Article 21: Right to object
- Article 22: Right not to be subject to automated decision-making (including profiling)
In practice this means that dental practices need to update and/or create internal policies and procedures in order to show that data subjects’ rights are respected within the practice’s everyday operations.
An important aspect of the GDPR is the requirement to offer people choice and control over how their data is used. For clinical records, there is a legal basis for processing special category data. But if you are sending out email newsletters, for example, you will need to consider the consent requirements, which include:
- The details about the different ways data will be used and the ability to choose between them e.g. email newsletters and/or printed newsletters
- The consent statement must be clear and specific, and the indication to give consent must be unambiguous
- Tick boxes must never be pre-ticked; the person must actively tick the box themselves (a ‘positive opt-in’)
- Consent must be easy to withdraw with a clear way to withdraw it at any time
- Evidence of consent is kept, including who, when, how, and what you told people
- The consent process is kept under review and updated if anything changes
Consent thus has many different aspects, all of which will be examined further in the following parts of our series “Demystifying GDPR for Dental Practitioners”.
8. Personal Data and Sensitive Personal Data
Sensitive personal data is at the core of the processing activities of any dental practice, because medical information is a sensitive type of personal data. In order to understand the definition of sensitive personal data we should first look at the definition of personal data:
Article 4(1) of the GDPR defines it as “Any information relating to an identified or identifiable natural person”.
- “Any information” is understood to be literal.
- “Relating to” refers to the information’s purpose and impact on someone’s privacy rights. Its connection with other content is also important. For example, a job title would not necessarily relate to a person, but a job title combined with a name likely would.
- “Identified” means that an individual person has been named or singled out, for example by specific characteristics. Within Recital 26 of the GDPR, “identifiable” refers to indirect identification, taking into account ‘all the means reasonably likely to be used’ to identify the person.
- A “natural person” is a real human being, as distinguished from a corporation. This person is referred to as the data subject; the definition does not cover deceased persons.
At the same time, here is the definition of the sensitive personal data:
Article 9(1) of the GDPR: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”. Note that the definition of sensitive data is very specific.
Thus, sensitive personal data is subject to greater protections than other forms of personal data. The data subject must give “explicit consent” to the processing of such data, which may prove difficult in the case of children or vulnerable patients.
The GDPR states that organisations who deal with such sensitive personal data will need to appoint a Data Protection Officer (DPO). Thus, given the nature of dental practices, they face the added complication of complying with the requirements for both the personal data and the sensitive personal data that they control and/or process, which requires detailed administrative attention. Given how widely sensitive personal data is handled in the dental field, special attention will be paid to this matter.
Disclaimer: The content of this article is intended to provide a general guide to the subject matter, it is not legal advice and should not be treated as one. Specialist advice should be sought about your specific circumstances.