The GDPR has introduced significant changes in the way dental practitioners can process patients’ personal information: for example, a larger amount of administrative work is now required, and there are clarifications on how personal and sensitive personal data is processed. The purpose of this article is to give you relevant and up-to-date information regarding Consent as an obligation stemming from the GDPR, as well as practical examples on the topic.
What is Personal Data?
Article 4(1) of the GDPR defines it as “Any information relating to an identified or identifiable natural person”. The definition can be broken into four parts, which outline a four-step process for identifying personal data. In determining if something is personal data, the criteria don’t have to be considered in any particular order, yet all must be met.
- “Any information” is understood to be literal. Information could be anything from a person’s name to her/his location.
- “Relating to” refers to the information’s purpose and impact on someone’s privacy rights. Its juxtaposition with other content is also important. For example, a job title would not necessarily relate to a person, but a job title combined with a name likely would.
- “Identified” means that an individual person has been named or singled out (e.g. by specific characteristics).
- Within Recital 26 of the GDPR “identifiable” refers to indirect identification, taking into account all the means reasonably likely to be used to identify the person.
A “natural person” is a real human being, as distinguished from a corporation. This person is referred to as the data subject; the term does not cover deceased persons.
In the case of a dental practice, the patient’s personal file is, in fact, the processed personal information (name, address, personal number, email, phone number etc.). The forms that patients are required to fill out are, in essence, holders of personal information, and the security of this personal data should be taken extremely seriously from now on. The GDPR gives the methods and techniques to do so.
What is Meant by Sensitive Personal Data?
Article 9(1) of the GDPR: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”.
Summarising this definition into sections, distinct categories emerge: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic or biometric data for the purpose of uniquely identifying a natural person; and data concerning health, sex life or sexual orientation.
In practice, it turns out that most of the data needed in the everyday work of a dentist or dental specialist/manager is, in fact, sensitive personal information – health status and medical history, race, biometric data, sex life, and sexual information. This data is categorised as sensitive because it could create more significant risks to a person’s fundamental rights and freedoms, for example, by putting them at risk of unlawful discrimination. Asking a patient about previous medical conditions is actually obtaining sensitive personal data. Therefore, the strongest safeguard mechanism should be applied to the dentist himself.
Consent in the Dental Profession
Without a doubt, the role of Consent in the dental field is significant. However, over the last months it has been overexposed, and therefore at times overcomplicated, by those within and outside the healthcare profession.
Consent in the context of the GDPR means any freely given, specific, informed and unambiguous indication of the patient’s wish for his/her personal data to be processed for a specific reason.
- Explicit consent is the tool that should be used when legitimising the use of special category data, which, in this case, is the use of the medical-related information of the patients.
- Genuine consent should put individuals in control, build patient trust and engagement, and enhance your reputation.
Relying on inappropriate or invalid consent could destroy trust and harm the reputation of your practice – and could result in hefty fines. However, it should become clear that a practice doesn’t have to rely on consent and can collect and use health data if the processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or treatment, management of health or social care systems and services, under a contract with a health professional or another person subject to professional secrecy under law (the ‘medical care’ ground).
Consent is not required if the processing is necessary in the public interest for public health reasons (the ‘public health’ ground), or if the practice can argue that the processing is necessary for scientific research. The same requirements exist in the UK’s new Data Protection Act 2018 and the Irish Data Protection Act, which incorporate the GDPR into national law.
Consent and Children
One of the most unclear articles in the GDPR is the article regarding the age of consent relating to children/minors. The GDPR states that the age should be somewhere between 13 and 16, and Member States are empowered to decide on the exact age at which a minor reaches the age of consent for providing his/her personal data and for how it is used. The reason for this is simple – different Member States have different views on what the correct age should be, and the difference stems from a cultural perspective.
Most Member States have already decided, whether through a legal act or a draft version of one, what the particular age of consent should be when it comes to minors in their jurisdiction. The following graphics will make this matter very clear:
For example, if the given minor is based in Ireland, dental practices should collect Consent from their patients who are minors if they are 16 or above, and would not need parental consent; dental practices in the UK could do this if the patients are 13 or above, and would not need parental consent.
It’s also important to highlight that, when relying on parental consent, you also need to demonstrate the “reasonable efforts” your practice has taken to verify that the person providing that consent is indeed a parental figure.
Minors have autonomy over any data that’s collected “in the context of preventative or counseling services offered directly to a child”. This means that, for example, if a child/minor tells a dentist that they are being abused, the dentist doesn’t need consent from the parental figure to report the incident to the authorities.
Disclaimer: The content of this article is intended to provide a general guide to the subject matter. It is not legal advice and should not be treated as such. Specialist advice should be sought about your specific circumstances.