GDPR makes data subject's rights much more explicit. Your obligations to data subjects are summarised in the following eight rights.
1: The right to be informed
The GDPR sets out the information that practices need to supply to data subjects. This could be done by displaying a privacy notice (for example, in the practice and on the website) including the following information:
- the identity and contact details of the data controller, and the data protection officer where relevant
- the purpose of the processing and the legal basis for it
- any recipient of data or categories of recipients
- the existence of the data subject rights
- the right to withdraw consent at any time
- the right to lodge a complaint with the supervisory body (ICO)
- retention periods
- the existence of automated decision-making, including profiling and information about how decisions are made, their significance and consequences.
- details of transfers to countries outside the EU and safeguards.
The information should be concise, transparent, intelligible and easily accessible. It should be written in clear and plain language, particularly if meant to be read by a child.
The GDC's Standards for the Dental Team includes the following:
4.2.5 You must explain to patients the circumstances in which you may need to share information with others involved in their healthcare. This includes making sure that they understand:
- what information you will be releasing;
- why you will be releasing it; and
- the likely consequences of you releasing the information.
You must give your patients the opportunity to withhold their permission to share information in this way unless exceptional circumstances apply. You must record in your patient's notes whether or not they gave their permission.
4.2.6 If a patient allows you to share information about them, you should ensure that anyone you share it with understands that it is confidential.
Most patients understand and expect information to be shared within the direct care team, which includes administrative staff. If patients object to any or all of their information being shared, you should respect this decision unless disclosure is in the public interest or is of overall benefit to a patient who lacks capacity.
2: The right of access
There will be less time to respond to patients' requests for access to their records than under the DPA. Information must be given to patients without delay and at the latest within one month of the request. This can be extended by a further two months if requests are complex or numerous. If you need an extension you will need to tell the patient why within one month.
Under GDPR, patients can no longer be charged for subject access requests unless the request is 'manifestly unfounded or excessive'. You could then charge a 'reasonable fee' based on administrative costs of providing the information. There is no definition of unfounded, excessive or reasonable fee, and the onus of establishing this is on the data controller.
If the request is unfounded or excessive you can refuse to act on it, but you must explain this to patients and tell them of their right to complain to the ICO and to seek judicial remedy.
3: The right of rectification
Data subjects have the right to correct data if it is inaccurate or incomplete. You must respond to such requests within a month and inform any third parties with whom you have shared data, if possible. The one month period may be extended by a further two months when the request is complex.
A clinical opinion is not inaccurate data, even if it later turns out not to have been correct. You are not required to remove clinical opinions but can allow the patient to add a note to the records to indicate they disagree with the opinion.
If you refuse a request for rectification, you must explain why to the patient and tell them of their right to complain to the ICO and to a judicial remedy.
4: The right of erasure - the right to be forgotten
This allows an individual to request removal or deletion of personal data where (for example) the data is no longer necessary for the purpose it was collected.
You can refuse to comply with a request for erasure of records if processing is necessary:
- in the public interest
- in the exercise of official authority vested in the controller, for health or social care purposes
- for public health purposes in the public interest1.
These are the legal basis for most NHS processing (see below) and it is unlikely the right to erasure will apply to health records that need to be maintained.
5: The right to restrict processing
Individuals can request that you stop processing their data for the following reasons, including if:
- the accuracy of the data is contested by the individual for a period while the controller verifies its accuracy
- processing is unlawful and the data subject opposes erasure and requests restriction instead
- the data controller no longer needs the data but the subject needs it to establish, exercise, or defend legal claims
- the data subject has objected to the data processing necessary for the performance of a public interest task or purpose of legitimate interests and you are considering whether your organisation's legitimate grounds override those of the individual.
This means you can store the personal data, but not process it further. You will need to establish procedures to receive and assess requests to restrict processing. You should discuss with your systems provider how to do this technically; for example, by removing access to the whole or part of a record, prevention of changes or deletion of the data.
You will need to inform the data subject when you decide to lift a restriction on processing.
You should include information about this right in your information notices.
6: The right to data portability
This allows individuals to obtain and reuse their data across different services. Data must be provided in a structured, commonly-used and machine readable format.
The right only applies to the following data:
- personal data provided by an individual…
- …where the legal processing is based on consent, or for the performance of a contract, and
- where processing is automated.
The information must be provided free of charge within a month.
7: The right to object
Data subjects have a right to object to your processing their data even if you believe it is legitimate to do so. The grounds for their objection must relate to their particular situation.
Controllers must stop unless they can demonstrate compelling legitimate grounds for processing that override the interests, rights and freedoms of the individual (such as performance of a task in the public interest or exercise of official authority); or the processing is for the establishment, exercise or defence of a legal claim.
8: Rights related to automated decision making and profiling
Individuals have the right not to be subject to a decision based on automated processing that results in a legal effect on them or significantly affects them in some other way.
The GDPR defines 'profiling' as any form of automated processing of personal data to evaluate certain personal aspects of an individual, in particular to analyse or predict certain things, including health.
Automated decisions can be made with or without profiling and profiling can take place without making an automated decision.
Lawful basis for data processing
In order to process personal data you need to consider the lawful basis you are relying upon. You should document and be able to justify your decision. There is a further requirement if you wish to process special category data (which includes health data) and you will need to have a lawful basis to carry out that processing of the GDPR and, in addition, you will need to satisfy one of the specific conditions for processing health data.
The lawful bases for processing personal data (ie, the lawful bases required in order to process personal data generally) are:
The GDPR sets the bar high for this basis, and consent must be freely given, specific, informed, unambiguous, current and requires a positive opt-in (pre-ticked boxes are not permitted). The standards required to rely upon consent are onerous and therefore it may be preferable to rely (where possible) on an alternative lawful basis.
In addition, consent can be withdrawn at any time which means that if you rely on consent and that consent is withdrawn then you must stop processing the personal data concerned.
You can rely on this lawful basis if you need to process someone's personal data to fulfil your contractual obligations to them or because they have asked you to do something before entering into a contract (eg, provide a quote). This basis may be relevant for private practice.
Compliance with legal obligations
You can rely on this lawful basis if it is necessary for you to process the personal data in order to comply with a common law or statutory (as opposed to a contractual) obligation. Examples of this would be NHS Regulations and GDC Standards.
You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone's life. This is unlikely to be the case in respect of dental practices.
You can rely on this lawful basis where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. This may apply to the processing of personal data in the delivery of publicly funded direct care and providers' administrative purposes. Practices providing NHS care may be able to rely on this basis.
Public authorities, including practices providing NHS treatment, cannot rely on this basis in respect of processing carried out in the performance of their official tasks (delivery of NHS care) but may be able to do so in certain limited circumstances - for example, to send out appointment reminders.
Legitimate interests may include commercial, individual or societal benefits however in order to rely on this basis you must be able to show that the processing is necessary to achieve the interest identified and that your interest has not been overridden by the interests, rights and freedoms of the individual concerned.
A legitimate interest might exist in a situation where there is a relevant and appropriate relationship between you and the individual concerned.
The relevant special conditions for processing health data are (ie, you will also need to satisfy one of the following special conditions in order to process health data):
- the individual has given explicit consent to the processing of that data for one or more specified purposes
- the processing is necessary to protect the vital interests of someone where they are physically or legally incapable of giving consent
- the processing is necessary for the purposes of preventive or occupational medicine, for medical diagnosis, for the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to a contract with a health professional (this is most likely to be the condition on which you will need to rely)
- the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
Remember that you will need to rely on a lawful basis for carrying out your processing and you will also need to satisfy a special condition in order to process health data.
1The General Data Protection Regulations; What’s New. Information Governance Alliance p22
This guidance was correct at publication 20/06/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.