20 June 2018
GDPR makes data subjects' rights much more explicit. Your obligations to data subjects are summarised in the following eight rights.
The GDPR sets out the information that practices need to supply to data subjects. This could be done by displaying a privacy notice (for example, in the practice and on the website) including the following information:
The information should be concise, transparent, intelligible and easily accessible. It should be written in clear and plain language, particularly if meant to be read by a child.
The GDC's Standards for the Dental Team includes the following:
4.2.5 You must explain to patients the circumstances in which you may need to share information with others involved in their healthcare. This includes making sure that they understand:
You must give your patients the opportunity to withhold their permission to share information in this way unless exceptional circumstances apply. You must record in your patient's notes whether or not they gave their permission.
4.2.6 If a patient allows you to share information about them, you should ensure that anyone you share it with understands that it is confidential.
Most patients understand and expect information to be shared within the direct care team, which includes administrative staff. If patients object to any or all of their information being shared, you should respect this decision unless disclosure is in the public interest or is of overall benefit to a patient who lacks capacity.
There will be less time to respond to patients' requests for access to their records than under the DPA. Information must be given to patients without delay and at the latest within one month of the request. This can be extended by a further two months if requests are complex or numerous. If you need an extension you will need to tell the patient why within one month.
Under GDPR, patients can no longer be charged for subject access requests unless the request is 'manifestly unfounded or excessive'. You could then charge a 'reasonable fee' based on administrative costs of providing the information. There is no definition of unfounded, excessive or reasonable fee, and the onus of establishing this is on the data controller.
If the request is unfounded or excessive you can refuse to act on it, but you must explain this to patients and tell them of their right to complain to the ICO and to seek judicial remedy.
Data subjects have the right to correct data if it is inaccurate or incomplete. You must respond to such requests within a month and inform any third parties with whom you have shared data, if possible. The one month period may be extended by a further two months when the request is complex.
A clinical opinion is not inaccurate data, even if it later turns out not to have been correct. You are not required to remove clinical opinions but can allow the patient to add a note to the records to indicate they disagree with the opinion.
If you refuse a request for rectification, you must explain why to the patient and tell them of their right to complain to the ICO and to a judicial remedy.
This allows an individual to request removal or deletion of personal data where (for example) the data is no longer necessary for the purpose it was collected.
You can refuse to comply with a request for erasure of records if processing is necessary:
These are the legal bases for most NHS processing (see below), and it is unlikely that the right to erasure will apply to health records that need to be maintained.
Individuals can request that you stop processing their data for the following reasons, including if:
This means you can store the personal data, but not process it further. You will need to establish procedures to receive and assess requests to restrict processing. You should discuss with your systems provider how to do this technically; for example, by removing access to the whole or part of a record, preventing changes to the data, or preventing its deletion.
You will need to inform the data subject when you decide to lift a restriction on processing.
You should include information about this right in your information notices.
This allows individuals to obtain and reuse their data across different services. Data must be provided in a structured, commonly-used and machine readable format.
The right only applies to the following data:
The information must be provided free of charge within a month.
Data subjects have a right to object to your processing their data even if you believe it is legitimate to do so. The grounds for their objection must relate to their particular situation.
Controllers must stop unless they can demonstrate compelling legitimate grounds for processing that override the interests, rights and freedoms of the individual (such as performance of a task in the public interest or exercise of official authority); or the processing is for the establishment, exercise or defence of a legal claim.
Individuals have the right not to be subject to a decision based on automated processing that results in a legal effect on them or significantly affects them in some other way.
The GDPR defines 'profiling' as any form of automated processing of personal data to evaluate certain personal aspects of an individual, in particular to analyse or predict certain things, including health.
Automated decisions can be made with or without profiling and profiling can take place without making an automated decision.
In order to process personal data you need to consider the lawful basis you are relying upon. You should document and be able to justify your decision. There is a further requirement if you wish to process special category data (which includes health data): you will need a lawful basis under the GDPR to carry out that processing and, in addition, you will need to satisfy one of the specific conditions for processing health data.
The lawful bases for processing personal data (ie, the lawful bases required in order to process personal data generally) are:
The GDPR sets the bar high for this basis, and consent must be freely given, specific, informed, unambiguous, current and requires a positive opt-in (pre-ticked boxes are not permitted). The standards required to rely upon consent are onerous and therefore it may be preferable to rely (where possible) on an alternative lawful basis.
In addition, consent can be withdrawn at any time which means that if you rely on consent and that consent is withdrawn then you must stop processing the personal data concerned.
You can rely on this lawful basis if you need to process someone's personal data to fulfil your contractual obligations to them or because they have asked you to do something before entering into a contract (eg, provide a quote). This basis may be relevant for private practice.
You can rely on this lawful basis if it is necessary for you to process the personal data in order to comply with a common law or statutory (as opposed to a contractual) obligation. Examples of this would be NHS Regulations and GDC Standards.
You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone's life. This is unlikely to be the case in respect of dental practices.
You can rely on this lawful basis where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. This may apply to the processing of personal data in the delivery of publicly funded direct care and providers' administrative purposes. Practices providing NHS care may be able to rely on this basis.
Public authorities, including practices providing NHS treatment, cannot rely on this basis in respect of processing carried out in the performance of their official tasks (delivery of NHS care) but may be able to do so in certain limited circumstances - for example, to send out appointment reminders.
Legitimate interests may include commercial, individual or societal benefits. However, in order to rely on this basis you must be able to show that the processing is necessary to achieve the interest identified and that your interest is not overridden by the interests, rights and freedoms of the individual concerned.
A legitimate interest might exist in a situation where there is a relevant and appropriate relationship between you and the individual concerned.
The relevant special conditions for processing health data are (ie, you will also need to satisfy one of the following special conditions in order to process health data):
Remember that you will need to rely on a lawful basis for carrying out your processing and you will also need to satisfy a special condition in order to process health data.
This guidance was correct at publication 20/06/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.