The Data Protection Bill, which must be read alongside GDPR, received Royal Assent on 23 May 2018 and became the Data Protection Act 2018.
Although there is still uncertainty about how some aspects of GDPR and the new Act will apply in practice, here is a list of things practices should already have done to prepare. Practices that have not yet taken these steps should identify what remains to be done and have a plan in place to do it.
1. Dental practices providing NHS treatment must have a Data Protection Officer (DPO)
All practices providing NHS treatment are treated as public authorities and were required to appoint a DPO, or to have arrangements in place to share one, by 25 May 2018.
This individual must have proven expert knowledge of data protection law and practice. It is accepted that no DPO will fully understand every ramification of the new requirements on 25 May; the DPO will need to keep up to date with clarifications and changes (for example from the ICO) and understand how they affect the practice as the law becomes embedded.
There are several options regarding appointment of a DPO:
a) Employ a new member of staff with specific knowledge, qualifications and experience.
b) Appoint somebody who already works in the practice and has the knowledge, qualifications and experience described above. This person can add the DPO's duties to their other responsibilities, for example maintaining records of processing activities. A DPO must not be the final decision-maker regarding data processing: for example, they cannot be the person who determines the purposes and means of processing on behalf of the practice as data controller, and they must avoid any conflict of interest.
c) You can share a DPO with one or more practices. NHS Commissioners locally may be able to help facilitate this, but are unlikely to be able to fund such a person.
In deciding upon a shared DPO you will need to consider factors such as:
- the sizes of the practices
- numbers of patients
- whether the DPO is genuinely going to be in a position to understand and advise each individual practice and monitor compliance.
You should document these considerations and the justification for your decision.
Further information about DPOs can be found on the ICO website and the IGA website, which will be updated as matters are clarified.
2. Update privacy notices
You must provide patients with information including:
- the lawful basis on which you are processing their personal data (for healthcare organisations this is likely to be Article 6(1)(e), that processing is '…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…', together with an Article 9 condition for special category data, which includes personal data about health)
- the retention periods for the data
- who it will be shared with.
The ICO has a useful checklist explaining the information privacy notices need to contain.
If you are relying on other legal bases, you will need to specify these in the privacy notice. See the IGA's guidance for more information.
3. Update procedures for subject access requests
The criteria for subject access requests under GDPR are the same as before, and individuals may request access to their own records. As before, you should redact third party information and anything you believe is likely to cause serious harm to the physical or mental health of the patient or another person.
GDPR and the new DPA cover living individuals only. Deceased patients' records remain subject to the Access to Health Records Act 1990. Dental professionals also need to be aware of the GDC's guidance, Maintain and protect patients' information.
Under the new data protection regime there are some differences to the subject access request process:
a) The subject access request does not have to be in writing.
b) The subject cannot be charged for copies of records unless the request is 'manifestly unfounded, excessive or repetitive', in which case you may charge a reasonable fee. There is currently no agreed definition of what constitutes a manifestly unfounded or excessive request, or of what a reasonable fee is. It is hoped that such requests will be rare; when considering them, dental professionals should bear in mind their obligations under paragraph 4.4 of the GDC's Standards for the dental team. It may be helpful to discuss such cases with the DPO and/or to seek advice from the DDU.
c) You need to provide the information within one month.
d) The presumed age of consent for children for this purpose is 13 years, so you will need to obtain consent from children aged 13 or older. Children younger than 13 may nevertheless have the capacity to consent, and if they do, they should be asked for consent.
e) You should document access requests and include information about any delay in providing the information, requests that are 'manifestly unfounded or excessive', and also the information you have provided regarding the right to complain to the ICO or judicial remedy.
Insurance companies, solicitors or other third parties should not be charged if requesting records, with patient consent, under a subject access request. However, other requests for information or reports by third parties should be dealt with in the normal way.
4. Review checklists
The ICO and IGA have provided useful checklists which you should review.
5. Review new data protection fees
The Data Protection (Charges and Information) Regulations come into force on 25 May. These regulations introduce new fees for data controllers, set the charge period in which each fee falls due and fix the amount payable. The amount you need to pay depends on the size of your organisation, assessed by staff numbers and turnover.
The ICO produced guidance when the regulations were in draft, and we expect this to be updated.
This guidance was correct at publication 25/05/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.