The General Data Protection Regulation (GDPR) is a new law that replaces the Data Protection Act 1998. The GDPR is now in force (from 25th May 2018).
The GDPR applies to all “personal data”, which covers any information relating to a person who can be identified, directly or indirectly, from that information.
All dental practices should appoint a data protection officer (DPO), as their core activities include the large-scale processing of health records.
A dental practice must have a “valid lawful basis” in order to process personal data. Consent is one of those lawful bases, but there are six others. Note that consent to dental treatment is not the same as GDPR consent to the processing of personal data.
The six lawful bases for processing personal data are set out in Article 6 of the GDPR, and at least one of the following must apply whenever personal data is processed:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Which lawful basis applies?
It is clear from the above list that more than one lawful basis may exist for dentists. Clearly a signed consent form (for data processing, not dental treatment) is the best option. In fact, arguably all six lawful bases may be applicable; the ICO's guidance suggests that, where more than one basis applies, you should clearly identify and document all of them from the start.
Dentists must bear in mind that the principle of accountability requires you to be able to demonstrate compliance: keep a record of which basis you are relying upon for each processing purpose, together with a justification for why you believe it applies.
Interestingly, there is no absolute right to be forgotten. Patients can ask for their data to be erased, but only when there is no compelling reason for its continued processing. Dentists will arguably have a good reason for continuing to process the data they hold for the purposes of providing medical care.
Also worthy of note is the fact that dentists can no longer charge for the provision of notes and records once a request has been made. The GDPR does not allow any fees to be charged, save where repeat requests for the same information are made.
See https://ico.org.uk for more information.