Dentists have a duty of care for their patients that extends beyond the procedures they carry out. They also need to ensure patients’ private and confidential data is handled sensitively. Since May 2018, that means complying with the EU’s General Data Protection Regulation (GDPR).
In this post, we will look at what GDPR means for dentists and what steps, if any, you should take if you are concerned that you do not currently comply with it.
GDPR was introduced to update and standardise data protection laws across the European Union, bringing the rules up to speed with the digital age.
It established the following key principles:
- Data should be processed fairly and lawfully
- Data should not be stored for any longer than is necessary
- Any private data should be stored securely
- Data has to be collected for a legitimate reason
- Individuals should have the right to know what data is held about them and to ask for it to be erased
The biggest change – one that we have probably all noticed – is that organisations collecting data have to ask clearly for permission when taking it and have to be clear about what they intend to use it for.
GDPR for dentists
Dentistry was in a good position to comply with GDPR – and the vast majority of practices already had robust systems in place to sensitively collect, store, maintain, update and use private data. The General Dental Council’s Standards for the dental team states ‘maintain and protect patients’ information’ as one of its nine key principles.
In practice, the advent of GDPR means that dentists need to have explicit permission for any marketing communications or messages they wish to send to patients – and that patients must feel like they have control to select a level of communication they are happy with.
All dental practices providing NHS treatment are considered public authorities and, under GDPR, these are required to appoint a Data Protection Officer (DPO). This person could be a new employee hired specifically for the role, an existing employee who takes on new responsibilities, or a DPO shared with another practice.
Review GDPR activity to date
By now, every practice should be up to speed with the requirements of GDPR. They should have:
- Updated privacy notices to make it clear how data will be collected, processed, stored and used
- Updated forms and procedures for collecting data that make the reason for the request clear
- Reviewed the process through which subject access requests can be made, so that requests from patients can be met
If any of these steps has not been done – or you are unsure whether it was done to the correct standard – then it should be carried out as a matter of urgency to avoid breaking the law. It may now also be appropriate to review the changes made in the immediate aftermath of May 2018 to ensure they are still relevant.
The key point to be aware of is that dentists must be as clear as possible with their patients about the data they hold and how they hold it. Provided they make this clear – and ask for explicit permission for any use that goes beyond the patient’s care – they will be abiding by GDPR and looking after their patients’ data as well as their oral health.
If you have any questions about looking after the data of your patients, contact DDS today.