Roger Matthews looks at the significance to you of the EU’s forthcoming General Data Protection Regulations.
For the latest position on GDPR please refer to the GDPR Blogs Errata.
If it hasn't already happened to you, it will! Over the next few months you'll be approached with numerous offers to guide you (for a fee) through the 'demanding processes' of compliance with the EU's General Data Protection Regulations (GDPR).
"Aargh," you may say, as you read the doom-sayers' predictions of harsh fines and imprisonment (or both), here comes yet more compliance pressure on my overworked dental team!
However, you should be reassured by the Information Commissioner's statement that anyone (or any organisation that complies with the existing Data Protection law, is already well on the way to achieving compliance with the new requirements.
New Data Protection Act from 25th May
GDPR was issued by the EU in May 2016, giving all member states two years to comply. It's provisions will apply in the UK from 25th May this year. However, each country has some freedom to amend a few details and the UK Government has also decided to 'tidy up' and 'tighten up' on the existing law, the Data Protection Act 1998.
so, on 25th May there will be a new Data Protection Act 2018. This will encompass the GDPR requirements and the draft legislation is currently lumbering through Parliament. The House of Lords has been debating it since October and it probably won't get the Royal Assent until sometime around Easter.
While we don't absolutely know what the final version will look like, we do know most of it, given that much of the discussion will not really be relevant to dentistry in particular, or primary healthcare in general.
12 step guide
The Information Commissioner's Officer (ICO) has already issued a '12 step guide' to the GDPR which is a useful start to check your current status. As a responsible practice you'll already be registered ('notified') with the ICO (don't be fooled by the earlier news that GDPR will abolish notification or annual fees!) Plus, you'll have a Data Protection Policy and an Information Security Policy (Information Governance compliance too, if you're an NHS contract-holder).
It is worth checking some things at this early stage, however. Do you obtain 'specific and explicit' consent from your patients to store their data? Do you have a privacy notice that tells patients (and prospective patients, for instance on your practice website) exactly what data you hold and who you share it with?
It may seem simply - you keep their personal details and health records and because you know all about professional confidentiality, you keep it all to yourselves. But what about your IT system? Is it backed-up in-house? Is it held in ‘the Cloud’? And if so, where exactly? Do you send patient information to any third parties, such as insurance companies or Simplyhealth Professionals, for instance? You can be certain
that Simplyhealth has rigorous security, but do others? Do you? Is any data taken home or stored on USB sticks or personal computers? It’s worth thinking it through and conducting an audit to look at all the data inflows and outflows.
When you know exactly where all your patient and staff data comes from and where it goes, you can rest assured that you’ll have ticked off one important stage in preparing for the 25th May deadline.
About the Author:
Roger Matthews MBE - Former Chief Dental Officer and Honorary Life President at Simplyhealth Professionals.