GDPR 6 months on

Posted by Dr Roger Matthews on 20/12/2018

Roger Matthews looks at what’s changed following the introduction of General Data Protection Regulation

We’re now six months on from ‘GDPR Day’, after which, allegedly, dentists could no longer communicate with their patients and we’d all stop getting those spam e-mails. Hmm, the power of mythology, eh?

It’s gratifying to note that:

  • Over 3,100 Denplan member dentists and practice managers have accessed or downloaded the GDPR Resources Pack from the membership Dashboard
  • Nearly 1,700 followed the blogs
  • 500 joined or reviewed the Simplyhealth Professionals GDPR webinar

So, was it a case of ‘doom averted’? Well, the Information Commissioner has noted a huge increase in breach notifications and concerns reported since the new Act became law. The £0.5 million fine levied on Facebook has sent a strong message to social networks that the new law has teeth, and overall it is no bad thing that Data Protection has become a front-of-mind topic for everyone who processes personal data.

For healthcare practitioners and teams, our professional obligations around confidentiality already meant that we were perhaps ahead of the game. But I do note that in the last few months there have been three separate sanctions applied against individual members of healthcare teams who have inappropriately accessed patient notes for non-health purposes. It’s maybe worth reminding all team members that looking at data (which is processing it) purely to satisfy curiosity or for social or personal reasons is a serious disciplinary matter.

So far, the Professional Support team at Simplyhealth Professionals have not received any serious concerns or challenges on the topic of GDPR, and to date it does not appear that removal of the ‘reasonable charge’ for providing patients with copies of their notes has, as yet, caused any major issues.

So, if nothing else, the renewed attention given to data security and confidentiality has meant that the days of passwords on sticky notes attached to monitors are truly behind us, and that can be nothing but a good thing.

Email ‘hacks’ are still relatively common, however. It’s essential to have good passwords which are changed regularly, and never, never to open any email attachments unless you are absolutely sure they are genuine (if an email is from an apparently trustworthy source, but is not expected, always check the full email address - username and domain name - by clicking next to the sender’s name).

Additionally, never leave an open terminal unattended; ensure back-ups are secure and don’t allow any unauthorised USBs, disks or other accessories anywhere near your clinical system; make your staff aware of ‘phishing’ phone calls and emails; don’t send any clinical data by email unless it is encrypted, even if the patient says it’s OK. And check your anti-virus software and firmware updates are all installed, promptly applied and documented.

Legitimate interests

We recommended this as the lawful basis for any non-NHS clinical records and associated patient data (NHS records would be processed on the basis of Public Task). The authoritative web forum has published updated advice on Legitimate Interests, what it is, and what it means. This advice has been ‘welcomed’ by the Information Commissioner.

Although some sources recommend ‘consent’ as a legal basis, we believe this is unwise. As the updated advice states, the withdrawal of consent by a patient means that their right to erasure (and immediate cessation of processing) is powerful. You’d probably agree that deletion of clinical records is very unwise.

Under Legitimate Interests, the Data Controller has a much more powerful defence against erasure demands, and significantly, the advice also notes that the ‘right to portability’ is not an automatic requirement using this lawful basis.

The advice also confirms our strong recommendation to conduct a Legitimate Interest Assessment (LIA). Whilst you may feel that it is obviously ‘legitimate’ to keep clinical records, the use of a template LIA, such as the one we have provided, is really important.

Finally, Legitimate Interest does not apply to other processing of patient data, such as direct marketing. So it is wise to have patients’ specific consent for this: we recommend a short note above the patient signature on Medical History forms or updates.

As ever, the Professional Support team at Simplyhealth Professionals are happy to answer any queries or concerns you may have, and Insight will continue to keep you up to date on Data Protection and other compliance matters.

Roger Matthews, MBE

Former Chief Dental Officer and Honorary Life President at Simplyhealth Professionals