Data protection – getting it right
Dentists across the UK will be all too familiar with the Data Protection Act 1998 (DPA) but possibly not yet accustomed to the EU’s General Data Protection Regulation (GDPR), which will apply from 25 May 2018. Notwithstanding Brexit, the UK government has indicated that it will implement the new regime and, even if this were to change, dental practices dealing with data relating to EU citizens would still be required to comply whenever an EU resident’s personal data is processed in connection with goods/services offered to him/her.
Whilst the principles of the new Regulations are similar to those in the DPA, there are some additional requirements that dentists need to be aware of, one of the most significant of which is accountability. Processors and controllers of personal data will need to ensure that they have adequate systems, contractual provisions, documented decisions about processing and training in place so that they can demonstrate compliance with the GDPR.
So why would one be concerned with this now when the new Regulations will not apply until May 2018? Put simply, because the penalties which may be imposed are extremely draconian. Depending on the “tier” of the breach, fines can be up to €20million (£17,375,600) or 4% of the total global turnover, not profit, based on the preceding financial year, whichever is the greater.
So whilst 2018 may seem like a long way off, there is a huge amount that dental practices can do now to ensure that they have robust systems in place to meet the new requirements, once introduced.
The Information Commissioner’s Office (ICO), the regulator responsible for ensuring that organisations comply with data protection legislation, recognises that the health sector handles some of the most sensitive personal data and to this end, it has audited a broad range of health organisations in order to identify some of the main pitfalls in complying with data protection legislation.
An obvious area in which to begin is records management. The ICO reports that across a range of organisations it has visited, including dental practices, it often sees ineffective logging, tracking or movement of manual records, with over 200 self-reported breaches of paperwork lost or stolen in the last year. The harsh reality is that such breaches can lead to ICO investigations and, under the new regime, very punitive fines. However, there are a number of steps that dental practices may take to ensure better management of data and vigilance of compliance with the rules, including:
- Developing records management policies and procedures – It is important to ensure such policies and procedures are kept up to date, based on a measurable risk assessment and the information is disseminated to all staff members at the practice with access to or handling sensitive personal data;
- Training – It is vital that there is a formal records management training programme in place comprising mandatory induction training as well as periodic refresher training for all staff with access to personal data;
- Records inventories – It is advisable to have a comprehensive and up to date inventory that shows what records are held, what they contain, in what format, and what value they have for the practice. Any index used should enable accurate retrieval and tracking;
- Tracking and off-site storage – If there is any movement of personal data outside of the practice, implement controls to log the physical movement of such records, giving an audit trail of records transactions;
- Security – Ensure that there is appropriate security in place to prevent personal data held being accidentally or deliberately compromised. Ensure that staff understand the requirements of data protection and confidentiality. Also ensure that the security system in place is in line with the GDC’s Standards for the Dental Team and CQC’s Outcomes Framework;
- Retention – As a starting point, the DPA states that personal data should be retained for no longer than is necessary, but it does not go on to specify how long is necessary for different categories of data. The BDA has established the following recommendation for retention of dental records:
  - 11 years for adults;
  - 11 years for children or up to their 25th birthday, whichever is longer.
  Dental practitioners should implement a retention policy scheduling when personal data should be destroyed, taking into account industry standards and any other relevant legislation which may require personal data to be retained. Careful consideration needs to be given to the safe disposal of manual and electronic records at the end of the retention period;
- Business continuity – Check that the record management policy and procedures in place are effective. Undertake compliance checks to ensure the effectiveness of tracking mechanisms. Monitor the effectiveness of the system. Do not wait until a problem arises to learn what to do.
It is important to take steps as early as possible to prepare for the new regulatory framework on its way in May 2018. Hopefully some of the pointers in this article will help you to take control and lead from the front in preparation for the introduction of the new Regulations next year.
Please contact us if you would like to discuss how any of the above affects you or your practice.