Data protection is changing − the new general data protection regulations (GDPR)

From Volume 11, Issue 3, July 2018 | Pages 110-114

Authors

Nicholas Hemmings

BDS, MSc, MOrth RCS(Ed), FDS RCS(Ed)

Consultant Orthodontist, Ashford and St Peter's Hospitals, London WC1X 8LD, UK

Abstract

The General Data Protection Regulations (GDPR) govern the use of personal data within the European Union as from 25th May 2018. This supersedes the legislation of the Data Protection Act (DPA). Whilst it has many similarities to the DPA, it has significant enhancements that require active engagement to ensure compliance. It is a requirement for practices to appoint a Data Protection Officer, pay the Information Commissioner's Office (ICO) fee, update their privacy notices, create written contracts between controllers and processors, identify and document the lawful basis for processing data, and comply with the rights of individuals.

CPD/Clinical Relevance: Data protection regulations have changed as part of EU legislation. These changes applied from 25th May 2018 and are applicable to all.

Article

Personal data can be defined as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.1 Further to this, ‘sensitive’ personal data, now known as ‘special categories’ of personal data include:

  • Racial/ethnic origin;
  • Political opinions;
  • Religious/philosophical beliefs;
  • Trade union memberships;
  • Data concerning health or sex life and sexual orientation;
  • Genetic data (added by GDPR);
  • Biometric data where processed uniquely to identify a person (added by GDPR).1

    The new General Data Protection Regulations supersede the Data Protection Act (DPA), to standardize data privacy laws and protect an individual's rights in a modern data-driven digital economy.2 It comprises 99 articles grouped into 11 chapters. It is applicable to all organizations operating within the European Union (EU), and to non-EU organizations offering goods and services to individuals within the EU.1 Britain's decision to leave the EU does not affect the implementation and enforcement of this European legislation,3 which came into force on 25th May 2018. The Information Commissioner's Office (ICO) has stated that ‘if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from’.4 There are, however, new elements and significant enhancements which are applicable to both automated and manual systems.1

    The existing Data Protection Act came into force in 1998, and has been the legislation that has governed the use of personal data since that date. As many will know, it comprises 8 basic principles.5 Principle 6 describes the individual rights of the data subject.6 Similarly, GDPR has 6 basic principles,7 plus individual rights of the data subject.8 Please refer to Table 1 for details of both the DPA and GDPR principles and rights.


    Table 1. Principles and rights of the individual under the DPA 19985,6 compared with the GDPR 20187,8.

    DPA 1998 − Principles5
  • Personal data shall be processed fairly and lawfully.
  • Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • Personal data shall be processed in accordance with the rights of data subjects under this Act.
  • Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

    GDPR 2018 − Principles7 (from 25/05/18), Article 5(1)
  • Processed lawfully, fairly and in a transparent manner. (Lawfulness, fairness and transparency).
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. (Purpose limitation).
  • Adequate, relevant and limited to what is necessary in relation to the purpose(s). (Data minimization).
  • Accurate and where necessary kept up to date; every reasonable step taken to ensure inaccurate data is erased or rectified without delay. (Accuracy).
  • Kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed. (Storage limitation).
  • Processed ensuring appropriate security of personal data, including protection against unauthorized/unlawful processing, and accidental loss, destruction or damage, using appropriate technical or organizational measures. (Integrity and confidentiality − security).
    Article 5(2) requires that: ‘the controller shall be responsible for, and be able to demonstrate compliance with the principles’.

    DPA 1998 − Rights of the Individual6
  • A right of access to a copy of the information comprised in their personal data;
  • A right to object to processing that is likely to cause or is causing damage or distress;
  • A right to prevent processing for direct marketing;
  • A right to object to decisions being taken by automated means;
  • A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed;
  • A right to claim compensation for damages caused by a breach of the Act.

    GDPR 2018 − Rights of the Individual8
  • The right to be informed;
  • The right of access;
  • The right to rectification;
  • The right to erasure (‘right to be forgotten’);
  • The right to restrict processing;
  • The right to data portability;
  • The right to object;
  • Rights in relation to automated decision-making and profiling.

    There are two types of designated data handlers that are defined in the GDPR; controllers and processors:

  • Controller: ‘someone who determines the purposes and means of processing personal data’.1
  • Processor: any person (other than an employee of the data controller) who is responsible for processing personal data on behalf of a controller (including third parties such as cloud storage companies).9
    A written contract with specific minimum terms is a general requirement between controllers and processors10 (Table 2). Whilst there has been a suggestion of ‘standard contractual clauses from the EU Commission or supervisory authorities (eg ICO) to be used in contracts, none has been drafted so far’.10 Similarly, the suggested approved codes of conduct or certification schemes for processors to adhere to are not currently available.10 Controllers are liable for their compliance with the GDPR, but processors will also have direct responsibilities and liabilities (Table 3), and may be subject to fines, penalties or paying compensation.10

    Table 2. Minimum terms that the written contract between controller and processor must set out10 − the processor must:
  • Only act on written instructions of the controller.
  • Ensure people processing the data are subject to a duty of confidence.
  • Take appropriate measures to ensure the security of processing.
  • Only engage sub-processors with prior consent of the controller and under a written contract.
  • Assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR.
  • Assist the controller in meeting its GDPR obligations in relation to security of processing, notification of personal data breaches and data protection impact assessments.
  • Delete/return all personal data to the controller as requested at the end of the contract.
  • Submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

    Table 3. Direct responsibilities of processors under the GDPR10 − the processor is required to:
  • Only act on the written instructions of the controller (Article 29).
  • Not to use a sub-processor without prior written authorization of the data controller (Article 28.2).
  • To co-operate with supervisory authorities (eg ICO) in accordance with Article 31.
  • To ensure the security of its processing in accordance with Article 32.
  • To keep records of processing activities in accordance with Article 30.2.
  • To notify personal data breaches to the data controller in accordance with Article 33.
  • To employ a data protection officer if required in accordance with Article 33.
  • To appoint (in writing) a representative within the EU if needed in accordance with Article 27.
    The Information Commissioner's Office (ICO) is the ‘UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals’.11 To ensure its continued funding, there will be a new charging structure for data controllers which is awaiting parliamentary approval.12 Note that this will be in force by the time that the GDPR is rolled out. Controllers with current registration under the 1998 Act do not have to pay the new fee until their existing registration has expired.13 The new fees are:13

  • Tier 1: £40 − micro-organizations (with a maximum annual turnover of £632,000, or less than 10 members of staff employed).
  • Tier 2: £60 − small/medium organizations (with a maximum annual turnover of £36million, or less than 250 members of staff).
  • Tier 3: £2900 − large organizations. (Note that the ICO assume that as a controller you fall into Tier 3 unless you inform them otherwise.13)

    The ICO has kindly created a PDF document entitled ‘Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now’;4 please see the following link: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

    The remainder of this article will expand on these 12 steps in the same order.

    1. Awareness

    GDPR is a new law, in force from 25 May 2018.

    2. Information you hold

    Article 30 requires you to record your processing activities, ie document what personal data you hold, where it's from, who it's shared with,4 the purpose, retention schedules, and security measures. Performing an information audit will help ensure that you understand how data flows through your practice.14 Other useful documentation includes: Information for privacy notices, consent, GDPR contracts, location of personal data, Data Protection Impact Assessment (DPIA) reports, and records of data breaches.15

    3. Communicating privacy information

    Articles 12−15 relate to ‘Privacy Notices’,16 and list mandatory information that needs to be given to patients as a ‘written notice’, free of charge where data is obtained from them, in clear plain language that is concise, transparent, intelligible and easily accessible17 (refer to ICO website for table https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/)

    To ensure compliance you should review your current privacy notices (ie your identity, what data will be collected, how you intend to use it, the purpose for which it will be used, how it may be shared). For good practice, patients should be asked for their preferred method of receiving appointment reminders, and the privacy notice should be updated to state that the practice will be communicating with patients via this method(s).14

    4. Individual's rights

    It is important to check practice procedures to ensure that they cover all individuals' data rights, particularly how to delete personal data, and how to provide data electronically and in a commonly used format.4

    ‘A significant enhancement compared to the DPA is the GDPR's right of Data Portability’ (Article 20). Patients must be made aware of this right, and the information must be provided free of charge18 (removing the previous maximum £50 subject access fee for dental records). Note that this is only applicable to:4

  • Personal data an individual has provided to a controller;
  • Where the processing is based on the individual's consent or for the performance of a contract;
  • When processing is carried out by automated means (ie electronic data).

    5. Subject access requests

    Individuals can make requests at any time, and procedures must be updated for handling requests within the new timescales:19

  • One month to comply compared with the existing 40 days. This can be extended by two months for complex/numerous requests; the individual must be informed within one month of receipt of the request, explaining why the extension is required.
  • In most cases a fee cannot be charged for complying with a request.
  • Requests that are manifestly unfounded or excessive (particularly if repetitive) may be charged for or refused. If refused, the individual must be informed of why (within one month) and he/she has the right to complain to the supervisory authority and to a judicial remedy.

    6. Lawful basis for processing personal data

    Article 6 details the conditions for processing personal data; one of the 6 listed below must apply.20 Note that an individual's rights will be modified depending on the lawful basis:

  • Consent (NB this can be withdrawn at any time, and the subject may then request that all data be erased);
  • Contract;
  • Legal obligation (to comply with a statutory obligation, not contractual obligation);
  • Vital interests (processing is necessary to protect someone's life);
  • Public task;
  • Legitimate interests, eg patient recalls (this cannot apply if you are a public authority processing data to perform your official tasks).

    The different categories of personal data processed within the practice should be identified; the applicable legal basis should be considered and documented, and the privacy notice updated to explain it.4 The lawful basis will have to be explained when a subject access request is answered.4

    The BDA advise that the most common bases for processing data that GDPs will rely upon are:14

  • ‘Provision of dental care and treatment’ − for processing information, including sensitive personal data, about patients and their health.
  • ‘Establishment, exercise and defence of legal claims’ − a lawful basis for retaining patient records for 10 years, and employee records for 6 years.
  • ‘Purposes of employment and social security law’ − for processing employee information.

    7. Consent

    This must be specific, given freely, informed and unambiguous, have a positive opt-in, separate from other terms and conditions, and have simple ways for people to withdraw it.4 How the practice seeks, records, and manages it should be reviewed.4 It would be sensible to ‘refresh existing consents now if they do not meet the GDPR standard’.4 ‘Processes to honour withdrawals of consent promptly’ should be introduced.2

    8. Children

    The GDPR age of consent to processing is 16 years;4 lowering it to 13 years in the UK has been ‘proposed in the Data Protection Bill and is subject to Parliamentary approval’.20 Children have the same rights as adults over their personal data,20 and it is important that ‘Privacy Notices’ are clear and written in language that children will understand.4 Systems to verify individuals' ages and to obtain parent/guardian consent for any data processing are required.4

    9. Data breaches

    Article 33 places a duty on all organizations to report certain personal data breaches to the relevant supervisory authority, within 72 hours of becoming aware (where feasible), and the individuals directly where applicable.21 Information may have to be provided in phases as the investigation takes place.21 Failure to report may result in a fine, plus a fine for the breach itself.

    ‘You only have to notify the ICO where a breach is likely to result in a risk to the rights and freedoms of individuals: eg it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage’.4 If there is a high risk to individuals, those concerned must be notified directly.4 Ensure that the practice has a robust breach detection, investigation and internal reporting procedure in place.4

    Penalties (Article 84) − A practice in breach for the most serious infringements can be fined up to 4% of annual global turnover (not profit) or €20 million − whichever is greater.2 The practice can also be fined 2% for: (1) not having records in order; (2) not notifying the supervising authority and data subject about a breach; (3) not conducting an impact assessment.2

    10. Data protection by design and data protection impact assessments

    ‘GDPR makes privacy by design an express legal requirement, under the term − data protection by design and by default. It also makes Privacy Impact Assessments (PIAs) − referred to as “Data Protection Impact Assessments” (DPIAs) − mandatory in certain circumstances’4 where data processing is likely to result in high risk to individuals: (1) where new technology is deployed; (2) where a profiling operation is likely to affect individuals significantly; (3) where there is processing on a large scale of the special categories of data.4

    ‘An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur’.22 It would be a recommendation to ‘familiarise yourself with the ICO's code of practice on Privacy Impact Assessments’.4

    11. Data protection officers (DPO)

    Articles 37−39: The practice must designate an individual responsible for data protection compliance, and determine where this role will sit within the structure and governance arrangements.4 The practice is formally required to designate a Data Protection Officer if it is:2

  • A public authority (except for courts acting in their judicial capacity), ie NHS dentists (Article 37(1)(a));
  • An organization that carries out the regular and systematic monitoring of individuals on a large scale (Article 37(1)(b));
  • An organization that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions (Article 37(1)(c)).

    The DPO has a minimum set of tasks:23

  • Inform and advise the organization and its employees about their obligations to comply with the GDPR and data protection laws.
  • Monitor compliance with the GDPR and data protection laws:
      • managing internal data protection activities;
      • advising on data protection impact assessments;
      • training staff and conducting internal audits.
  • Be the first point of contact for supervisory authorities/individuals whose data is processed (employees, customers, etc).

    As NHS dentists are regarded as public authorities, all NHS practices will require either an internal or external DPO.2 It will be possible to appoint a single DPO to act for a group of practices, and these services can be contracted out.2 ‘It is anticipated that Clinical Commissioning Groups (CCGs) may provide DPOs in primary care settings’.2 Organizations who are not required to appoint a DPO may still appoint one.2

    ** The BDA are actively lobbying to have this DPO requirement removed **14

    12. International

    If your organisation operates in more than one EU member state (ie cross-border processing), you should ‘determine your lead data protection supervisory authority and document this’.4

    Accountability and governance

    This is a significant part of GDPR. There are two main elements:

  • Responsibility for complying; and
  • Demonstrating compliance.24

    The practice must implement appropriate technical and organizational measures to ensure and demonstrate compliance, eg internal data protection policies/staff training/internal audits of processing.24 Relevant documentation on processing activities must be maintained and a DPO appointed, where appropriate.

    Measures must be implemented that meet the principles of ‘data protection by design’ and ‘data protection by default’. These measures could include:

  • Data minimization;
  • Pseudonymization;
  • Transparency;
  • Allowing individuals to monitor processing;
  • Creating and improving security features on an ongoing basis.25

    Data protection impact assessments (DPIA) should also be used where appropriate.25

    Summary

    If your practice is currently complying well with the DPA, then there will be few changes to make. Below are a number of key ‘take home’ messages and points to action in order to help comply with GDPR.

  • Transparency of data processing is a fundamental principle – people (patients, employees, associates) have to be informed as to what is happening with their data via detailed privacy notices. (This should include the legal basis for processing, individuals' rights, and the duration of storage, to name a few). If information is stored on a cloud-based system, individuals must be informed of this and how it is protected.
  • Accountability is a legal reality; therefore make staff aware, provide training, and ensure all policies are up to date (eg confidentiality, records management, and data security). Unlike the DPA, processors now have legal responsibilities. Self-employed associates using a practice computer system are processors − they require a written contract with the data controller.
  • Audit − an information audit of processing will highlight how data flows through your practice. Keep a record of each type of processing undertaken, the lawful basis for it and how this was decided. Records of these activities will help demonstrate compliance with GDPR.
  • Consent − limit the use of this for the legal basis as often it cannot be ‘freely given’. Furthermore, as quickly as it is given, it can be removed.
  • Establish written agreements with third parties (including labs, software, cloud storage companies).
  • Rights of the Individual:
      • Rectification − any inaccurate information must be rectified, including with all those that have shared it. Employing periodic reviews/checks will ensure that all data is up-to-date and accurate.
      • Data Portability − any patients may request transfer of their electronic dental records. Liaising with the practice software company early will help make this process more streamlined and stress-free. Don't forget data transfers must be secure.
      • Erasure − personal details can be deleted, but dental records have to be kept by law.
      • Subject access request − in most cases the practice is now not able to charge.
  • Data breach − priority should be the implementation of systems to protect data, but systems should also be established to detect, investigate and report any breaches.
  • DPIA − required if new technology is being introduced within the practice.
  • DPO − as a dental practice one needs to be appointed (this can be outsourced).
  • International − check that the practice data are not transferred outside the EU.
  • ICO fee − unless informed, the ICO assume that as a controller your practice falls into Tier 3 (£2900 fee); a potentially costly mistake.
  • Cloud-based – ‘Check the security measures of your cloud provider; ask for an independent security audit of their physical, technical and organisational security (reputable cloud providers should have this)’.26