Do You Require a Data Protection Officer?
We have listed over 74,000 Registered UK Data Protection Officers!

As a UK dentist working with the NHS you are viewed as a "Public Authority". You have a greater responsibility to be fully GDPR compliant. Failure to comply with GDPR requirements can have very serious consequences.

The consequences are ICO fines, client litigation and, in some cases, your dental practice being suspended or, in extreme cases, shut down.

As a Public Authority you have additional mandatory requirements related to being GDPR compliant when collecting and storing your patients' personal and medical data.

Listed below are the specific additional requirements that all UK dental practices must comply with to be GDPR compliant.

Mandatory GDPR requirements for all UK dental practices.
How long must a UK dental practice retain patient records and how does this relate to GDPR compliance?
Can a dental practice be suspended or closed due to non-GDPR compliance?
Other consequences of non-GDPR compliance.
How is consent defined?
When is consent invalid?

What are the mandatory GDPR requirements for a UK dental practice?

UK dental practices must comply with GDPR by registering with the Information Commissioner’s Office (ICO), paying a data protection fee, and implementing robust security measures to protect dental patient data. Key requirements include providing patients with privacy and data consent tick boxes, securing dental patient records and retaining them securely for up to eleven years with the written consent of the patient, appointing an independent Data Protection Officer (DPO) (mandatory for NHS practices as they are viewed as “Public Authorities”), and ensuring dental staff are trained on data protection. Dental practices must also have contracts with any third-party processors, secure online communications, and have clear policies on data handling and breach reporting.

Provide a privacy and consent notice:
Inform dental patients about how their data is used, who has access to it, their rights, and the legal basis for processing.

Secure all records:
Ensure all dental patient records, both paper and digital, are kept securely.

Handle special category data:
Take special care when handling sensitive dental patient data, which includes both personal and health information.

Ensure data accuracy:
Keep patient dental data accurate and up-to-date.

Obtain consent:
Get explicit, unambiguous consent for non-essential marketing communications, and provide a clear way for patients to withdraw consent.

Appoint an independent Data Protection Officer (DPO):
NHS dental practices are required to have an independent DPO with expert knowledge of dental data protection.

Secure online and electronic communications:
Ensure that any online or e-communication (like email) is secure and Data Protection Act (DPA) compliant.

Manage third-party contracts:
Have written contracts with any third-party processors (e.g., IT providers).

Implement breach procedures:
Have a plan to record and report data breaches to the ICO when necessary.

Train your dental staff:
Ensure all staff members understand their responsibilities for handling patient data securely.

Secure personnel files:
Manage staff records in a way that is compliant with data protection laws.

Store dental records for up to ten years:
All dental practices must by law securely store patient dental records for ten years, and to comply with GDPR regulations each record stored must have the written consent of the patient.

Include data security in contracts:
Practice principals should ensure that employee and associate contracts include specific clauses regarding the security and processing of patient data.


How long must a UK dental practice retain patient records and how does this relate to GDPR compliance?

Dentists must keep dental records for different periods depending on the patient’s age and local regulations, but a common minimum is 10 years after the patient’s last visit for adults.

However, to comply with GDPR consent regulations these patient dental records can ONLY be stored with the patient's written permission. Many dentists are storing patient records collected prior to May 2018 WITHOUT the written permission of the patient. This is a serious breach of GDPR!

For minors, records must be kept for a longer period, such as 10 years from the last visit or until the patient turns 18 or 21, whichever is longer. It is crucial to check specific state or national laws, as these can vary.

Adults: Most guidelines suggest retaining records for at least 10 years after the last treatment date. Some regulations may specify 8 years, so it is essential to check the local laws.
Minors: Records for minor patients generally need to be kept for a longer period, often until the patient turns 21 and for one year after that, or at least 10 years after the last visit, whichever is longer.
Specifics:

Orthodontic models: Pre- and post-operative models should be kept longer than intermediate models, which can be discarded after five years.

NHS dental records (UK): Clinical records must be kept for 11 years.

Legal requirements:
State and national laws mandate minimum retention periods based on statutes of limitations for malpractice claims and other legal considerations.

Patient needs:
Records are retained longer for minors because they have a longer legal window for potential claims after they reach adulthood.

Data protection:
Regulations like the General Data Protection Regulation (GDPR) state that personal data should not be kept longer than necessary. However, legal incentives often justify retaining records beyond the time necessary for the immediate purpose.

Can a dental practice be suspended or closed due to non-GDPR compliance?
Yes, a UK dental practice can face penalties, including closure, for non-GDPR compliance. Although closure is an extreme measure reserved for severe breaches, dental practices can be ordered to cease certain data processing activities, which could force a practice to close if that processing is its primary function.

Other consequences of non-GDPR compliance
Fines: The ICO can impose fines of up to £17.5 million or 4% of a practice’s annual global turnover, whichever is higher, for serious infringements.

Enforcement orders: The ICO can issue enforcement orders requiring a practice to take specific actions to become compliant. In severe cases, these orders could halt the processing of patient data, which could force a practice to close if it cannot function without it.

Reputational damage: A data breach or a finding of non-compliance can seriously damage a practice’s reputation with patients and the public.

Legal action: There could be legal consequences for individuals in the practice who are responsible for the breach, including prosecution for a criminal offence in certain circumstances.


Information Commissioner’s Office definition of legal GDPR consent

How is consent defined?
Consent is defined in Article 4(11) as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Article 7 also sets out further ‘conditions’ for consent, with specific provisions on:

keeping records to demonstrate consent;
prominence and clarity of consent requests;
the right to withdraw consent easily and at any time; and
freely given consent if a contract is conditional on consent.

When is consent invalid?
In summary, you do not have valid consent if any of the following apply:

You have any doubts over whether someone has consented;
The individual doesn’t realise they have consented;
You don’t have clear records to demonstrate they consented;
There was no genuine free choice over whether to opt in;
The consent was bundled up with other terms and conditions;
The consent request was vague or unclear;
You did not tell people about their right to withdraw consent;
People cannot easily withdraw consent.



Summary of what dentists need to do to comply with the mandatory GDPR requirements

Comply with GDPR:

All dental practices must be fully compliant with GDPR and be able to demonstrate this compliance.

Ensure proper data handling:

This includes having a lawful basis for processing patient data, being transparent with patients, and having systems for handling data requests.

Hold dental patient records for up to 10 years:
Dental practices must legally store patients' records with the patients' written consent.

Implement security measures:
Practices must have appropriate security to prevent the compromise of personal data.

Appoint an independent Data Protection Officer (DPO):
Dental practices that treat NHS patients are considered public authorities and must appoint an independent DPO with expert knowledge of data protection law.

Document your policy:
Have a clear, written policy that outlines your record retention schedule and the rationale behind it.

Secure disposal:
Once records are no longer needed, ensure they are destroyed securely through methods like shredding or incineration.

Know local laws: Always check your state or national regulations to ensure you are compliant with the specific retention periods required in your area.

As you can see, for dental practices GDPR compliance is a specialised area with many additional requirements. UK dental practices working with the NHS are viewed as “Public Authorities” and come under the scrutiny of the ICO, including GDPR compliance spot checks.

At the Data Protection Officers Association we understand this and have a specialised department of fully qualified independent Data Protection Officers who specialise in GDPR compliance for the medical industry, especially dentists.

The Solution

Because of the unique needs of UK dental practices when it comes to GDPR compliance we have created a specialized Data Protection Officers program specifically designed to deal with and solve these unique GDPR issues that UK dental practices face.

We have trained and appointed qualified DPOA members that are registered Data Protection Officers with the ICO who specialize in GDPR compliance for dental practices.

They will be your expert independent Data Protection Officer as required by the ICO and GDPR regulation.

They will add the correct consent and privacy caveats not only to your website contact page but will thoroughly review all of your website, your advertising and your literature to ensure that they all comply with GDPR requirements.

Your DPOA independent DPO will also review all of your current stored data that has been collected illegally from your website contact form. They will also review any records that are currently being stored without the written permission of the individual including dental records.

They will advise you how to reformat the data you are storing so that it fully complies with GDPR requirements WITHOUT the need to contact the individual! They will also perform all of the required tasks that a registered Data Protection Officer is required to perform every week, month and year to ensure that your dental practice is fully GDPR compliant.


Our Comprehensive Dental Practice Data Protection Officer Service Includes:

Keeping your organisation informed and advised about data protection.
Monitoring your organisation’s compliance with the legislation.
Making sure personal data protection is tailored to your dental practice.
Co-operating with, and acting as the contact point for, the ICO or other supervisory authorities on behalf of your dental practice.

Inform and advise you concerning all GDPR issues:

Facilitate staff training including board members, managers and data facing staff
Share best practice for data protection across the organisation
Advise on the impact of other data protection regulations
Answer queries on all aspects of personal data protection
We will deal with individuals ensuring they can exercise their rights to:
Request access to their data using a Data Subject Access Request (DSAR)
Be informed about processing
Rectify incorrect data

Review and update policies, keeping them up to date with data protection requirements:
Privacy and cookie policy
Consent forms
General data protection policy
Retention policy
Employee policies etc.

We will provide all of the data protection and privacy impact assessments (DPIAs and PIAs) forms.

Ensure all compliance records are maintained including:

Records of Processing Activity (RoPA)
Data asset register
Breach register
Risk register
Log of individuals’ exercised rights
Supervisory authority contact records
Training record

Full GDPR documentation (as required by GDPR regulations) including:

Data Breach Reporting Form
Data Protection Impact Assessment (DPIA)
GDPR General Security Documentation
GDPR Information Security Documentation

We will also perform:
Regular cyber security staff training (as required by GDPR regulations)
Yearly Data Audit (as required by GDPR regulations)


Our Dental Practice Data Protection Officers Service is
your complete solution to dental GDPR compliance.

The Data Protection Officers Association
Independent DPO Service for UK Dental Practices is
Only £28.95 per week.

(First Year Paid in advance £1505.00)



Once booked in, we will immediately begin the process of making your dental practice GDPR compliant, giving you peace of mind from ICO fines and litigation and protecting your data from data breaches!
