In dentistry, patient data is held under a duty of confidence and dental practices operate on the basis of implied consent to use patient data for the purposes of direct care, without breaching confidentiality.
However, patient consent for treatment or to share healthcare records is not the same as consent under the General Data Protection Regulation (GDPR), which relates to the processing of personal data.
GDPR consent must be given freely, and must be specific, informed and unambiguous. Individuals must actively opt in to provide consent, and the use of pre-ticked boxes is specifically prohibited. Consent should be clearly distinguishable from other terms and conditions and should not generally be a precondition of signing up to a service. Consent cannot be overarching: GDPR requires separate (granular) consent for different types of data processing. Where consent is provided, clear records must exist to demonstrate this. Consent can be withdrawn at any time; you should inform individuals of this and provide a simple process for withdrawing consent.
In dentistry, consent is not a relevant legal basis with regard to patient or employee records. However, if you wish to send marketing communications to patients you will require their consent.
Review your existing procedures for obtaining consent for the processing of personal data and update these where required to comply with GDPR.
- Make your consent request prominent, concise, separate from any other terms and conditions, and easy to understand. Include:
  - the name of your dental practice;
  - the name of any third party, such as IT providers, who will rely on the consent;
  - why you want the data;
  - what you will do with it; and
  - that individuals can withdraw consent at any time.
- Ensure that individuals are actively asked to opt in.
- Don’t use pre-ticked boxes, opt-out boxes or other default settings.
- Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.
- Keep records to evidence consent – who consented, when, how, and what they were told.
- Make it easy for people to withdraw consent at any time they choose.
- Keep your consent procedure under review and update it if anything changes.
If you have obtained consent in the past and rely on this to process personal data, ensure that the process for obtaining that consent would stand up to the GDPR standards. If this is not the case, you will need to seek fresh consent using a GDPR-compliant process.
This interim advice is based on resources from the Information Commissioner’s Office (ICO) website. Although every effort has been made to ensure the accuracy of this advice, SDCEP takes no responsibility for inaccuracies or omissions and does not accept responsibility for any loss, damage or expense resulting from the use of this information. Further advice on complying with GDPR can be found on the ICO website and via the EU GDPR learning resource. Your indemnity organisation may also provide information and resources to help you comply, and may be able to advise you regarding particular issues that arise from GDPR implementation.