
In dentistry, patient data is held under a duty of confidence and dental practices operate on the basis of implied consent to use patient data for the purposes of direct care, without breaching confidentiality.

However, patient consent for treatment or to share healthcare records is not the same as consent under the Data Protection Act 2018 (DPA 2018) [1] and the UK General Data Protection Regulations (UK GDPR) [2], which relates to the processing of personal data.

UK GDPR consent must be given freely, and must be specific, informed and unambiguous. Individuals must opt in to provide consent, and the use of pre-ticked boxes is specifically prohibited. Consent should be clearly distinguishable from other terms and conditions and should not generally be a precondition of signing up to a service. Consent cannot be overarching: the DPA 2018 [1] and the UK GDPR [2] require separate (granular) consent for different types of data processing. Where consent is provided, clear records must exist to demonstrate this. Consent can be withdrawn at any time, and you should inform individuals of this and provide a simple process for withdrawing consent.

In dentistry, consent is not a relevant legal basis with regard to patient or employee records. However, if you wish to send marketing communications to patients, you will require their consent.

The Information Commissioner's Office provides a checklist on asking for consent.

Review your existing procedures for obtaining consent for the processing of personal data and update these where required to comply with the DPA 2018 [1] and UK GDPR [2].

  • Make your consent request prominent, concise, separate from any other terms and conditions, and easy to understand. Include:
    • the name of your dental practice
    • the name of any third party, such as IT providers, who will rely on the consent
    • why you want the data
    • what you will do with the data, and
    • that individuals can withdraw consent at any time.
  • Ensure that individuals are actively asked to opt in. 
    • Don’t use pre-ticked boxes, opt-out boxes or other default settings. 
    • Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.
  • Keep records to evidence consent – who consented, when, how, and what they were told.
  • Make it easy for people to withdraw consent at any time they choose.
  • Keep your consent procedure under review and update it if anything changes.

If you have obtained consent in the past and rely on this to process personal data, ensure that the process for obtaining that consent would stand up to the DPA 2018 and UK GDPR standards. If this is not the case, you will need to seek fresh consent using a DPA 2018 and UK GDPR-compliant process.

Sources of information

  1. Data Protection Act 2018
  2. The UK GDPR. Information Commissioner's Office