Knowing me, knowing you
Kevin Lewis discusses the potential impact of the new GDPR.
It may be time to re-write the old saying: ‘It’s not what you know, it’s who you know’. As from 25 May, when the General Data Protection Regulation (GDPR) descends upon us all, it’s more a case of who you know, what you know about them, where and how you acquired this information, why you needed to know in the first place and why you still hold the information today, who else has had access to it and for what reason…and so on. The list is of course much longer than this – it comes from the European Parliament after all – but it hardly lends itself to a snappy little saying.
Data protection reboot
GDPR is a bit like the Data Protection Act (DPA) on anabolic steroids. Under the DPA, much of the kind of information about patients held by healthcare professionals such as dentists, was defined as ‘sensitive personal data’. This has meant personal data from which a living person could be identified (either directly, or indirectly when considered alongside other accessible information) consisting of information as to the person’s racial or ethnic origin, religious beliefs or other beliefs of similar nature, physical or mental health or condition.
The GDPR recognises the march of healthcare technology into areas not envisaged by the original DPA 20 years ago, and it specifically defines not only ‘data concerning health’, but also ‘genetic data’ and ‘biometric data’.
How the world has changed. A whole generation is growing up in a world where images of them have existed on someone else’s hard drive since they were foetuses. Meanwhile, at border control gates around the world we are all leaving a digital biometric record of ourselves each time we pass through. And given the recent history of data security breaches on an industrial scale involving Government agencies (including the NHS), financial service providers, Facebook etc, a collective crisis of confidence in the security of our most private information is pretty understandable.
Most significantly, all three of the above definitions command a significantly higher standard of protection within GDPR than most other forms of personal data. The easiest way to ensure lawful processing of data is to seek and obtain the ‘explicit’(sic) consent of the patient/data subject and healthcare professionals should be no strangers to the requirement for this to be a ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
Somewhat unhelpfully in my view, GDPR leaves the debris of these good intentions strewn in all directions by failing to define what it actually means by the term ‘explicit’ and how this differs from the term ‘unambiguous’ – if indeed it does. And if it doesn’t, why use two words? It also falls into the same old trap that healthcare professionals have had to tiptoe around for years in relation to the unhelpful term ‘informed consent’.
It is one thing to have been provided with information, and quite another thing to understand the practical personal implications of that information. Even the GDC moved some years ago to the use of the alternative term ‘valid consent’, recognising that providing information in a standard way, is no guarantee of understanding by a specific person in a particular situation.
While people cannot be expected to make any decision in the absence of any information at all, there is more to valid consent than information alone. Sitting this new GDPR approach to consent alongside the Mental Capacity Act, not to mention the 2015 Supreme Court decision in the case of Montgomery, makes it seem even more perverse.
Under GDPR you can no longer consent passively or through inactivity – that ‘clear affirmative action’ bit means that you have to specifically opt-in rather than simply failing to opt-out. In reality we will have no time left to obtain what we want from a website anyway, because we will be wading our way through their encyclopaedic privacy statements, and lawful basis for processing our personal data.
Another pitfall that little word ‘necessary’. If you haven’t obtained a patient’s ‘explicit consent’ to processing data concerning their health and/or health services provided to them, you will need to be able to demonstrate that it was ‘necessary’ for you to collect, hold, process, share and/or retain the data. The more one thinks about this in the context of the patient’s best interests, the higher the bar seems to get. I may have needed certain information for a specific purpose X years ago, but do I still need it?
So, as we enter yet another new world, there will be those within the dental profession who are frustrated and exhausted by the seemingly endless ratcheting up of legislation, regulation, scrutiny, and compliance. There is always more to do and costs to be incurred, but never any new money on the table.
But GDPR does something else, which we should all welcome. Every dental professional is also a consumer and from time to time a patient too. I don’t like getting unsolicited mail and emails from companies that I have never had dealings with, and nor would I want any member of my family (including myself) to have their personal health information bandied around or used for purposes we never intended and have not been told about.
Wouldn’t it be great if GDPR can draw a line in the sand and send out a clear message that personal information is just that – it is and should remain private and secure unless and until the person in question specifically decides otherwise, in full knowledge and understanding of where that information might go next, and why?
Subject access requests – which can now be made for free and are likely to become more frequent – may be onerous for small businesses to comply with, but on the other hand we all gain some rights as individuals that we didn’t have before GDPR, and we can benefit from a strengthening of many other rights that we already enjoyed under the DPA but possibly never took advantage of. I am sure that many dental professionals in all branches of dentistry will be interested in the newly extended ‘right to be forgotten’ and the new ‘right to data portability’.
If we look at GDPR as a data subject, rather than as a data processor and/or controller, it looks a whole lot different. And so much better. And if anything, long overdue.