At a high level, GDPR asks us to review what data is being stored, how it is being used, whether it is secure, and whether the storing and use of this data infringes on the patients’ rights.
Below are the definitions of some basic terms as they are defined within the act itself. All practice staff should be made aware of these terms and their implications for the daily processes within the practice.
The term “personal data” means any information relating to a patient which allows them to be identified. GDPR gives examples of identifiers, including names, identification numbers, and location data.
A patient may also be identifiable by reference to physical, genetic or cultural factors specific to their identity. Face and retinal photographs may be considered patient identifiable data.
The term “processing” refers to any operation or set of operations performed on personal data. For instance, collecting and storing patient records to provide healthcare is processing.
Processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data. It can involve automated or manual operations.
Optical practices are “data controllers”, a term that refers to a person, company or other body that determines the purposes and means of processing personal data.
The data controller is responsible and liable for the personal data and any breaches, for reporting breaches, and for whether any person or company that processes the data on their behalf complies with the law.
A “data processor” refers to a person, company or other body that processes personal data on behalf of a data controller. Ocuco is a data processor on behalf of customers using Ocuco PMS software.
The most significant change in the new law is that data processors also become liable for breaches. Therefore it is important that data processors and controllers have a ‘Data Processing Agreement’ in place which shows how they comply with the law.
GDPR outlines several ways in which a data controller or processor can legitimately store and use personal data.
The lawful basis for optical practices is ‘for the provision of health care’ but ‘legitimate interests’ could also be asserted. These do not require patient consent for collecting, processing and storing.
Consent is an agreement between the data subject and the processor to process their data. Optometrists are not obliged to gain consent for the ‘provision of health care’ but do need it for processing outside of data storage and recall.
For example, in marketing, where processing is based on the patient’s consent, the controller should be able to demonstrate that the patient has consented to the processing operation, i.e. marketing. Consent must be opt-in, freely given and easily withdrawn without detriment.
‘Data subject’ rights are at the core of GDPR. The data subjects in the context of the optical practice are its employees and patients. Consumer advertising is making patients aware of these new laws, so it is vital that all practice staff not only be aware of their own rights as employees but also understand the practice’s processes and policies when dealing with patients who wish to exercise their rights.
The information below explains the rights generically, but you can see how your practice management system handles each of these rights in the GDPR product section.
A patient has the right to ask to be removed or to have personal data relating to them erased, such as electronic or paper records. Practitioners may refer to the legal basis for processing and existing legislation which places an obligation on the practice to retain health records for a set period. If the data held does not contain eye health information, then it should be removed.
The basic principle is that the practice will erase personal data where there is no compelling reason to keep it.
Legally, the practice must ensure that the patient is informed about what data is stored about them, why it is needed and for what purpose it will be used; this must be in plain language and easily accessible to the patient. It is typically provided in a privacy statement or notice.
A patient has the right to request and gain access to any data the practice have recorded during the relationship; this includes computer and paper-based records. Data needs to be provisioned in a readable format within one month of a patient making the request. It must be provided free of charge unless the request is for reasons which are unfounded, or the patient is making repetitive requests.
A patient has the right to ensure that the data stored about them is accurate and is entitled to rectification if there are errors.
Response to this request should be swift with an expectation of correction of data within one month.
Patients have the right to ask the practitioner to stop processing their data. If this is requested, then the practice must stop sending recalls, for example, but may retain the patient’s health data.
The patient has the right not only to access their data but to take it away with them in electronic format.
Patients have the right to object to the processing of their personal data in certain circumstances and processing must stop unless the practice can show that the lawful basis for processing applies.
For example, the patient can ask that their details not be processed for recall or marketing and if so the practice would have to exclude them from any direct marketing. However, if the data was being processed as part of a legal case, then their objection cannot be met.
Patients have the right to ask to be excluded from any automated processing that would result in profiling of an individual.