Protecting patient data
by Kevin Cahill
In the third of a series of four articles on the GDPR and dentistry, Kevin Cahill takes a look at the data controller and processor in practice, and what this means for associates
The General Data Protection Regulation (GDPR) holds an enterprise responsible for meeting its data protection obligations and protecting personal data. In GDPR terms (Article 4(18)), an ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
If you were to look at your dental practice closely, what is the enterprise? If you are a limited company, the liabilities are probably straightforward – it’s the company. If you are a legal partnership you might want to examine the agreements that govern the partnership.
But if you are a group of sole traders that shares common premises and facilities, things may start to become a little unclear. Who, for example, becomes liable if a member of staff causes a data privacy breach? Who do your subcontractors – labs, IT providers and accountants – work for and who owns the policies that define how they should handle your patients’ personal data?
If your patients engage with your practice as a single brand, you will most probably want to operate a single record of processing activities and a single set of data privacy policies for the practice. But what if one partner regularly disregards his/her obligations under those policies? Or what if you happen to be the partner who formally employs the staff or engages a supplier?
It is worth checking what agreements are in place between the partners in a practice, so you understand whether your own personal liability is aligned with your ability to control how the data privacy obligations are met.
Practice associates
For the purposes of this article, it’s important to understand the GDPR definitions for a data controller and a data processor. In simple terms, a data controller determines the purposes and means of the processing of personal data and a data processor processes personal data on behalf of the controller. In the main, your practice is likely to be the controller of patient data.
For most practices we have found clinical associates attend to patients on behalf of the practice and receive fees in proportion to the number of, and income from, consultations that they deliver. The patient considers themselves to be a patient of the practice, their data is maintained on the practice computer systems, and the practice bills them. In such circumstances, the practice is the data controller and the associate is a data processor.
In other cases, typically where the associate is a specialist who visits the practice occasionally, the specialist sets the fee structure, the patients consider themselves to be patients of that specialist and the specialist effectively rents time in that practice to use their treatment rooms and administrative facilities.
Here, the specialist is likely to be the data controller and should maintain their own data policies. However, in many such cases the patient records are held on the host practice’s systems and administered by its staff, so the host practice acts as a processor for the specialist.
The host practice should have a signed data processing agreement in place with the specialist. It should confirm that the practice’s policies for capturing, retaining, managing, securing and deleting data in its role as processor are acceptable to the specialist, and that they do not require the practice to alter the way it manages patient data specifically for the specialist’s patients.
Kevin Cahill is director of Proliance Data Protection Services.
This article was first published in the September 2019 issue of Irish Dentistry.