On the Frontline: GDPR and OAs

Optical assistants deal with large amounts of patient data so it is essential OAs know about their responsibilities under GDPR

Figure 1: Personal data is information that relates to an identified or identifiable individual

The General Data Protection Regulation (GDPR) replaced the Data Protection Act 1998 (DPA) on 25 May 2018. It imposes strict obligations and brings in a new set of legal requirements relating to the protection of personal information, with high fines for non-compliance of up to £17.5 million or 4% of annual global turnover, whichever is greater.

GDPR protects individuals’ (patients’) rights and freedoms over their personal data, ensuring it is used properly and fairly. It highlights the need to maintain patients’ confidentiality and respect their privacy, which is why it is taken seriously by the optical profession.

The main reason behind the creation of GDPR was the need to bring data protection law up to date with technological advances, particularly the increased use of computers to capture people’s data. GDPR returns power and control to individuals over how their data is used.

In practice we use large amounts of personal data, some of it relating to children. GDPR sets the rules about how your business collects data and the rights of individuals over their data, including the right to access their personal data through subject access requests (SARs) and the right to be forgotten.

Optical practices are involved in processing personal information and must register with the Information Commissioner’s Office (ICO), the independent supervisory authority for data protection in the UK.

What is personal data?

UK GDPR defines personal data as, ‘any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

Simply put, personal data is information that relates to a living individual and allows them to be identified. The UK GDPR covers personal data processed both electronically and manually in filing systems. Additionally, there are special categories of personal data that require higher protection, including information related to:

  • Race
  • Ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (used for identification purposes)
  • Health data
  • Sex life/sexual orientation
  • Criminal convictions and offences

All practices should have GDPR protocols in place and an appointed person to manage the process (data protection officer).

Consent (agreement after something has been fully explained)

Remember that we ask patients for consent constantly in our roles: every time we need to move a patient’s hair and look behind their ear for a length-to-bend adjustment, and every time we fire a puff of air into a patient’s eye on the NCT.

Consent is also required for processing personal data and, in situations where a practice wants to send promotional offers, additional consent must be obtained. It is recommended this is achieved using a positive opt-in system, and it should be easy for patients to withdraw consent at any point.

Consent is the approval or agreement for something to happen after consideration. Any consent given must be clear and freely given, for example within a monthly contact lens contract, and records of consent must be kept.

Any business or organisation must have a lawful basis for processing personal data, and the privacy notice should explain the basis and purpose of the processing. An example of lawful grounds for processing personal data is referring a patient and writing up correspondence to the hospital.

Your practice will have its own processes for managing patient data, and you should be trained on them and keep up to date with them. Support your optical colleagues by ensuring patient records are complete and up to date with accurate personal information, and by highlighting if reminder dates have not been stated or there is any missing information.

Information Security

This means safeguarding an individual’s personal data. GDPR emphasises the need to process personal data securely, implementing appropriate technical and organisational measures to protect data.

If personal information held by your company/practice is disclosed without authorisation it could cause reputational and brand damage for your company/practice, fines from regulators and loss of wellbeing for the individuals whose details are disclosed. The following steps should be taken when dealing with a patient and accessing their records on your practice database:

  • First, ask for the person’s name, address and contact number to confirm they are the patient
  • Make sure people cannot see the screen when they walk past
  • Make sure people cannot overhear any confidential information
  • Do not write patients’ details down on a piece of paper, as it could fall into someone else’s hands. If this is unavoidable, the paper must go into the confidential waste and not the regular bin
  • Different patients will require different levels of privacy and their preferences must be taken into account, for example someone with a health concern

Figure 2: Personal data security

GDPR also creates a new legal requirement to report any personal data security breach if there is any risk to the rights and freedoms of the individuals whose personal information is involved in the breach (such as employees or patients). A security breach is where there is unauthorised or unlawful access to, or loss of, personal information.

Remember that patients can request a copy of their records through a SAR; you can charge a reasonable administration fee for the photocopying and time taken. Generally people are used to giving their details, but under GDPR practices need to explain why they require personal details and the legal basis for such use, for example to keep patient records up to date, or to comply with legal obligations to report on staff payments to HMRC.

Practices need to explain an individual’s rights, which apply under the GDPR, and explain how those rights can be protected. This means practices need to be clear on what they collect, why it is collected, what is done with that information, including who it is shared with, where it is sent and how long it is kept for.

Timelines for keeping records

Data should not be kept longer than necessary; Table 1 shows the recommended timelines for keeping patient records. Both ABDO and the College of Optometrists adopt this 10-year rule, as hospital records are retained for the same period.

Therefore, your practice should not have patient records stored for patients you have not seen in over 10 years. The UK GDPR does not dictate how long you should keep personal data. It is up to the data controller to justify the retention period, as they are in the best position to judge how long the data is needed.

Practices selling or buying data

It is not unusual for a practice that is shutting down to sell its records, but is it legal? Personal information held in a database should not normally be sold if patients were not told originally that their information could be passed on to other organisations.

However, if the business is closed down or sold, the Data Protection Act 2018 will not prevent the sale of a database containing the details of individual patients; patients will be sent a communication to explain what has happened. Most patients are reassured that their medical/dispensing records are not lost, especially if they have a complex medical or dispensing history.

Social media policy and your role in adhering to GDPR

Potential social media pitfalls:

  • Take care to ensure that you send information only to those for whom it is intended. If social media activity involves patient details, even inadvertently, this can result in a breach of confidentiality.
  • If you use social media to vent or to communicate informally with colleagues, take care not to disclose confidential information in the process.
  • It is easy to accept a friend request from a patient without considering the consequences.
  • Avoid blurring personal and professional boundaries and keep personal social media for personal contacts only.
  • Patients should be encouraged to follow the practice social media rather than your personal account.
  • Consider the name you use for personal social media and whether it should be different to that which you use in practice.
  • When socialising with colleagues, consider the consequences of sharing on social media. In particular, ensure you have consent before sharing photographs.

Behaviour and conduct on social media

What constitutes misconduct on social media?

  • Foul and abusive language
  • Bullying and harassment
  • Discrimination
  • Violence and threats
  • Hateful speech
  • Racism
  • Inappropriate graphic content
  • Inflammatory comments that could arouse feelings of anger or violence
  • Deliberately misleading or defamatory comments, damaging the good reputation of someone, whether slanderous or libellous
  • Phishing and spam

Summary

As an OA you must provide an appropriate level of privacy for your patients during the consultation to ensure that the process of information gathering, examination and treatment remains confidential. Different patients will require different levels of privacy and their preferences must be taken into account.

Only use the patient information you collect for the purposes it was given, or where you are required to share it by law. Securely store and protect your patient records to prevent loss, theft and inappropriate disclosure, in accordance with data protection law.
Confidentially dispose of patient records when no longer required in line with data protection requirements.

We must be mindful of our behaviour and conduct on social media; we are leaving a digital footprint that may have repercussions for our future. A light-hearted comment you make about someone, taken out of context, may be used against you and may stop you getting that dream job in the future.

I have had lots of experience of helping enrol trainee dispensing opticians onto the GOC register. I have come across an awkward situation on many occasions, where a student applying for the GOC register is asked to disclose any previous criminal convictions, disciplinary action from another regulator or physical/mental health issues. Yes, you have to disclose those to train to become a dispensing optician or optometrist.

Supervisor comment

‘My apprentice and I always talk about what has been covered in her class sessions, hands up this was a useful reminder to check how long we are keeping patient records for’.

Student comment

‘This lesson really brought home that I need to be aware of my own behaviour on nights out with friends, some of my friends do silly things at times, which could get us in trouble with the police. I now realise that I need to avoid that group if I want to realise my dream of becoming an optometrist in the future’.

‘I didn’t realise how important it was to log out of my computer and not leave a patient record on show. Tony said that if I did that when having the practice end point assessment observation, I would not pass the course.’

‘This lesson has been really interesting, I never considered how my social media could impact future job interviews, it has made me reconsider what information I share publicly.’ 

  • Tony has designed, developed and managed the Level 3 Optical Assistant Apprenticeship course at Training 2000. He was also involved in the development and delivery of the benchmark BTEC Level 4 Certificate in Optical Dispensing, which started hundreds of students’ careers in optics, with around 70% of students going on to further study as a dispensing optician. Tony is also an experienced author and presenter of CPD lectures and discussion workshops with audiences of up to 500. He previously worked as a part-time lecturer in ophthalmic dispensing at Anglia Ruskin University.