Dear All,

This document will be a place holder for question and answers in relation to GDPR for our CS R4+ Dental Practice Management Software, should you have any specific questions not answered below please email us at privacy@csdental.com

To see our statement on GDPR, please see here. For further information please check out the following links

EU GDPR Website   BDA Guidance on GDPR   ICO Guidelines

Questions

Do I need to collect consent for sending recalls and appointment reminders to my patients?

No. As you would not process the data on that consent. As a healthcare provider you do not need consent for contacting patients about their treatment, appointments or information in regards to their oral health.

How do I deal with a patient's request for the Right to be Forgotten in GDPR?

Currently R4+ does not support deletion of records. The deletion of patient information requires several criteria to be accurately assessed in order to safely remove patient data  without negatively impacting other functions of the DPMS system.  As an example - deleting a patient who has outstanding balance would negatively impact accounting records and balances.  This is why the ICO recognises in its published guidance that "deleting information from a system is not always a straightforward matter and that it is possible to put information ‘beyond use’, and for data protection compliance issues to be ‘suspended’." Our product allows for archiving of records which puts it "beyond" reasonable use and therefore meets ICO's documented acceptable alternative provided that the data controller also puts in procedural controls to not use the archived data:

• to inform any decision in respect of any individual or in a manner that affects the individual in any way;
• does not give any other organisation access to the personal data;
• surrounds the personal data with appropriate technical and organisational security; and
• commits to permanent deletion of the information if, or when, this becomes possible.

Please refer to https://ico.org.uk/media/for-organisations/documents/1475/deleting_personal_data.pdf for additional information.

Can you confirm the R4 process for gaining and recording consent from a patient so a practice is/is not able to send a patient surgery or a practice newsletter?

Where the communication is about the patients appointments, treatment options and recalls there is no need to capture consent.  Carestream Dental's understanding is that medical organisations do not have to rely on consent if processing health data under these circumstances since the communications are related to continual care of an existing patient.  As a reference point we would refer you to a published article by Hogan Lovells in the Chronicle of Data Protection dated January 20th, 2016 entitled "The Final GDPR Text and What It Will Mean for Health Data".  The specific quote from the article states:  "In many instances, those collecting health data will choose to rely on consent. However, an organisation does not have to rely on consent (as its ground for processing sensitive personal data) and can collect and use health data if the processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or treatment, management of health or social care systems and services, under a contract with a health professional or another person subject to professional secrecy under law (the ‘medical care’ ground). "

The need to capture patients consent is then only in relation to purely marketing information you want to send the patient.   R4 does not have a marketing module, but if you wish to capture that a patient has provided you with consent we suggest the simplest ways would be to add a marker to the patient record stating they gave consent.  You can create queries to create a list of patients who have opted in, in order to provide details of who you want to send the marketing email to.  Or, create a document which can be printed and signed by the patient, which would form part of the patients communication record within R4.  We will publish a guide on our community shortly.

How does R4 and Carestream Dental help me with my GDPR compliance?

• R4 provides authentication capabilities to allow Controllers to restrict access to patient data.  R4 includes full user level permissions. You can find this in the User section of the software.
• R4 provides internal security measures for additions, deletions, and modifications of records to ensure compliance with the security requirements under Article 32.
• R4 offers patient archiving capabilities which support the GDPR requirement of “right to be forgotten” provided the patient’s request does not conflict with other regulatory controls for retaining patient records.
• Carestream Dental’s support services utilise secure remote access technologies that require the Controller’s consent to be given prior to access, and ensure proper encrypted viewing and/or transfer of patient data.
• Where available, Carestream Dental can provide secure data backup services through a vetted third-party service to help Controllers meet their “resilience” requirement under Article 32.

We will continue to add questions and answers to this page as we receive them, please note that certain questions may need to be reviewed by our data security advisors and our legal team before we can respond.

Kind regards

Carestream Dental