What does it mean to 'process personal data'?
I just want to offer some clarity on what personal data actually means, in the context of GDPR anyway.
We've had a few comments and posts about whether or not things like plaster casts or practice management patient numbers on a lab ticket constitute personal data.
Here is the official definition in GDPR:
"personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
It's a riveting read, really, I promise!
The definition of personal data is quite broad and fairly all-encompassing - frustratingly!
It doesn't just include obvious things like name, DOB and address. It also includes more seemingly-unrelated things like identification numbers on practice management software, IP addresses and so forth.
And of course clinical photographs, dental records, x-rays impressions etc. which are a 'special category' of data and warrant further protections. Note how the legislation says that personal data is any information relating to "an identified OR identifiable" person - i.e. someone who CAN be identified, "directly or indirectly".
So the question we must consider isn't just - "can the person be directly identified from the information?"...
Clearly if an x-ray got lost in transit and a bloke finds it on the road, it's going to be difficult for that person to identify the patient - let alone cause them any harm or distress.
In that context, the risk is of course incredibly low. But it doesn't mean that the x-ray isn't personal data.
Because when you consider that x-ray alongside other information available to the people who process it (not just outside of the practice, of course) - perhaps SOE patient number, clinical photographs, dental records - the x-ray all of a sudden becomes highly relevant, highly personal and highly sensitive data.
It can reveal lots of personal information like oral health, number of implants, presence of disease etc. Clearly when processing and sharing personal information, we clearly shouldn't just focus on "if the information got lost and it was found by a bloke"....
The question should be, can anyone who has access to this data or otherwise processes this data (whether legally or illegally - like an ex member of staff) use this information to identify a particular individual from it... even if that requires considering that data alongside other bits of information.
So, whilst sending a plaster cast to a lab, or a lab ticket with an SOE reference number on it.. doesn't seem like "personal data", it very much is when you consider it alongside other information reasonably available to the people who process it.
That of course doesn't mean you can't share that data, that you need consent for that data or that you can't operate your business... it just means you have to do it in a way that is compliant with GDPR.
In the case of sending information to labs or other third parties - make sure there is a processing agreement in place. In the case of processing it internally, make sure there are proportionate security measures in place. Keep it proportionate to the risk. Clearly no one here would leave an x-ray in the waiting room.
The last thing I want to focus on is "processing" of personal data. Clearly if you are not "processing" personal data, it's not in scope of GDPR.
And we've had some questions around what constitutes processing.
For example, if it's archived, are we processing it?
If we are just storing it but not actively using or manipulating it, is it still processing?
Like the definition for personal data itself, the definition for "processing" is very broad.
It's defined as:
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
So even just merely having access to, consulting or storing data is considered processing. In short, if you have personal data, you are processing it. It doesn't matter whether it's in your recycling bin, in an iron mountain archive box or in your practice management software.
If in doubt - you probably are processing personal data!
Unless it's clearly not personal - like a business name.
Hopefully that was helpful!
