Electronic messaging and GDPR

TEXT messaging has become almost routine in healthcare today – and dentistry is no different. Practices recognise that this type of communication can be effective both for business needs and as a benefit to patients. However, there must be robust processes in place which consider both the message content and intent, as well as the need to protect patient confidentiality.

The General Data Protection Regulation (GDPR) has raised questions among dentists about what exactly is permissible to send to patients via electronic messaging. Text messages are transmitted on public phone networks and are therefore potentially insecure and could be read by unintended others. A dentist may not be responsible for a message once received, but patients should still be encouraged to protect their phones and other devices if concerned over confidentiality.

Text messages should not contain any clinical information. All health information is classified as ‘special category data’ under GDPR, which demands even greater security measures to be in place. This may relate to the type of information being transmitted (e.g. a specific type of appointment, or mention of a condition) but it is also important to consider the potential implications if the information is misused.

The Information Commissioner’s Office (ICO) has produced guidance that all health professionals should consider if already using or planning to introduce a text messaging service to patients. Specific advice can be obtained by phoning the ICO advice line on 0303 123 1113.

The starting point for data controllers is to identify a lawful basis under GDPR for the processing of all personal information, as well as a ‘special category condition’ for health information. Once this is established it should be set out in a privacy notice and publicised within the practice, on the website and on social media pages as appropriate. Any planned use of text messaging to contact patients should be clearly set out in the privacy notice in a “granular” and “meaningful” way. This means setting out the specific purposes for which you intend to contact patients by text messaging and not deviating outside those parameters.

As a general rule, it is permissible to relay things like appointment reminders which are specific to individual patients, as well as important changes in service delivery arrangements, such as revised opening times. The ICO has also stated that during the current COVID-19 outbreak it is acceptable to send electronic messages to your patients regarding important public health information and specific practice arrangements being put in place. Such messages will come with no additional legal requirement under GDPR to obtain individual patient consent, but the ICO confirms that doing so would still be regarded as ‘good practice’ and more aligned to current regulator guidance from the GDC.

COMMON QUESTIONS

Is it acceptable for a dental practice to send ‘appointment reminders’ via text or email the day before a scheduled appointment?

Yes – such a message is patient specific. This also extends to sending a reminder that a six-monthly check up is due, as it relates to an individual’s dental health and treatment.

Can ‘service update’ messages be texted to all our patients?

Messages such as “the practice will be closed for training next Tuesday afternoon” would be viewed as permissible. The intention is to inform patients about important service changes to prevent inconvenience and maintain the smooth operation of the service. Such texts can be especially useful and important in the current COVID-19 pandemic. Specific patient consent is not required but the ICO advises that a descriptor of such types of communication should also be included in your privacy notice.

What about marketing to patients?

Direct marketing is defined as the “promotion of a service, whether for profit or not” and under GDPR and the Privacy and Electronic Communications Act would require explicit opt-in consent from each patient to receive such messages. An example of direct marketing would be a dental practice texting all registered patients about a “half price teeth whitening offer during January”. Another example would be a text/email message informing patients that a new dentist with a special interest in implant surgery is now available for appointments at the practice, as this would likely fall under the direct marketing criteria as promotion of a specific for-profit service to a large audience. Such a message could be relayed on the practice website.

ACTIONS

• Carefully consider the message content. Protecting confidentiality is foremost when communicating with patients.
• Provision of a patient’s mobile number does not provide the practice with open-ended consent.
• Communicate intentions and purposes for sending texts and other forms of electronic messaging to patients via your privacy notice.
• Consider the purpose of your messaging on an individual basis. Could it be construed as direct marketing? Always seek explicit consent for this type of activity.