Article in response to DDU advice regarding storing data “in the cloud”.
I was recently at a customer site, in discussion with the practice manager there. He handed me a copy of an article from “The Dentist” magazine which had caused him some concern; the headline was “Get patient consent before storing records in data clouds DDU advises” [1]. I am familiar with the principles of the DPA (Data Protection Act), the ICO (Information Commissioner’s Office) advice related to this, and IG Toolkit requirements, so my initial reaction to this advice was very sceptical. I promised the PM I would take it away and get back to him.
Remote Backup from Dental IT
I should declare an interest from the off: Dental IT sells a remote backup solution as part of its support offering. Uniquely (I believe) we actually host and manage the data ourselves rather than with an upstream third party, which for various reasons makes our offering significantly more “compliant” than other “resold” remote backup solutions. It is certainly not our main offering, which is IT support; however, DDU advice to seek patient consent for any storage of data offsite certainly wouldn’t just harm us. If followed, it would effectively kill off remote backup for dental practices, many of which rely on remote/Internet backup as the core “offsite” element in their IT backup strategy.
If you use Carestream R4, for example, they have been encouraging their clients not to bother with local backup and to use just (their!) remote backup, for years now. To be clear, if you ask all your, say, 10000 patients if they consent to their data being stored off-site, you are going to get some that say no, whether they understand the technical aspects or not.
Given that no dental practice management system that I know of is capable of backing up, or storing, some patient records remotely and some locally, the practice would then not be able to remotely back up, or store, its data off-site/online at all. Since that would be the inevitable outcome of following DDU advice in this case, it is my opinion that the advice is misplaced and detrimental to data security and integrity in the industry in general. My experience from auditing hundreds of dental practices over the last decade is that many have very poor or non-existent backup systems, and poorly specified and badly maintained servers and networks. Removing practices’ ability to back up remotely isn’t going to help that situation any.
I return to the accuracy of the advice itself. On investigation, the article appears to be a rehash of a press release from the DDU [2], itself a summary of an article by Leo Briggs dated 12th February 2013 [3]. For the purposes of this article I will of course be examining the latter in detail, and not the press release or the news article in “The Dentist” magazine. I note in passing that the press release refers to the use of “virtual servers” in its summary/introductory first paragraph, which is a complete red herring. I assume the author here actually means “in the cloud”, since computers in the “cloud” may be virtual or not (a virtual server being technically a very different beast from a physical server, but both being potentially “cloud” based). Whether the machine is physical or virtual is neither here nor there, although the casual reader could (wrongly) interpret this introduction as indicating that the considerations only apply to “virtual” servers. It probably isn’t helpful that this significant conceptual “error” in the press release is presented as firm advice; after all, many people may read just this and nothing else.
The main Leo Briggs article of 12th February 2013 states: “Some dental professionals are considering using cloud computing services to store their electronic data. Instead of data being stored locally on the hard drive of your computer, the data is stored on a virtual, off-site server run by a third party”. It goes on to say “The internet provides the connection between your computer and the database”. It is worth noting here, that although the article in general refers to personal data being stored in the cloud (which would include remote backups), what the author is clearly describing here is a situation where the “live” database, as opposed to a backup, resides in the cloud. In fact, this is very rarely the case, as there are very few DPMS systems (dental practice management software systems) that support direct cloud hosting, or are optimised for it. The storage of backup data is rather different to that of live data, for various reasons:
- the data would generally not be considered to be subject to “processing” in any way, as a live database is, but rather simply “stored”
- a backup “dump” of a live database, depending on the software, will generally not be readable (or at least, easily readable) or of any use to a third party without the software application required to read and process it; risk of unauthorised access is, therefore, significantly lower
- the database dump will often be compressed and/or encrypted, also making unauthorised access difficult if not impossible.
Despite these points, whether this is live data or backup data is in fact irrelevant as far as the DPA (Data Protection Act) is concerned, or at least the accepted interpretation of it; the ICO specifically covers this point in its article “Guidance on the use of cloud computing” [4], where it states: “19. The DPA applies to personal data that is processed. Processing has a very broad definition and is likely to include most of the operations that are likely to occur in the cloud, including simply storage of data.” So although Leo Briggs’ article appears to be singling out live cloud-based databases rather than storage of backup data, there is no doubt that the same data considerations should be made for either scenario (although it is likely that any risk assessment would conclude that the security risk will almost certainly be significantly lower where the data is simply being backed up online).
The following two paragraphs of the DDU article stress the context of the considerations and subsequent advice, namely data protection legislation, and obligations of patient confidentiality required by the GDC. I could add to this, the various NHS codes of conduct, the Caldicott Principles, the IG toolkit, the ICO guidelines... In short, I am certainly not in any disagreement with the author on the general point, that dental practices ARE responsible in law for the personal data they process, and should seek “compliance” with all relevant legislation and guidelines. I should point out that the DPA makes a clear distinction between “personal data” and “sensitive personal data”. This distinction is also made in IG guidelines.
Sensitive Personal Data
There are various definitions of “sensitive personal data”, but this is clearly data which, if lost or subject to unauthorised access, would be especially damaging. Clearly this would include credit card details, medical records, and detailed contact and personal information, especially if the records are linked (which of course they generally would be, in a database!). There is no doubt, therefore, that the records contained in most dental practice databases (and the backups thereof) ARE in the “sensitive personal data” category and should be considered accordingly.
The DPA specifically singles out medical professionals as being entitled to process this sensitive personal data in the course of their work, which is as it should be of course.
The next section of the article, entitled “Can personal data be stored in a data cloud” does not really answer its own question, but poses some salient considerations, mostly from ICO guidance, but also from NHS guidelines regarding the movement of unencrypted data. All of the considerations raised here are accurate and relevant, but none are particularly difficult to “answer” and comply with. Specifically this section raises:
- The ICO guidance suggesting that the data controller (in this case, the dental practice) should consider whether “38. the processing of certain types of personal data could have a greater impact on individuals’ privacy...” and “It suggests that data controllers review the personal data they process and decide whether there is any data that shouldn’t be put in the cloud, for example because specific assurances were given when the personal data was collected.” For the reasons already given earlier, this is really not relevant to the typical DPMS (dental practice management system); none of these systems (that I know of) have a function to allow some of the data to be stored online, and some locally. Even if they did, I am unclear what data in a dental practice would be considered more sensitive than other data. Perhaps a medical history form would be considered highly sensitive, but the patient address not so sensitive? Would a digital x-ray be fairly low risk, but an email address more sensitive? Who knows!?
The reality is that dental practice networks are either going to be prepared to backup or process all their clinical and patient data in the “cloud” or they are not.
Making distinctions here between where different types of data are stored is, in my view, a complete dead end. Regarding the consideration of whether assurances were given when the personal data was collected, I doubt there is any dental practice in the country that assured its patients on registration at the practice that their data would never be stored in the cloud!
- The following specific bullet points are raised:
“Will data be encrypted when in transit? What are the deletion and retention timescales and will the data be deleted securely if you withdraw from the cloud? What audit trails are in place so you can monitor who is accessing the data? Which countries does the provider process data in? The DPA prohibits transfer of personal data outside the EU. Will there be a written contract in place which includes confidentiality clauses?”
All of the above are legitimate considerations, and all can and should be answered by a good cloud/remote backup solution.
- The final paragraph in this section details NHS guidance that all electronic data in transit must be encrypted and that mobile devices should employ encryption and password protection, and the author suggests that the same disciplines should apply to cloud data. I entirely agree with this. (I note that many of the dental hospitals and specialist imaging centres with which our dental practice customers correspond flagrantly ignore this specific guideline by routinely sending unencrypted CDs and DVDs in the post to the dental practice, but I digress!)
It is the final section of the article, “Do I need patient’s consent?” with which I disagree most strongly. It has a number of inaccuracies, and I do not understand how the author arrives at the conclusion that dental practices need to seek the consent of each patient to store their data in the “cloud”. It is worth considering each point here in some detail. The first paragraph states:
“The ICO guidance says that organisations using cloud computing should take appropriate steps to tell their customers about the processing arrangements and that they should be as open as possible (paragraph 48).”
Actually, paragraph 48 of the ICO guidelines does NOT say this. It says:
“The cloud customer may need to take appropriate steps to inform the end users of the cloud service...”
Note the word “may”, which the DDU advice appears to have changed to “should”. Whilst there is undoubtedly reference in the DPA legislation itself to the requirements of openness and fairness, there is absolutely no requirement (that I can find) to seek consent from each individual as to exactly how the data is handled or stored. In my view (and all the various IG/ICO advice that I have read would back this up), the most important actions on the practice are to have CONSIDERED and assessed the risks, UNDERSTOOD how the data is handled, and ENSURED that disciplines and agreements are in place that minimise risk.
In paragraph 2 in this section, the author states:
"The DPA requires that personal data should only be handled in ways people would reasonably expect. It is questionable whether patients would expect sensitive medical information to be held in an off-site storage facility not under direct control of the dental professional involved in their care."
This is, in my view, somewhat misinterpreting the thrust of the relevant DPA principles, which are, it seems to me, intended to prevent, for example, a bank that has your personal financial details selling those on to a third party who use them to sell you some other service. The second data protection principle is intended to ensure that organisations obtain data only to do what they need to do, and no more than that. So a dental practice needs to know a patient’s basic personal information, their MH (medical history), clinical assessment, etc.
Principle 7 of the DPA deals with ensuring that the data is safe, secure, free from unauthorised access, etc. I do not see how either of these principles can be interpreted as saying that patients’ opinions about the technical aspects of their data storage have to be sought or acted upon, any more than the dental practice should consult its patients about which chairs it uses, or where it sources its instruments. Further, even if the premise were accurate, which I do not believe it is, and patients were consulted about whether they thought it was reasonable to hold their data offsite or not, I doubt many would even have a view about this one way or the other. Has Leo Briggs/the DDU done any research that leads them to this conclusion? Have they asked any patients?
The article concludes:
“In the DDU’s view it would therefore be necessary to seek the consent of each patient to store their data in such a way, making patients aware of any risks involved, and as far as possible, in which countries the data will be stored.”
I have no idea how, based on any of the legislation or guidance material referenced, this conclusion is reached. I can understand that it is probably in the nature of an organisation such as the DDU to err on the side of caution; in this case I am afraid this errs on the side of bad advice.
Last edited: 10 December 2013