Personal data privacy is a high priority at MyLab. That is why we want to support you in your privacy compliance when using the MyLab Platform.

The purpose of this statement is to help clarify how the MyLab Platform & Services comply with GDPR.

What is GDPR?

GDPR stands for General Data Protection Regulation and it concerns privacy for all EU citizens and other persons who have their personal data processed in the EU/EEA. GDPR covers provisions about how public and private companies (including medical clinics) and institutions can process personal information. GDPR introduces few new requirements compared to previous European privacy regulation, but it introduces significant monetary fines for misconduct and non-compliance. The regulation will come into force on May 25th 2018.

When should I be concerned with GDPR?

If you collect and/or process personal information in the EU or about EU citizens, you must comply with the legal requirements of the regulation.

You should familiarise yourself with the general provisions of the regulations, but below we will try to outline respective responsibilities and how MyLab services can support you in maintaining privacy of the personal data you might hold.

Dental Clinic, Dental Lab GDPR Compliance

Does MyLab process patient data from my clinic?

Patient cases will be created on the MyLab Platform. Patient information will include:

  • First Name
  • Last Name
  • Type of Work being requested

What responsibilities regarding privacy do I have, when using the MyLab Platform?

If you are a clinic: Clinics are considered data controllers when they collect and handle patient data (i.e. personal data), no matter if data is on paper or in digital form within Practice Management Systems or within the MyLab Platform. Compliance is the respective clinic’s responsibility. This also includes appropriate legal safeguards for sharing patient data with e.g. a dental lab or other data processors.

If you are a lab: Labs are considered data processors when they – on behalf of clinics – store cases containing personal data in order to deliver the ordered restoration etc. Compliance – including respecting retention periods etc. – is the respective lab’s responsibility.

What responsibilities lie with the MyLab Platform?

The MyLab Platform is considered a data processor when MyLab – on behalf of clinics and labs – transmits and stores cases containing personal data.

See our Privacy Policy to read more about the circumstances under which MyLab is a data controller.

How can I meet my obligation with regards to data subject rights?

Right of access and portability: The MyLab Platform provides functionality for exporting patient cases. Be aware that you might hold information about a data subject outside of the MyLab Platform. This information could be subject to data subject access requests as well.

Right to be forgotten: Patients and their data can be completely deleted from the MyLab Platform.

What is MyLab?

MyLab is a web-based software product that allows users to securely exchange cases for the execution of dental work orders between dental professionals. There are a number of associated case management tools such as a web portal and mobile applications to facilitate the management of the case workflow.

How are users able to access MyLab?

To access MyLab, all users must authenticate by providing a unique email address and password. Passwords must be at least 8 characters and have at least 3 different character types (e.g. uppercase, lowercase, digits, special symbols).

To protect personal information, the user’s token will automatically expire after 30 minutes and the user will be required to log in again. Additional security policies, such as two-factor authentication, will be optionally available for all users.

What data do authenticated users have access to?

To ensure the security and protection of electronic patient health information (ePHI), users can only see their own orders. MyLab cases are visible to the clinic that books the case, and the lab the clinic requests.

How are files transmitted through MyLab?

All MyLab subsystems use the HTTPS protocol for file transfer.

Are files transmitted to and from MyLab encrypted?

Yes, data transmitted to and from MyLab is encrypted using TLS 1.2 with AES-256 to ensure any data intercepted during transit will be unreadable. This transfer protocol also contains a built-in integrity check to ensure data is not improperly modified during transmission.

How are the files transmitted via MyLab stored?

Location: MyLab have a server hosted with Memset in their Reading Data centre in the United Kingdom.

Who has access to the data stored in MyLab?

Besides the data owners, the only individuals that have access to data stored in MyLab are the internal service technicians for system maintenance purposes and a select number of support specialists to provide customer support. Access permissions are maintained and continually reviewed by a role manager.

Does MyLab maintain audit logs of who has accessed data stored in the service?

Yes, as all system users (including support specialists and service technicians) have a unique account identifier, each instance that personal health information is accessed is logged. Each log contains an entry with the user’s email, the order ID of the case accessed, and the time of access.

How long is data stored in MyLab?

Data with MyLab is stored on the live website for 18 months, and archived indefinitely on a separate server. However, the data owner has the option of deleting any case data at any point. Note that to protect against accidental or unauthorized deleting of orders, a deleted order is retained (though not accessible) for a grace period of 30 days.

Is the data stored in MyLab backed up? How often?

All case data stored in MyLab is backed up daily. These daily backups cover the last 30 days. Additionally, all case data is stored using redundant storage to protect against the accidental loss of data.

MyLab and HIPAA:

The aforementioned security and privacy safeguards have been implemented to ensure the confidentiality, integrity and availability of all electronic personal health information (ePHI) created, received, maintained or transmitted by MyLab. To this end, MyLab continually monitors our safeguards and procedures to ensure that they reasonably protect against all threats to the security and integrity of ePHI. This includes, but is not limited to, physical access controls, ongoing employee training, and the maintenance of access audit logs.