3Shape Data Privacy FAQ
Personal data privacy is a high priority in 3Shape. That is why we want to to support you in your privacy compliance when using 3Shape products.
The purpose of this document is to help clarify how:
- 3Shape products based on Dental Desktop version 1.6.2.X (from April 2018) and newer will assist 3Shape partners and customers to comply with GDPR.3Shape Communicate service complies with GDPR.
This FAQ will hopefully clear up and answer your questions and help you with you GDPR compliance and personal data privacy concerns.
What is GDPR?
- GDPR stands for General Data protection Regulation and it concerns privacy for all EU citizens and other persons who have their personal data processed in the EU/EEA. GDPR covers provisions about how public and private companies (including medical clinics) and institutions can process personal information. GDPR introduces few new requirements compared to previous European privacy regulation, but it introduces significant monetary fines for misconduct and non-compliance. The regulation will come into force on May 25th 2018.
When should I be concerned with GDPR
- If you collect and/or process personal information in the EU or about EU citizens, you must comply with the legal requirements of the regulation.
You should familiarise yourself with the general provisions of the regulations, but below we will try to outline respective responsibilities and how 3Shape products can support you in maintaining privacy of the personal data you might hold.
Clinic, Lab GDPR compliance
Does 3Shape process patient data from my clinic?
- Unless you share your patient cases via the 3Shape Communicate service (see communicate section below), 3Shape does not access or process patient cases.
What responsibilities regarding privacy do I have, when using 3Shape products?
- If you are a clinic: Clinics are considered data controllers when they collect and handle patient data (i.e. personal data), no matter if data is on paper or in digital form within Practice Management Systems or within 3Shape’s products such as a TRIOS. Compliance is the respective clinic's responsibility. This also includes appropriate legal safe guards for sharing patient data with e.g. a dental lab or other data processors.
- If you are a lab: Labs are considered data processor when they – on behalf of clinics – are storing cases containing personal data in order to deliver the ordered restoration etc. Compliance - including respecting retention periods etc. - is the respective lab's responsibility.
What responsibilities lies with 3Shape?
- 3Shape is considered a data processor when 3Shape – on behalf of clinics and labs – are transmitting and storing cases containing personal data for instance using the 3Shape Communicate service. To see how 3Shape ensures confidentiality, integrity and availability of data in Communicate, please read the 'Communicate' section below.
How does Dental Desktop (from version 188.8.131.52) support my clinic's or lab's compliance with GDPR?
- First of all, it is important to emphasize that no software in and of itself can be compliant. Compliance always comes down to the workflows and processes around the software and how the software is configured.
- That being said, Dental Desktop does provide a number of technical safe guards that improve security and privacy of information:
- By default patient cases are always stored locally in your clinic or lab. However, if installing 3Shape products based on Dental Desktop in a multi-client setup with the server located outside the clinic or lab, you should ensure that the server is also located within EU to comply with GDPR.
- Patient data is encrypted on the hard disk and in software database.
- Dental Desktop has a built-on access control system. We recommend using strong passwords.
- Dental Desktop has an event log built in for audit purposes. This means, you can review access and activity around the personal data stored in the system.
How can I meet my obligation with regards to data subject rights?
- Right of access and portability: Dental Desktop provides functionality for exporting patient cases. Be aware, that you might hold information about a data subject outside 3Shape products. This information could be subject to data subject access requests as well.
- Right to be forgotten: Patients and their data can be completely deleted from the Dental Desktop system.
What if i don't use the Dental Desktop platform for my 3Shape products?
- You are not by default non-compliant when using eg. TRIOS software on the previous platform (often referred to as TRIOS classic). However, you will need to consider other available technical safeguards such as access control on you computer, etc.
- If you have previously purchased a product from 3Shape which is now available on the Dental Desktop platform, we highly recommend upgrading to Dental Desktop. You will experience more available functionality, improved performance and tighter security safe guards.
TRIOS/Communicate GDPR compliance
What is 3Shape Communicate?
- 3Shape Communicate is a web-based software product that allows 3Shape software users to securely exchange cases for the execution of dental work orders between dental professionals. There are a number of associated case management tools such as a web portal and mobile applications to facilitate the management of the case workflow.
How are users able to access Communicate?
- To access Communicate, all users must authenticate by providing a unique email address and password. Passwords must be at least 8 characters and have at least 3 different character type (e.g. uppercase, lowercase, digits, special symbols). To protect personal information, the user’s token will automatically expire after 15 minutes and the user will be required to login again. Additional security polices, such as two-factor authentication, are applied to internal service technicians who require direct access to the system for maintenance purposes.
What data do authenticated users have access to?
- To ensure the security and protection of electronic patient health information (ePHI) users can only see their own orders.
How are files transmitted to Communicate?
- All Communicate subsystems use the https file transfer protocol, with the exception of older versions of 3Shape software which utilize the legacy API with the Net.tcp file transfer protocol which will eventually be discontinued.
Are files transmitted to and from Communicate encrypted?
- Yes, data transmitted to and from Communicate is encrypted using TLS1.2 AES_256 to ensure any data intercepted during transit will be unreadable. This transfer protocol also contains a built-in integrity check to ensure data is not improperly modified during transmission.
How are the files transmitted via Communicate stored?
- Location: Communicate has 3 servers throughout the globe each located in a geographically separate regions: one in Ireland, serving the EMEA region; one in the United States, serving the Americas; and one in Hong Kong, serving Asia and Oceania. All data is stored in the same region as the data owner. Communicate’s servers are owned and operated by Microsoft Azure. 3Shape has a signed Business Associate Agreement with Microsoft, whereby Microsoft commits to maintaining security and privacy safeguards for their data facilities.
- Encryption: Data is encrypted at rest
Who has access to the data stored in Communicate?
- Besides the data owners, the only individuals that have access to data stored in Communicate are the internal service technicians for system maintenance purposes and a select number of support specialists to provide customer support. Access permissions are maintained and continually reviewed by a role manager.
Does Communicate maintain audit logs of who has accessed data stored in the service?
- Yes, as all system users (including support specialists and service technicians) have a unique account identifier, each instance that personal health information is accessed is logged. Each log contains an entry with the user’s email, the order ID of the case accessed, and the time of access.
How long is data stored in Communicate?
- Data stored with Communicate is stored indefinitely. However, the data owner has the option of deleting any case data at any point. There is mechanism to delete cases via the Communicate web portal. Note that to protect against accidental or unauthorized deleting of orders, a deleted order is retained (though not accessible) for a grace period of 30 days.
Is the data stored in Communicate backed up? How often?
- All case data stored in Communicate is backed up daily. These daily backups cover the last 14 days. Additionally, all case data is stored using redundant storage to protect against the accidental loss of data.
Communicate and HIPAA:
- The aforementioned security and privacy safeguards have been implemented to ensure the confidentiality, integrity and availability all electronic personal health information (ePHI) created, received, maintained or transmitted by Communicate. To this end, 3Shape continually monitors our safeguards and procedures to ensure that they reasonably protect against all threats to the security and integrity of ePHI. This is includes but is not limited to, physical access controls, ongoing employee training, and the maintenance of access audit logs.
Please contact us on [email protected] if you have additional questions.