The General Data Protection Regulation (GDPR) was introduced into UK law on 25 May 2018. Together with a new Data Protection Act it replaces the Data Protection Act 1998. It enhances the protections for data subjects, which includes patients, and increases the duty for practices to demonstrate compliance with the law.
Data security covers everything from staff training to anti-virus software, and practices must have appropriate security to prevent the compromise of the personal data which they hold. The GDPR strengthens the controls that organisations are required to have in place over the processing of personal data.
Definitions and distinctions
A 'data controller' is a person who determines how personal data is or will be processed, and for what purposes. A 'data processor' is any person who processes the data on behalf of the data controller.
The distinction between a data controller and a data processor has been an area of confusion for some members. Calls to the DDU have queried whether associates, dental hygienists and dental therapists need to register with the Information Commissioner's Office (ICO) as a data controller.
Our advice is that it is not necessary to register with the ICO if you work in someone else's practice and input records onto the practice computer. However, if you take patient data out of the practice, you are likely to be a controller and need to be registered as such.
Consider this example: an associate at a practice who takes referrals from dentists outside the practice and holds information on their own laptop to help produce correspondence to the referring dentists is likely to be a data controller and so should consider registering with the ICO.
Conversely, an associate working in a practice where the IT systems are organised by the principal dentist and who does not take any patient data when they leave the practice, is unlikely to be a data controller.
For anyone who remains unsure of their position, the ICO poses a number of questions which might clarify their status. Anyone answering yes to any of the questions below is likely to be a data controller and will need to register with the ICO.
- Are you responsible for the control and security of patient records and have other responsibilities associated with the data?
- Do you have a patient list, separate from the practice in which you treat patients, of patients who would follow you if you left?
- Do you treat the same patient at different practices?
- If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter?
The DDU's understanding about this final question is that it relates to a complaint about data handling or loss, rather than a complaint about treatment.
As a word of warning, do not be tempted to register with the ICO as a precaution, as the role carries significant responsibilities and controllers must pay a fee.
If you are a data controller you are expected to assess your compliance with the data protection legislation. The processing of personal data must have a lawful basis and be fair and transparent. This includes the requirement to provide patients with privacy information and to ensure that you have good systems for handling requests for personal data.
Data protection officers
Dental practices providing NHS treatment must have a data protection officer (DPO). This individual must have proven expert knowledge of data protection law and practice. There are several options regarding the appointment of a DPO.
- Employ a new member of staff with specific knowledge, qualifications and experience.
- Appoint somebody who already works in the practice with all the above.
- Share a DPO with one or more other practices.
DPOs must not be the final decision-makers regarding data processing; for example, they cannot be the data controller, and they must avoid any conflicts of interest.
For more information on DPOs and other aspects of data protection legislation compliance, see the DDU's website as well as the relevant pages on the ICO site.
A dentist called the DDU and asked for advice after their practice suffered data theft from a software hack and a subsequent request for a ransom to be paid. The police had been informed.
It was quickly established that the dentist was an associate of the practice and was not the data controller. The DDU adviser told the dentist that the data controller should decide if they needed to notify the ICO about the breach, as well as the patients.