Dentists and the DPA

MDDUS information governance officer Alex Lyons reflects on a recent ICO report on data protection in the dental surgery

FIRST let me pose two questions: what is four per cent of your gross profit for last year and how easy is it to commit a criminal offence? I will get around to addressing these questions at the end of this article. Before that I would like to discuss the findings of a recent inquiry published by the Information Commissioner’s Office (ICO). The ICO is the regulator responsible for ensuring that organisations comply with the Data Protection Act 1998 (DPA) and for promoting good practice in information handling. The DPA sets out the core principles with which all organisations processing personal data must comply.

Between June 2014 and June 2015, ICO researchers visited 21 dental practices across the UK in order to understand the information risks and challenges that dentists are facing. They also conducted an online survey and held discussions with various organisations including the British Dental Association (BDA). Their visits could only cover a small number of dental practices and were predominantly in England. Despite these limitations, they found some common themes and challenges faced by all dentists in complying with the DPA.

Am I a data controller?

Among the professionals questioned there was general confusion over the circumstances in which a dentist can be considered a data controller, responsible under the DPA for patient data and for registration with the ICO. Some dentists were registered when it was not necessary while others were not registered as required. On this point the ICO does not offer a single rule that fits every situation, but there are a number of questions that can help clarify whether a particular dental practitioner is a data controller.

1. Are you responsible for the control and security of patient records and do you have other responsibilities associated with the data?
2. Do you have a patient list separate from the practice and would those patients follow you if you left the practice?
3. Do you treat the same patient at different practices?
4. If a complaint was made by a patient or data was lost, would you be legally responsible for dealing with the matter?

If you answer ‘yes’ to any of the above questions, you are likely to be required to register with the ICO by visiting their website (www.ico.org.uk). Bear in mind that failure to comply can result in criminal sanctions from the regulator.

Information security arrangements

Information security was another area of concern in the study. It is a wide-ranging topic that covers everything from physical security of records and premises, to using firewalls and anti-virus software, to training staff appropriately. Dental practices are subject to a number of requirements in relation to maintaining the security and integrity of records. In addition to the DPA, the General Dental Council publishes its own Standards for the Dental Team, which requires dentists to “maintain and protect patients’ information”, and the CQC’s outcomes framework outlines controls for record keeping against which dental providers can be audited. The ICO points out that organisations are legally obligated to have appropriate security to prevent personal data being accidentally or deliberately compromised. In particular, the DPA requires data controllers to take specific steps when using a third party (a data processor) to process personal data on their behalf. Data controllers must:

• choose a data processor providing sufficient guarantees regarding information security
• take reasonable steps to ensure compliance
• have a contract in place, in writing, specifying that the data processor is to act only on instructions from the data controller and must comply with information security measures comparable to those in the DPA.

In many of the smaller practices the ICO visited, information technology support was provided by small-scale IT contractors. These arrangements were often informal, with either no written contract or nothing more than a brief service-level agreement. They rarely included clauses concerning information security measures. In some cases this was justified on the basis that the contractor was unlikely to have access to sensitive information (working with hardware under supervision or installing software only on new equipment), but with any such work it is possible that contractors could access personal data. The report recommends that dental practices consult the ICO website for guidance on applying information security principles.

Retention of personal data

Many respondents to the ICO survey did not know how long they were required to retain patient data, leading to wide variation in practice. The DPA states that personal data should be retained for no longer than is necessary, but it does not go on to specify how long is necessary for different categories of data. The following questions therefore tend to be asked (in descending order of importance):

• Is there any other legislation that requires that personal data be retained (e.g. for income tax purposes)?
• Are there any agreed industry standards for retention?
• What is your organisation using the records for, and when is the soonest they will not be of any use?

In the case of dental records, the ICO report cites BDA recommendations that they be retained 11 years for adults, and 11 years for children or up to their 25th birthday (whichever comes first). This advice is based on various limitation periods for bringing legal claims for personal injury, clinical negligence or breach of contract, and it is reiterated in the NHS Code of Practice.

SUMMONS