1. Dental practices providing NHS treatment must have a Data Protection Officer (DPO).
All practices providing NHS treatment are considered as public authorities and are required to appoint a DPO, or have arrangements to share one.
This individual must have proven expert knowledge of data protection law and practice. They will need to keep up to date with any changes and clarifications (for example, from the Information Commissioners Office) and understand how the changes impact the practice.
There are several options for appointing a DPO.
a) Employ a new member of staff with specific knowledge, qualifications and experience.
b) Appoint somebody who already works in the practice with all the above. This person can add the DPO's requirements to other responsibilities, such as maintaining records of processing activities. DPOs must not be the final decision-makers regarding data processing. For example they cannot be the data controller and must avoid any conflicts of interest.
c) You can share a DPO with one or more practices, but if doing so you will need to consider factors such as:
- the sizes of the practices
- numbers of patients
- whether the DPO is genuinely going to be in a position to understand and advise each individual practice and monitor compliance.
You should document these considerations and the justification for your decision.
Further information about DPOs can be found on the Information Commissioners Office (ICO) website.
2. Privacy notices
You must have a privacy notice which gives patients information that includes:
- explaining the lawful purpose for which you are processing their personal data (for healthcare organisations this may be Article 6(1)€ (of the UK GDPR) that it is "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…" and Article 9 for special category data, which includes personal data about health)
- the retention periods for the data
- who it will be shared with.
The ICO has a useful checklist explaining the information privacy notices need to contain.
If you are relying on other legal bases, you will need to specify these in the privacy notice.
3. Procedures for subject access requests
Under UK GDPR individuals may request access to their own records. You should redact any third-party information or anything that you believe may cause serious harm to the patient.
The UK GDPR and the Data protection Act (DPA) 2018 only apply to living individuals' data. Deceased patients' records in England, Wales and Scotland are still subject to the Access to Health Records Act 1990. Deceased patients' records in Northern Ireland are subject to the Access to Health Records (Northern Ireland) Order 1993.
Dental professionals also need to be aware of the GDC's guidance, Maintain and protect patients' information.
Under UK GDPR and DPA 2018 if a subject access request is made, you should be aware that.
a) The subject access request does not have to be in writing.
b) The subject cannot be charged for copies of records unless the request is "manifestly unfounded, excessive or repetitive". You could then charge a reasonable fee. There is currently no agreed definition of what constitutes a manifestly unfounded or excessive request, or what a reasonable fee is. It is hoped this type of request will be rare, and when considering them dental professionals should bear in mind their obligations under paragraph 4.4 of the GDC's Standards for the dental team. It may be helpful to discuss such cases with the DPO and/or to seek advice from the DDU.
c) You need to provide the information within one month.
d) If a request is made for the records of a child, phone the DDU for advice before releasing the records.
e) You should document access requests and include information about any delay in providing the information, requests that are "manifestly unfounded or excessive", and also the information you have provided regarding the right to complain to the ICO or judicial remedy.
Insurance companies, solicitors or other third parties should not be charged if requesting records, with patient consent, under a subject access request. However, other requests for information or reports by third parties should be dealt with in the normal way.
4. Review checklists
The ICO has a useful checklist to review.
5. Review data protection fees
The Data Protection (Charges and Information) Regulations came into force on 25 May 2018. These regulations introduced new fees for data controllers. The regulations set the charge period when the fee is due and fix the amount to be paid.
The amount you need to pay will depend on how many people you have in your organisation. You can find out more on the ICO's website.
More information can be found at Information Governance Alliance (IGA) - NHS Digital.
This page was correct at publication on 21/06/2022. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.