YOU are just starting out on your new career and everyone is full of advice. There is much to remember and it can be difficult to prioritise. While it may not be top of your list, the Data Protection Act 1998 (DPA) is one piece of legislation that will impact you on a daily basis.
Privacy and data protection is an area where people often feel they aren’t given enough practical help. The body set up to advise individuals and organisations on these issues is the Information Commissioner’s Office (ICO), which interprets and enforces the DPA.
They ensure that anyone who “processes personal data” (patient information) complies with the Act’s eight principles. There is a further definition of “sensitive data” which includes medical information for which there are more stringent obligations to be met. Those responsible for deciding how to process this information are known as “data controllers” and they must inform the ICO of this fact. There are few criminal sanctions that can be imposed under the DPA but failing to notify the ICO that you are processing personal data is one of them. Not a great way to start your career.
As a new dentist, you may think data protection is something only the practice principal or manager needs to worry about. But, generally speaking, the ICO do require associates to register as they are usually self-employed, trading as a separate legal entity from their principal dentist and are responsible for their own patient records. However, there are some exceptions to this rule thanks to the many arrangements that exist between principals and associates. Ask yourself the following questions: 1 Are you responsible for the control and security of patient records, and do you have other responsibilities associated with the data? 2 Do you have a patient list separate from the practice in which you treat patients that would follow you if you left? 3 Do you treat the same patient at different practices? 4 If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter? If you answer ‘yes’ to any of the above questions, you are likely to be a data controller and will need to register with the ICO. The annual fee is £35 for most organisations, including small and medium-sized businesses. It is unlikely you will have to pay the higher fee of £500 as this only applies to organisations with both 250 or more staff and a turnover of at least £25.9 million.
The DPA gives individuals (so-called “data subjects”) the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with the eight principles which require that data is:
- Fairly and lawfully processed.
- Obtained for specified and lawful purposes.
- Adequate, relevant and not excessive.
- Accurate and up-to-date.
- Not kept for longer than is necessary.
- Processed in accordance with the rights of the data subjects.
- Kept secure.
- Not transferred outside the European Economic Area without adequate protection.
The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on a computer and most paper records. This is called a “subject access request” which, for dentists, will most commonly come in the form of requests for patient dental records.
There are strict rules and guidance on when/how to provide this information. Where an individual believes they are wrongly being denied access to any personal information, or feel their information has not been handled in accordance with the Act, they can complain to the ICO. The ICO will normally deal with such matters informally, but if this is not possible, enforcement action can be taken.
Individuals also have the right to object to their information being used to target them with unwanted marketing, which means dentists must be careful how they use confidential patient data. For example, deciding to send a mailshot out to all your patients simply to advertise a new product or promotion may be viewed as a breach of the DPA.
When examining the application of the Data Protection Act you should bear in mind the following points:
- It is a criminal offence to process personal data without being registered.
- Only registered data users/staff may access the data.
- Data must not be disclosed to third parties without prior patient consent.
- Retention of patient records must be managed in accordance with the Act.
- Data should only be kept for as long as is necessary for its intended purpose.
All dental practices should have policies in place covering data protection and data entries should be logged, with each staff member allocated a password. Computer systems should have audit facilities and measures in place to prevent data being accidentally deleted or tampered with. Adequate back-up records must be maintained and kept securely. More detailed information is available on the ICO website at www.ico.org.uk, or you can discuss issues with an MDDUS adviser.
Alex Lyons is senior information governance officer at MDDUS