Dentists and the DPA

FIRST let me pose two questions: what is four per cent of your gross profit for last year and how easy is it to commit a criminal offence? I will get around to addressing these questions at the end of this article. Before that I would like to discuss the findings of a recent inquiry published by the Information Commissioner’s Office (ICO).

The ICO is the regulator responsible for ensuring that organisations comply with the Data Protection Act 1998 (DPA) and for promoting good practice in information handling. The DPA sets out the core principles with which all organisations processing personal data must comply.

Between June 2014 and June 2015, ICO researchers visited 21 dental practices across the UK in order to understand the information risks and challenges that dentists are facing. They also conducted an online survey and held discussions with various organisations including the British Dental Association (BDA).

Their visits could only cover a small number of dental practices and were predominantly in England. Despite these limitations, they found some common themes and challenges faced by all dentists in complying with the DPA.

Am I a data controller?

Among the professionals questioned there was general confusion over the circumstances in which a dentist can be considered a data controller and responsible under the DPA for patient data and also for registration with the ICO. Some dentists were registered when not necessary while others were not registered as required. On this point the ICO does not offer a single rule that fits every situation but there are a number of questions that can help clarify whether a particular dental practitioner is a data controller.

1. Are you responsible for the control and security of patient records and do you have other responsibilities associated with the data?
2. Do you have a patient list separate from the practice and would those patients follow you if you left the practice?
3. Do you treat the same patient at different practices?
4. If a complaint was made by a patient or data was lost would you be legally responsible for dealing with the matter?

If you answer ‘yes’ to any of the above questions, you are likely to be required to register with the ICO by visiting their website (www.ico.org.uk). Bear in mind that failure to comply can result in criminal sanctions from the regulator.

Information security arrangements

Information security was another area of concern in the study. It is a wide-ranging topic that covers everything from physical security of records and premises, to using firewalls and anti-virus software, to training staff appropriately. Dental practices are subject to a number of requirements in relation to maintaining the security and integrity of records. In addition to the DPA, the General Dental Council publishes its own Standards for the Dental Team which requires dentists to “maintain and protect patients’ information”, and the CQC’s outcomes framework outlines controls for record keeping against which dental providers can be audited.

The ICO points out that organisations are legally obligated to have appropriate security to prevent personal data being accidentally or deliberately compromised. In particular, the DPA requires data controllers to take specific steps when using a third party (a data processor) to process personal data on their behalf. Data controllers must:

• choose a data processor providing sufficient guarantees regarding information security
• take reasonable steps to ensure compliance
• have a contract in place, in writing, specifying that the data processor is to act only on instructions from the data controller and must comply with information security measures comparable to those in the DPA.

In many of the smaller practices the ICO visited, information technology support was provided by small-scale IT contractors. These arrangements were often informal without a written contract or nothing more than a small service-level agreement. They rarely included clauses concerning information security measures.

In some cases this was justified on the basis that the contractor was unlikely to have access to sensitive information (working with hardware under supervision or installing software only to new equipment) but with any such work it is possible that contractors could access personal data. The report recommends that dental practices consult the ICO website for guidance on applying information security principles.

Retention of personal data

Many respondents to the ICO survey did not know how long they were required to retain patient data, leading to wide variation in practice. The DPA states that personal data should be retained for no longer than is necessary but it does not go on to specify how long is necessary for different categories of data. The following questions therefore tend to be asked (in descending order of importance):

• Is there any other legislation that requires that personal data be retained (e.g. income tax purposes)?
• Are there any agreed industry standards for retention?
• What is your organisation using the records for and when is the soonest they will not be of any use?

In the case of dental records, the ICO report cites BDA recommendations that they be retained 11 years for adults, and 11 years for children or up to their 25th birthday (whichever comes first). This advice is based on various limitation periods for bringing legal claims for personal injury, clinical negligence or breach of contract, and it is reiterated in the NHS Code of Practice.

The ICO recommends that all dental practitioners implement a retention policy. This can be a short document or schedule that lists when personal data should be destroyed, based on the questions and industry standards discussed above.

Those practices in the ICO survey that had policies in place and followed them tended to destroy only manual or physical personal data. Most practices are now moving to electronic dental records but none of the respondents to the research disposed of electronic records or had the facility to do so.

Retention periods apply to both manual and electronic records. Inactive electronic records can be archived but they often remain intact and accessible at the push of a button. The report concludes that the dental sector must begin to consider the importance of securely destroying electronic records at the end of their retention period. Those practices without the technical capability to delete personal data due to system constraints should consult ICO guidance on how such information can be put “beyond use”.

Wider information governance landscape

The report also stresses the need for all organisations to keep up-to-date with changing technology in order to ensure information is secure. Some practitioners are failing to adapt effectively to the increasing use of mobile and personal devices within the workplace and the report highlights the importance of being alert to guidance and advice about using new technology securely.

Dental professionals busy running practices can struggle to engage with more involved information governance issues. This is understandable as their focus is on delivering care to patients and it may not be possible to spend large amounts of time addressing complex information governance matters. The ICO is pragmatic about the requirements of running small businesses and recognises the need for additional channels of communication regarding information governance.

MDDUS can provide a number of checklists and practical guidance to assist members in achieving compliance. Don’t forget also that our advisers are at the end of the phone and our website features a number of webinars in relation to subject access requests and data sharing to help you achieve compliance.

Some answers

Now back to my initial questions. In 2016, new data protection legislation will introduce a structure for monetary fines set to be agreed at 4 per cent of gross profit. I don’t know what that would cost you but I’m sure your finance manager could give you a figure.

As to the second question: how easy is it to commit a criminal offence? The answer is “very” – processing personal information without registering with the ICO is illegal!

Alex Lyons is a senior information governance adviser at MDDUS