DPA in Brief


All dentists process personal information about patients and therefore must comply with data protection legislation [Data Protection Act 1998 (DPA)] [1-3]. The eight data protection principles outlined under the DPA reflect the dental profession’s ethical principles.



Comply with the DPA principles by ensuring that personal information is:

  • fairly and lawfully processed;
  • processed for limited purposes (i.e. obtained only for specified and lawful purposes and further processed only in a compatible manner);
  • adequate, relevant and not excessive;
  • accurate and up to date;
  • not kept for longer than is necessary;
  • processed in line with the individual’s rights;
  • secure;
  • not transferred to countries outside the European Economic Area without adequate protection.

Notify the (UK) Information Commissioner’s Office [4] if you hold personal computerised records (those who hold such records are considered to be a data controller for the purposes of the DPA). See also Data Protection Registration.

NB: Notification is not currently required for data controllers who hold only personal paper records. However, all dental practices must comply with the DPA regardless of whether they use a paper or a computerised records system.

Have in place a data protection policy, confidentiality policy and information security policy (i.e. a fair processing notice) that details how the practice complies with the DPA (see the Data Protection, Confidentiality and Information Security Policy May 2018 template (Word)), including:

  • confirmation that personal data will be processed by the practice;
  • the purposes for which the data will be processed;
  • an outline of the manner in which the data will be processed, including to whom any disclosures will be made (including any legal obligations to disclose), how long the data will be retained and how they will be disposed of when no longer required, and how the data will be stored;
  • the rights of patients under the DPA, including their subject access rights (see Patient Access to Records) and to whom such requests should be made;
  • contact details for requests for more information, including subject access;
  • any other relevant information.

Inform patients, on registration with the practice, of how their personal data will be used to provide appropriate dental care (i.e. via a fair processing notice/data protection policy; see GDPR Privacy Notice for Patients May 2018 template (Word)).

NB: The law requires that patients are informed of how their personal data will be processed before processing of the data.

If you have a practice website, include your fair processing notice on the website.

Train staff in the importance of information handling in line with the DPA and maintaining confidentiality of personal data, and ensure staff are familiar with the practice policies on the handling of personal data (see Confidentiality and Disclosure of Information).

Ensure that only registered data controllers and their staff have access to personal data.

Provide adequate back-up systems for storing personal data (see Record-keeping).

Refer to the (UK) Information Commissioner’s Office website [5], the NHS Education for Scotland Information Governance website on The Knowledge Network [6] or BDA guidance [7] for further information.

Sources of Information

  1. Data Protection Act 1998 (1998) www.legislation.gov.uk/ukpga/1998/29/contents
  2. Getting it right: a brief guide to data protection for small businesses. Information Commissioner’s Office (2011) ico.org.uk/for-organisations
  3. Getting it right: small business checklist. Information Commissioner’s Office (2008) ico.org.uk/for-organisations/sme-web-hub/checklists
  4. Notification Under the Data Protection Act 1998. Information Commissioner’s Office ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-protection-act-2018
  5. (UK) Information Commissioner’s Office
  6. NHS Education for Scotland Information Governance website on The Knowledge Network. www.knowledge.scot.nhs.uk/home.aspx
  7. Advice Sheet B2: Data Protection, BDA Practice Compendium. (2007) British Dental Association www.bda.org