
The Data Protection Act 2018 (DPA 2018) [1], the UK General Data Protection Regulation (UK GDPR) [2] and the Data (Use and Access) Act 2025 (DUAA 2025) [3] make data protection by design and default a legal requirement. As data controllers, dental practices are required to comply with data protection by design and default approaches.

Data protection by design and default approaches require appropriate technical and organisational measures that implement the data protection principles effectively and safeguard individuals' rights from the planning stage of a process or project through to its end. By limiting the personal data collected and using the data gathered only for its specific purpose, the data protection by design and default approach satisfies the data protection principles of 'data minimisation', 'purpose limitation' and 'accountability', for example:

  • collecting only relevant social history on patient registration/medical history forms;
  • restricting access to the patient notes to the staff providing treatment;
  • destroying/deleting personal information/patient records when no longer required (ensuring you follow retention period requirements).

The benefits of this approach include identifying privacy issues at an early stage and increasing awareness of data protection; it also forms part of the wider focus on accountability.

The Information Commissioner's Office has further advice:

Data protection by design and default

Ensure that data protection by design and default approaches are key considerations whenever you establish or amend processes that deal with the processing of personal data.

Sources of information

  1. Data Protection Act 2018
  2. The UK GDPR. Information Commissioner's Office
  3. Data (Use and Access) Act 2025