
All dental practices hold personal information about patients and their staff (as either paper or computerised records), including patient databases, billing and recall systems, staff absence and sickness records and training plans, and are therefore ‘data controllers’. 

Following the introduction of the Data Protection Act 2018 [1], data controllers must pay an annual data protection fee to the ICO (unless they are exempt) but are not required to give details of the types of processing carried out.

The size of the data protection fee is dependent on the number of staff working in your practice and the practice’s financial turnover. The ICO has provided the following resources:

An online self-assessment tool is available to help you work out which fee applies to you.

The ICO also provides a useful checklist regarding obligations of both data controllers and data processors.

To comply with data protection legislation, pay the relevant data protection fee to the (UK) Information Commissioner’s Office if you hold personal information about:

  • staff in the form of computerised records (e.g. absence and sickness records, training plans)
  • patients in the form of computerised records and you are the ‘owner’ of your own patient list (this is likely to apply to most dentists; for details and exceptions see ‘Do I have to pay the data protection fee?’ below).

NB: Certain exemptions exist, for example, a data protection fee is not currently required for data controllers who do not electronically hold or process personal information. See the ICO Guide to the data protection fee for more details.

Inform the (UK) Information Commissioner’s Office of any change to your registration (e.g. change of address, contact details, trading names).

  • If a registered data controller moves practice, provided there is no change to the legal status, the notification can be amended to reflect the address change. If the data controller changes their legal status (e.g. sole trader to partnership), then a new notification is required.

For details of whether or not you are required to pay a data protection fee, see ‘Do I have to pay the data protection fee?’ below. The ICO has provided a list of frequently asked questions which may also be helpful.

Because of the variety of working relationships that exist in dental practice, it is difficult to be definitive about which individuals are classed as data controllers. The series of questions below may help clarify whether an individual is a data controller and needs to pay the data protection fee:

  • Are you responsible for the control and security of patient records, and do you have other responsibilities associated with the data?
  • Do you have a patient list separately from the practice in which you treat patients that would follow you if you left?
  • Do you treat the same patient at different practices?
  • If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter?

If you answer ‘yes’ to any of the above questions, you are likely to be a data controller and will need to pay the ICO a data protection fee. If you are still unsure, contact the ICO for advice.

 

Vocational dental practitioners (VDPs) and assistants who are employed by the practice are not considered to be data controllers and will not have to pay the data protection fee.

 

Dental care professionals directly employed by the practice (dental nurses, hygienists, therapists) and non-clinical practice staff are not considered to be data controllers and will not have to pay the fee.

 

Associates, hygienists and therapists who are self-employed might be required to pay the data protection fee. Refer to the first bullet point above to determine if an associate, hygienist or therapist is a data controller, or contact the ICO for advice.

 

A data controller who works at more than one site only has to pay one data protection fee.

 

It is likely that dental practices registered as limited companies can register the practice name, rather than individual practitioners’ names; however, it is advisable to contact the ICO for advice.

 

Notifying the ICO of changes to the registration entry is a legal requirement (see above for the categories that require notification of change).

 

A dentist who does not register or fails to renew their registration each year may be liable to prosecution, a fine and a complaint to the General Dental Council (GDC). 

Sources of information

  1. Data Protection Act 2018