
All dental practices process personal information about patients and staff and therefore must comply with data protection legislation [Data Protection Act 2018 (DPA 2018)] [1]. The eight data protection principles outlined under the UK General Data Protection Regulation (UK GDPR) [2] reflect the dental profession’s ethical principles.

Comply with the UK GDPR [2] principles by ensuring that personal information is:

  • fairly and lawfully processed in a transparent manner
  • processed for limited purposes (i.e. obtained only for specified and lawful purposes and further processed only in a compatible manner)
  • adequate, relevant and not excessive (data minimisation)
  • accurate and up to date
  • not kept for longer than is necessary (storage limitation)
  • processed with integrity and confidentiality (security) (e.g. password protected or kept in restricted-access locked cabinets)
  • handled with accountability (e.g. the practice can demonstrate compliance with the above principles).

Have in place a data protection policy, confidentiality policy and information security policy that details how the practice complies with the DPA 2018 [1] (see Data Protection, Confidentiality and Information Security template), including:

  • confirmation that personal data will be processed by the practice
  • the lawful basis for processing personal data
  • procedures for ensuring compliance with data protection legislation
  • an outline of how the data will be processed, including with whom any data will be shared, how the data will be stored, how long the data will be retained, how it will be disposed of when no longer required and how data breaches will be dealt with
  • the rights of patients under the DPA 2018, including their subject access rights (see Subject Access Requests)
  • contact details for requests for more information, including requests under the data subject's right of access
  • any other relevant information.

Inform patients, on registration with the practice, how their personal data will be used to provide appropriate dental care (see Privacy Notice and GDPR Privacy Notice for Patients template).

NB: The law requires that patients are informed of how their personal data will be processed before processing of the data takes place.

Include your privacy notice on your practice’s website if you have one.

Ensure that only relevant data controllers and their staff have access to personal data.

Provide adequate back-up systems for storing personal data (see Record-keeping).

Refer to the (UK) Information Commissioner’s Office website for further information.

Sources of information

  1. Data Protection Act 2018
  2. The UK GDPR. Information Commissioner's Office

Templates