Dental practices may have to share personal data with third parties, for example when referring a patient to a specialist, when requesting dental laboratory work or for payroll purposes. To comply with the Data Protection Act 2018 (DPA 2018) [1] and the UK General Data Protection Regulations (UK GDPR) [2], you should have agreements in place with these external processors to ensure that they will only process the data for the specific purposes that it was shared with them.
When transferring personal data, you should ensure that the route you use (e.g. by post or by email) is secure.
The ICO has a list of FAQs of Data storage, sharing and security
Ensure that before sharing data with external processors, you have agreements in place that cover:
- What type of personal data you will share with the processor?
- How the processer will use the personal data?
- How the processor will securely store the personal data and for how long?
- How the processor will dispose of the personal data?
Ensure that the route you use to transfer personal information is secure.
- When sending personal data by post, consider using recorded delivery services.
- When sending personal data by email, use the secure NHS.net email system or, if sending the information outside the NHS, ensure the email is encrypted.
- If sending a high volume of sensitive or personal identifiable information, you may consider using the NHS Scotland SWAN Secure File Transfer Service.