Data controller or processor?
With the spotlight on data protection following the introduction of the General Data Protection Regulation (GDPR), many practices have been reviewing their current arrangements.
One area that seems to have caused confusion and has prompted calls to the DDU is the distinction between a data processor and a data controller.
In particular, dental associates and hygienists are unsure whether they meet the criteria for a data controller and are therefore required to register with the Information Commissioner’s Office (ICO).
There are a number of different working and contractual arrangements between dentists and dental associates or hygienists and so it is not possible to be unequivocal on this question.
However, we believe that dental professionals would generally have no need to register with the ICO if they only work in someone else’s practice and input patient records onto a practice computer.
If, on the other hand, a dental professional takes patient data out of the practice and holds it on a personal computer or in hard copy, they are a controller and need to be registered.
For anyone who is still unsure, the ICO poses a number of questions that might clarify their status:
- Are you responsible for the control and security of patient records and have other responsibilities associated with the data?
- Do you have a patient list separate from the practice in which you treat patients that would follow if they left?
- Do you treat the same patient at different practices?
- If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter?
Anyone who answered ‘yes’ to any of the above questions is likely to be a data controller and will need to register with the ICO.
The DDU’s understanding of the final bullet point is that it relates to a complaint about data handling or loss, rather than a patient’s complaint about treatment in general.
Finally, don’t be tempted to register with the ICO as a data controller simply as a precaution.
The role carries significant responsibilities and, under GDPR, data controllers are required to pay a fee based on the size of their organisation.
Pick up the phone to the DDU or your own dental defence organisation if you are unsure.
Read more from John Makin: