Data Protection Bill

Written evidence submitted by the British Dental Association (DPB09)

Data Protection Bill (Lords) Committee

The BDA

1. The British Dental Association (BDA) is the voice of dentists and dental students in the UK, serving as their professional body and trade union. Founded in 1880, and owned entirely by its members, the BDA is able to focus solely on its mission to promote the interests of its members; advance the science, arts and ethics of dentistry, and improve the nation's oral health.

Executive summary

2. This paper outlines the British Dental Association’s concerns about the potential impact of Clause 7 of the Data Protection Bill on General Dental Practice and other NHS primary care providers in the UK. By using the Freedom of Information Act’s definition of a "public authority" and "public body", the Data Protection Bill – possibly unintentionally – goes further than the GDPR, and extends the requirement to appoint a Data Protection Officer to all NHS primary care providers, regardless of their size. This puts an unreasonable, unjustified and disproportional additional burden on these providers, which might lead to them being deterred from delivering NHS care.

Clause 7 and the definition of a "public authority" and "public body"

3. The GDPR requires a body to appoint a Data Protection Officer (DPO) if it is a public authority, or if it processes "on a large scale […] special categories of personal data" (GDPR, recital 97). It does not, however, define what constitutes "a public authority" or exactly what amounts to "large scale" processing.

4. In our opinion, most NHS general dental practices would not be considered to be processing healthcare data on a large scale, and would therefore not be covered by the requirement to appoint a DPO under the GDPR. The Information Commissioner’s Office echoed our view in an information video they posted before the publication of the Data Protection Bill.

5. The Data Protection Bill, however, does go further in this respect than the GDPR and would require all dental practices and other NHS primary care providers to have a designated Data Protection Officer, regardless of their size. This is because the Bill in Clause 7 states that for the purposes of the GDPR the meanings of a "public authority" and "public body" are defined by the Freedom of Information Act 2000 for England, Wales and Northern Ireland, and by the Freedom of Information (Scotland) Act 2002 for Scotland. Under this definition any dental practice or other primary care provider delivering NHS services would be considered a "public body" and therefore be subject to an automatic requirement to appoint a DPO, regardless of its size or how much data it processes.

Data Protection Officers

6. According to the GDPR, Data Protection Officers must have expert knowledge of data protection law and the ability to carry out a range of professional functions, including providing advice and training on legal obligations, and carrying out audits. They should also be in a position to perform their duties and tasks in an independent manner.

7. Although a DPO can be an existing member of staff, most ‘high street’ dental practices will not employ staff with all the required skills – and they do not need to, given the scale on which they process patients’ personal data. This means practices would usually need to hire an external expert to act as their DPO, at significant extra cost.

8. BDA’s market research suggests that outsourcing this service may well cost even the smallest practices in excess of £5,000. A BDA member who owns a single medium-sized practice (two dentists and one dental hygienist) was recently quoted £11,340 for the first year, and £8,640 per year thereafter for an external company to provide DPO support for his business.

9. BDA members are very concerned about the additional costs of this new requirement, and the extra level of red tape about to be imposed on what is already a highly regulated profession. Compliance costs in dentistry are already very high, with the Care Quality Commission and General Dental Council registration, professional indemnity and health and safety equipment costing a single-handed dental practitioner on average almost £22k a year. According to the National Association of Specialist Dental Accountants and Lawyers, the cost of compliance in dentistry went up by 1086% between 2006 and 2016.

10. Dental practices, especially those small or medium sized, can ill afford the significant and unjustified new burden of having to appoint a DPO. Dentists’ incomes have fallen by an average of 35% in the last decade and with all capital, compliance and staffing costs coming out of the dentists’ own pockets, many NHS practices are struggling to stay afloat as it is.

11. Morale amongst dentists practising in the NHS is at an all-time low, and recent BDA research shows that 58% of dentists are looking to leave the NHS in the next 5 years – either to move to fully private practice, move abroad or quit dentistry altogether. The BDA believes the new administrative and financial burdens placed on primary care providers by the Data Protection Bill might contribute towards deterring even more dental practices from delivering NHS work, further compound recruitment difficulties already faced by many NHS practices, and exacerbate existing problems with access to NHS dentistry for patients.

12. Crucially, the BDA believes requiring dental practices to appoint a DPO would bring no benefit to patients and do little to improve the management of personal information held by dental practices. Providers of NHS dentistry are regulated by the General Dental Council as well as by the Care Quality Commission in England, Healthcare Improvement Scotland, Healthcare Inspectorate Wales and the Regulation and Quality Improvement Authority in Northern Ireland, all of which already put strict requirements on them in relation to confidentiality and data security.

Additionally, NHS dental practices in England have to comply with NHS Information Governance requirements. This makes the obligation to appoint a DPO not only burdensome and costly for practices, but also completely unnecessary.

13. The BDA also considers this requirement unfair, as it would put NHS dentists at a disadvantage compared to fully private dental practices. It is important to remember that while most of them provide NHS services, high street dental practices are effectively small businesses. Under the Bill as currently drafted those practices holding an NHS contract (no matter how small their NHS commitment) would need to have a DPO, while private practices might well not be covered by this requirement – a distinction which seems to us arbitrary and unfair, and might further contribute to some providers giving up their NHS commitments and turning fully to private work.

Proposed amendment

14. The British Dental Association, alongside our colleagues in the Optical Confederation, the Pharmaceutical Services Negotiating Committee and the National Pharmacy Association, would like to see Clause 7 of the Data Protection Bill amended to exclude NHS primary care providers from the definition of "public authorities" for the purposes of the GDPR. All four organisations support the proposed amendments below, which we believe would achieve this objective.

15. This proposed change would not mean all NHS primary care providers would be free from the requirement to appoint a DPO – any large providers or chains would still be subject to it under the GDPR by virtue of processing sensitive data on a large scale. These amendments would only take this duty away from small-scale independent NHS providers, bringing the Bill in line with the original intention of the GDPR in this respect.

Clause 7, Page 5, leave out line 9

Clause 7, Page 5, line 8, at end insert –

"subject to subsections (1A), (2) and (3).

(1A) Primary care service providers are not a "public authority" or "public body" for the purposes of the GDPR by virtue of the fact they are defined as a public authority by either

(a) paragraphs 43A to 45A inclusive or paragraph 51 of Schedule 1 to the Freedom of Information Act 2000; or

(b) paragraphs 33 to 35 inclusive of Schedule 1 to the Freedom of Information (Scotland) Act 2002."

March 2018

 

Prepared 12th March 2018