Whether self-employed team members should register with the ICO?
Some dental advisers recommend that self-employed associates and hygienists do not have to register with the Information Commissioner (ICO). CODE’s advice is that we recommend registration for all self-employed dentists, hygienists, clinical lab technicians (at the practice) and therapists but we do not say they must register. Here is our rationale:
The ICO says in its advice for dentists, which you can download here:
“1. Are you responsible for the control and security of patient records, and do you have other responsibilities associated with the data?
2. Do you have a patient list separately from the practice in which you treat patients, that would follow you if you left?
3. Do you treat the same patient at different practices?
4. If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter”
Further on in one of the examples the ICO explains:
“A self-employed associate dentist works for a small practice, led by a principal dentist. The principal dentist organises the premises and IT systems. The associate treats only those patients who come to the practice, and does not treat patients at any other practice. When the associate leaves the practice, he does not take any patient data with him. The associate is unlikely to be a data controller, and therefore will not need to register with the ICO.”
‘High risk – low cost’
CODE always looks at regulations and requirements situations differently because we understand the business of dentistry, we always aim to reduce risk to practice owners and managers as much as possible. The new cost of registering is just £40 and it’s easy to do and renews automatically by direct debit. So it’s negligible cost and administration.
If you look at point 4 above:
“4. If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter”
This is a grey area isn’t it. If the complaint was made to the GDC, say because an email was sent to the wrong patient about someone else’s treatment, the treating dentist may be responsible to the GDC even if they were self-employed. But who might be responsible for the data breach – the data controller or the associate dentist of the patient. Note that in the example the ICO says “The associate is unlikely be a data controller”, but the ICO doesn’t give any protection by saying that ‘the associate isn’t the data controller’. If the associate is ‘unlikely’ to be, then there is a possibility that they may be considered to be a data controller. Do you want to be involved in potentially sorting that complexity in court, with the ICO or at the GDC?
In the end it’s up to the practice to decide
That’s why CODE would still recommend that all self-employed associates, hygienists, therapists and clinical lab technicians register and maintain registration with the ICO. But we don’t say they have to register. I have explained our ‘high risk low cost’ strategy, but you may decide only to register the practice, or in the case of a partnership the partners, and let every self-employed team member be a processor, it’s up to you.
The CODE data controller concepts are more fully explored in the iComply members document ‘Data Protection Overview (M 216).
Data processor or controller
If your self-employed team members such as the associates, therapists or hygienists do not register with the ICO they will be your data processors. In which case they will each need to sign the iComply ‘Contract for Data Processor and Joint Dental Controller (M 217UA)’ as a ‘Data Processor’.
If the associates, therapists or hygienists do each register with the ICO, then they will be data controllers in their own right. In which case the practice owner should sign a version of Contract for Data Processor and Joint Dental Controller (M 217UA) for each of them as a ‘Joint Dental Controller’.
Keep this signed agreement in the confidential personnel file or as a secure document in iComply.