ROPA

Meeting the ROPA requirements (Record of Processing Activities)

How you meet the ROPA requirements in a dental practice

When we analysed the requirements for a dental practice, CODE used its experience to create a system that is proportionate to a small business of our size.

Here is the actual legislation:

(1) Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.

That record shall contain all of the following information:

  • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • The purposes of the processing;
  • A description of the categories of data subjects and of the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  • Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • Where possible, the envisaged time limits for erasure of the different categories of data;
  • Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

(2) Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

  • The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
  • The categories of processing carried out on behalf of each controller;
  • Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

(3) The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

(4) The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.

(5) The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

In a dental practice, the processing activities, once set up, don’t change much year on year and are mostly limited to providing dental healthcare and preventive dentistry, communicating with patients, managing and communicating with employed and self-employed team members, criminal record checks, carrying out our legal obligations, setting up and fulfilling contracts and, usually, some form of marketing. At CODE we break this down so that the following requirements are addressed in Information Governance Procedures (M 217C) and your Privacy Notice (M 217T):

  • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • The purposes of the processing;
  • What is processed;
  • A description of the categories of data subjects and of the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  • Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • A general description of the technical and organisational security measures referred to in Article 32(1).

This requirement:

Where possible, the envisaged time limits for erasure of the different categories of data

is addressed in your Privacy Notice (M 217T) and also in Record Retention (M 215).

Your records of people who request deletion of data, copies of data (their data rights) etc. are kept in Data Requests Record (M 217RX).

Your processing records will be in your dental software for recalls and in your email software if you are sending out email newsletters. When you process data on behalf of your staff members, the record will be in their personnel files, i.e. the documents themselves. If you send out manual recalls or printed newsletters etc., you should keep a manual record of those, perhaps in a spreadsheet.

As for the requirements for data processors: if they are external companies such as Microsoft, Dropbox or cloud-based dental software providers, they will either have their own terms setting out how they meet the requirements or, if they are a smaller company, you will have asked them to sign the Model Contract for Data Processor (M 217UA). The details of all your data processors should be listed in your Information Governance Procedures (M 217C). Your self-employed staff will also sign the contract, either as a ‘Data Processor’ or as a ‘Joint Data Controller’ if they register individually with the ICO.

Please refer to point number 5 in the ROPA requirement at the top of this article: it concerns who the obligations apply to, which has a bearing on the ROPA requirements. Here again, primary care seems to have been ‘caught in the net’ of regulations that were designed for much bigger organisations.

At CODE iComply we consider our approach to be proportionate in meeting the ROPA requirements, but if you think of anything that has been missed or could be improved, please let us know. GDPR and the Data Protection Act 2018 are a ‘moving target’ at the moment and we are all learning as new guidelines from the ICO come out. You can read what the ICO says about ROPA here. It all seems to be covered by the iComply information governance policies, procedures and risk assessments.

Our GDPR guidelines are being updated as new information is released by the ICO and as the ICO provides its advice on the new Data Protection Act, so there may be some changes in the pipeline. We will let all iComply members know about them as we find out about them ourselves, and will publish the changes in the next Data Protection newsletter.

iComply
To find out more about iComply and a special newsletter offer, click here or email hello@icomply.cc or call 01409 254 354. You can also arrange a free online demonstration.

Terms of use: information in this article is written in general terms and is believed to be based on the relevant legislation, regulations and good practice guidance. This information is indicative only and is intended as a guide for you to review and take particular professional advice to suit your circumstances. CODE is a trading name of the Confederation of Dental Employers Ltd and it licenses information to Codeplan Ltd. CODE and Codeplan do not accept any liability for any loss or claim that may arise from reliance on information provided. The use of this information indicates acceptance of these terms. ©CODE 2018.