CQC, DSPT and GDPR: The Data Security Requirements Every Dental Practice Must Meet

Few small organisations face as many overlapping regulatory obligations around data security as dental practices. The Care Quality Commission, NHS England, the Information Commissioner's Office, and the General Dental Council each have expectations — some explicit, some implicit — about how a dental practice protects the information it holds. Understanding how these frameworks fit together, where they overlap, and what demonstrably meeting them looks like is a practical requirement for any practice owner or manager who takes their compliance obligations seriously.

The Care Quality Commission

The CQC regulates dental practices under the Health and Social Care Act 2008 and its associated regulations. Regulation 17 — Good Governance — requires registered providers to maintain securely and accurately an accessible and up-to-date record in respect of each service user, and to maintain such other records as are necessary to be kept. Regulation 17 also requires that systems and processes are established and operated effectively to ensure compliance with requirements.

In practice, the CQC's inspection approach assesses whether practices have robust information governance arrangements in place. Inspectors ask about data protection policies, staff training, breach response procedures, and — increasingly — whether the practice has any formal cyber security assessment or certification. A practice that cannot demonstrate that its patient records are appropriately secured, backed up, and accessible will receive adverse findings under the safe and well-led key question domains.

The CQC does not itself impose fines for data security failures — that is the ICO's function — but a CQC inspection that reveals inadequate information governance can trigger a requirement notice, result in an inadequate rating, and in serious cases lead to enforcement action that affects the practice's registration. A practice that loses its CQC registration cannot legally operate.

NHS England and the DSPT

The Data Security and Protection Toolkit is an online self-assessment tool that all organisations with NHS contracts — including dental practices — must complete annually. The DSPT maps to the National Data Guardian's Ten Data Security Standards and requires practices to confirm that they have implemented specific controls across staff training, data security policies, backup arrangements, incident response, and technical security measures.

The ten standards include Standard 6 (Cyber Attacks), which specifically requires that organisations have processes to identify, report and learn from cyber attacks and security breaches, and Standard 7 (Continuity Planning), which requires that business continuity plans are in place, including for cyber incidents. For a dental practice with an NHS contract, completing the DSPT is not optional — it is a contractual requirement with NHS England.

The DSPT has three completion levels: Not Started, Approaching Standards, and Standards Met. Practices that achieve Standards Met can display the DSPT badge, which signals to NHS England, patients, and partners that the practice has met the minimum threshold. Practices that submit inadequate responses — or that answer questions positively without having the controls in place to support those answers — are not just non-compliant with the toolkit; they have made a materially inaccurate declaration to NHS England. The contractual and reputational consequences of this becoming known, particularly following a breach that reveals the gap between declared and actual controls, are significant.

UK GDPR and the ICO

As discussed in our previous post, patient health data is Special Category data under Article 9 of UK GDPR. The security requirement under Article 32 — appropriate technical and organisational measures — applies with particular force to Special Category data. The ICO's own guidance notes that the higher the sensitivity of the data, the more robust the security measures need to be.

The 72-hour breach notification requirement deserves specific attention for dental practices. A ransomware attack, a stolen device containing patient records, a compromised email account used to handle referrals, or an inadvertent disclosure of patient information to the wrong recipient all potentially require notification to the ICO within 72 hours of the practice becoming aware. For practices that discover an incident on a Friday afternoon, that 72-hour window runs over the weekend — a fact that makes having a clearly documented breach response procedure, and a security monitoring service whose analyst can assess scope and help draft the initial ICO notification, a practical operational requirement rather than a bureaucratic nicety.

The ICO's enforcement record in the healthcare sector demonstrates that small organisations are not exempt from regulatory action. Enforcement notices and fines have been issued to small GP practices and healthcare providers for failures that would be recognisable to most dental practices: inadequate encryption on portable devices, systems without current security patches, staff accessing patient records without clinical need. The pattern of enforcement in healthcare settings makes clear that the ICO considers a dental practice to be a healthcare organisation, and holds it to the standards appropriate to that category.

The General Dental Council

The GDC's Standards for the Dental Team include Standard 4 — Maintain and Protect Patients' Information — which requires that dental professionals keep patient information confidential, securely store and handle it, and only share it where appropriate. The GDC's guidance is explicit that confidentiality obligations apply to electronic records as much as to paper records, and that dental professionals have a responsibility to ensure that systems used to store patient information are adequately secured.

A data breach involving patient health information that becomes the subject of a GDC fitness to practise investigation is not merely a regulatory data protection matter — it is a professional conduct matter with consequences for registration. The GDC has considered cases where inadequate information security contributed to patient harm or loss of trust, and the professional consequences can include conditions on registration or, in serious cases, suspension.

How the Frameworks Interact in Practice

These four frameworks — CQC, DSPT, UK GDPR/ICO, and GDC — are not entirely separate. A single incident — say, a ransomware attack that encrypts the patient database — simultaneously triggers DSPT incident reporting obligations, ICO breach notification requirements, potential CQC enforcement if patient care is compromised, and GDC fitness to practise considerations if the breach resulted from a persistent failure to meet professional standards. The frameworks overlap and amplify each other's consequences.

The practical implication is that meeting the minimum threshold of one framework does not discharge the obligations under the others. A DSPT submission that achieves Standards Met but relies on controls that do not actually meet the ICO's Article 32 requirements provides limited protection in the event of a breach. Genuine compliance requires controls that meet the most demanding of the applicable standards — not the lowest common denominator.

What Demonstrably Meeting All Four Frameworks Looks Like

Across all four frameworks, the controls that create demonstrable compliance share common characteristics:

DSPT, CQC, GDPR. One Service Addresses All Three.

SOC in a Box provides the continuous monitoring, Cyber Essentials certification, and monthly Confidence Score reports that constitute demonstrable compliance across your CQC, DSPT, and ICO obligations simultaneously. Your named analyst understands the NHS data security environment and produces the monthly evidence your DSPT re-assessment and ICO accountability principle both require.