- General Dental Council
- NHS Counter Fraud Authority
- Principles of collaboration
- Working together
- Information Sharing
- Liaison and dispute resolution
- Point of contact
- Types of information
- Data control
- Sharing framework
- Legal Basis for Sharing
- Access and Individual Rights
- Security of information
- Information Governance
- The General Dental Council
37 Wimpole Street, London, W1G 8DQ;
- NHS Counter Fraud Authority Fourth Floor, Skipton House, 80 London Road, London, SE1 6LH; and
- NHS Counter Fraud Services (NHS Wales)
First Floor Block B, Mamhilad House, Mamhilad Park Estate, Pontypool, NP4 0YP
being collectively “the Parties”.
NHS Counter Fraud Authority represents both NHS Counter Fraud Authority (England) and NHS Counter Fraud Services (Wales).
Purpose and Aims
This agreement describes the roles of the General Dental Council (GDC) and NHS Counter Fraud Authority (NHSCFA) and outlines the basis of cooperation and collaboration between the Parties. It sets down the principles underpinning the interaction between the Parties and provides guidance on the exchange of information between them.
This agreement is a statement of principle; more detailed operational protocols and guidance will be developed, as and when these are required. This agreement supports the GDC’s role as the statutory body responsible for the regulation of dentists and dental care professionals.
This agreement applies to England and Wales and is intended to provide a framework to assist the joint working of the Parties to ensure maximum effectiveness and efficiency when carrying out investigations. The agreement includes practical arrangements designed to ensure the relationship is effective and that together both Parties meet their aims and objectives, particularly when there are overlapping interests and responsibilities.
Although the Parties agree to adhere to the contents of this agreement, it is not intended to be a legally binding document. The agreement does not override each Party’s statutory responsibilities or functions, nor does it infringe the autonomy and accountability of either Party or their governing bodies.
The aims of this agreement are to:
- reduce fraud and corruption within the dental profession;
- maintain patient safety and confidence in the dental profession;
- support the sharing of information, intelligence, expertise and experience;
- contribute to improving the regulatory oversight of the dental profession;
- create the potential for reducing the burden of inspection activities in Fitness to Practise; and
- define the circumstances in which the two organisations will act independently.
The term “information” is used in this agreement by NHSCFA to refer to any and all information or data used for NHS business purposes and by the GDC for patient and public safety purposes, including commercial, business, personal and sensitive information or data. The medium in which information or data may be displayed, presented, shared, disclosed or processed, may be in the form of hard-copy or electronic data, records or documents.
To facilitate the sharing of information, both Parties will follow due processes as they are defined in the agreement.
The General Dental Council
The GDC is the statutory body independent of the NHS and of Government, with responsibility for maintaining the dentist and dental care professionals’ registers for the United Kingdom. The GDC aims to protect patients, and to promote public confidence in dentists and dental care professionals.
The GDC has duties and enforcement powers under the Dentists Act 1984. These duties and powers enable the GDC to:
- maintain registers of qualified dental professionals;
- set standards of professional and ethical conduct;
- set standards and assure the quality of dental education;
- ensure professionals keep their skills and knowledge up-to-date;
- investigate complaints or concerns about a dentist or a dental care professionals’ fitness to practise and reports of illegal practice; and
- work collaboratively to strengthen patient protection.
The GDC has statutory powers to take action where there are concerns about the fitness to practise of a registered dentist or dental care professional. This includes those registrants whose fitness to practise is affected by their health.
NHS Counter Fraud Authority
NHSCFA is an independent Special Health Authority established in November 2017. NHSCFA leads on work to identify and tackle fraud across the NHS. Its purpose is to safeguard NHS resources so that the NHS is better equipped to care for the nation’s health, providing support, guidance and direction to the NHS. This work enables effective prevention, detection and enforcement action to take place against fraud and fraudulent activity. NHSCFA also collects, collates and analyses information that holds intelligence value, which in turn broadens the understanding of fraud risks in the NHS.
NHSCFA has duties and enforcement powers under the NHS Act 2006, the Health and Social Care Act 2012, and the NHS Counter Fraud Authority (Establishment, Constitution and Staff and other Transfer Provisions) Order 2017, issued by the Secretary of State for Health. NHSCFA is responsible for:
- leading on work to protect NHS staff, patients and resources from fraud, bribery and corruption, educating and informing those who work for, who are contracted to, or who use the NHS about fraud in the health service and how to tackle it;
- preventing and deterring fraud in the NHS by reducing it and removing opportunities for it to occur or to re-occur; and
- holding to account those who have committed fraud against the NHS by detecting and prosecuting offenders and seeking redress where viable.
NHS England follows the NHSCFA strategy when undertaking its own work to tackle fraud.
Officers working for NHS England must report any suspicions of fraud to NHSCFA as soon as they become aware of them to ensure they are investigated properly and maximise the chances of financial recovery.
The majority of allegations of fraud will be investigated by nominated and accredited Local Counter Fraud Specialists on behalf of NHS England.
NHSCFA will work cooperatively with Local Counter Fraud Specialists appointed by NHS England to ensure work is conducted to prevent, deter and detect fraud within and against NHS England.
NHSCFA’s arrangement with the wider Local Counter Fraud Specialists community, means that the GDC will have access to relevant information from the local counter fraud specialists.
NHSCFA will investigate cases of fraud that cannot be dealt with by NHS England, including cases of bribery and corruption.
The GDC’s role in regulating dentists and dental care professionals means that its processes are distinct from those of the NHS.
The GDC is committed to working collaboratively with NHSCFA, the NHS as a whole, and others, to ensure that patients and the public’s safety is upheld. This agreement is intended to ensure that effective channels of communication are maintained between the Parties.
NHSCFA is committed to reducing fraud and, corruption within the NHS to a minimum, and to put in place arrangements to hold fraud and, corruption at a minimum level permanently. Working in collaboration with the GDC will ensure patients and public are protected and allegations of suspected fraud and, corruption, which are received by the GDC, can be passed to NHSCFA for investigation. Such information is vital for NHSCFA to ensure that systems and procedures can be assessed for their ability to prevent, reduce, detect or measure fraud and, corruption within the NHS in England and Wales.
Fraud and, corruption within the NHS are unacceptable. Fraud and corruption divert essential NHS funds and resources away from patient care and, where health professionals are involved in such offences, undermines patients’ confidence and trust in those professions.
It is in the interests of patients that effective action is taken against the small minority of health professionals who are engaged in fraud and, corruption and, to that end, the GDC and NHSCFA will cooperate to tackle fraud and corruption within the health service.
The GDC and NHSCFA intend that their working relationship will be characterised by the development of this agreement, through which both parties can:
- reduce fraud and corruption within the dental profession;
- make decisions that promote patient and public safety;
- share information, intelligence, expertise and experience;
- address overlaps and gaps in the regulatory framework;
- cooperate openly and transparently with the other Party;
- respect each Party’s independent status; and
- use resources effectively and efficiently.
As signatories to this agreement, both Parties agree to a joint professional approach in support of the following commitments:
- Supporting a real anti-fraud culture within the health service, where fraud and corruption are regarded by everyone as unacceptable and where everyone understands the role they can play in eliminating such offences.
- Support and where possible facilitate initiatives to ensure that fraud and corruption can be measured accurately.
- Support initiatives to revise policies, procedures and systems, to minimise the risk of fraud and, corruption being perpetrated and to ensure that, where necessary, they clearly distinguish between deliberate fraud and unintentional error.
- Ensure, through compliance with suitable guidance, that all cases of suspected fraud and, corruption are examined in a fair, objective, expert and professional way, to demonstrate the truth or otherwise of the suspicion, and that where fraud and, corruption is proved press for appropriate sanctions to be imposed.
- In recognition of the reality that it is only through access to information that the truth or otherwise of a suspicion of fraud and, corruption can be determined, cooperate in sharing ways of accessing information where this is in the public interest.
- Work together to ensure that NHSCFA’s anti-fraud and anti-corruption strategy is effective and this agreement remains meaningful, relevant and subject to review.
Both Parties hold and use sensitive information about organisations and individuals in order to perform their core functions. It is important that such information is on occasion shared between the Parties. The Parties recognise that this exchange of information needs to be carried out responsibly and within the guidelines set out in this agreement.
Both Parties are subject to the duty of confidentiality owed to those who provide them with confidential information and the confidentiality and security of this information will be respected. It is understood by both Parties that statutory and other constraints on the exchange of information will be fully respected, including the requirements of the GDPR 2016, the Data Protection Act 2018, the Freedom of Information Act 2000 and the Human Rights Act 1998.
Both Parties are committed to the principle of using information more effectively as a means to reducing the burden of administration and regulation.
The GDC routinely publishes information about the sanctions it has imposed when registrants are not fit to practise.
The Parties acknowledge that intelligence can be received by way of complaints, professional whistleblowing, concerns raised by members of the public, referrals from other public bodies (including overseas regulators or investigatory bodies), or by information received from other sources (e.g. from press monitoring or during the course of routine inspections to registered dental premises).
If either Party receives intelligence which:
- indicates a significant risk to the health and wellbeing of the public, particularly in relation to the safety of the dental profession or the conduct of a registrant;
- indicates a significant risk of fraudulent activity against the NHS; and/or
- requires a coordinated multi-agency response;
this information will be shared in confidence with the contact specified below within the other Party at the earliest possible opportunity.
NHSCFA has a duty, under the National Health Service (Performers Lists) Regulations 2013, to respond to enquiries from persons, bodies or agencies considering applications from individuals or body corporates for inclusion on a dental performers list, whether the individuals or directors of the body corporates have any record of, or are under investigation for, fraud. To facilitate these checks, it is important that intelligence held by the GDC relating to fraud offences by registrants is shared with NHSCFA on a timely basis. The regulations can be viewed at:
NHSCFA has a responsibility to protect NHS staff, patients and resources from fraud, bribery, corruption, by way of effective prevention, detection and enforcement action against fraudsters and fraudulent activity. To facilitate this work, it is important that intelligence held by the GDC relating to registrant’s fitness to practise is shared with NHSCFA in a timely manner.
The GDC is responsible for regulating the dental profession, which includes taking action when allegations are received which question a dentist or dental care professional’s fitness to practise. This can include allegations relating to fraudulent activity. To facilitate this work, it is important that intelligence held by NHSCFA relating to investigations into dentists or dental care professionals is shared with the GDC in a timely manner.
Where the GDC becomes aware of allegations against people abusing the NHS, NHSCFA will be informed (if it is not clear that they are already aware) if there are clear allegations of fraud, corruption, or bribery.
In cases where there are other allegations of dishonesty or criminality, the GDC will disclose relevant information and documentation to NHSCFA where such allegations are relevant to NHSCFA’s core functions. However, whether such disclosure takes place will depend on the circumstances of the case and the seriousness of the allegations.
In cases where the GDC staff are in doubt as to whether a case should be disclosed to NHSCFA, they will make contact with the point of contact specified below in order to discuss the matter. Any discussions at this stage will be anonymised. The GDC staff will be able to rely on the fact that if the specified NHSCFA contact indicates that they wish to receive full disclosure, this will be on the basis that it is essential for NHSCFA’s core purpose or is in the public interest.
Where NHSCFA is aware that during or following an investigation, information exists that persons of relevance to the GDC have been involved in fraud, corruption or bribery, the GDC will be informed of such matters. The GDC will consider whether any further investigation needs to be carried out.
In cases where NHSCFA staff are in doubt as to whether a case should be disclosed to the GDC, they will make contact with the point of contact specified below in order to discuss the matter. Any discussions at this stage will be anonymised. NHSCFA staff will be able to rely on the fact that if the specified GDC staff indicate that they wish to receive full disclosure, this will be on the basis that that is essential for the GDC’s core purpose or is in the public interest.
Where a case has resulted in a criminal prosecution, NHSCFA will share details of the case with the GDC. That information will already be in the public domain and consent to disclose that information will not be required.
In cases where an investigation has concluded that there was no fraudulent activity, but indicates there may be concerns about the activities of persons of relevance to the GDC, the information will be passed to the GDC to enable the GDC to decide on the seriousness of the allegations and whether they should be referred under its fitness to practise process. The GDC will share that information with the registrant and their representatives and other third parties involved in the case (where appropriate) and through the provision of that information to the GDC, NHSCFA is consenting to the disclosure of that information.
When information is disclosed to the GDC there will be a discussion in advance about the timing of any action that the GDC may consider appropriate, including disclosure of the case to the employer and individual involved. The GDC will consider any request to delay action which may compromise any current NHSCFA investigation. However, NHSCFA recognises that action may need to be taken by the GDC where it is in the public interest to do so.
In cases where NHSCFA becomes aware of allegations or evidence that an individual may be posing as a registered (or licensed) or competent registrant, either through a stolen identity, fraudulently acquired registration or through falsified qualifications, NHSCFA will immediately contact the GDC via the point of contact specified below. NHSCFA will provide all available information that might suggest that an individual is falsely posing as qualified, competent or as a GDC registrant. In these cases, the primary concern for both Parties will be patient safety. The GDC will take whatever action is appropriate in the interests of protecting patients.
There may be occasions when the Parties need to undertake concurrent investigations. When this occurs both Parties will take steps to ensure that they do not undermine the progress and/or success of each other’s investigation. This may include allowing criminal investigations to take place as a priority. There may, however, be occasions when the GDC will need to act swiftly to take steps to protect public safety and would do so with due regard for other known ongoing investigations.
Where either Party intends to undertake an investigation (over and above any routine inspection activity) the contact in the other Party specified below should be alerted, in confidence, at the earliest possible opportunity.
Outcomes arising from any relevant investigations actioned by either Party will be shared with the contact specified below at the earliest possible opportunity.
Where joint or parallel investigations are required, preliminary discussions should resolve any potential areas of conflict or overlap, arising from each Party’s respective powers.
Where NHSCFA has taken or intends to take enforcement action or the GDC intends to take action, the outcome of which is relevant to the other Party, details will be shared at the earliest possible opportunity with the single point of contact or the relevant authorised officer in Appendix 1, specified below.
Areas of communication between the Parties include, but are not limited to:
- sharing of expertise and experience
- discussions about strategy/policy
- discussions about individual registrants
- sharing experiences of investigations or trends
- sharing views and information about how improved performance might be encouraged
- publicising joint working commitments
Meetings between managers within the Fitness to Practise and Registration departments of the GDC and counterparts within NHSCFA, to facilitate the development of effective investigative methodologies. These meetings may involve discussion about particular cases (anonymised if appropriate) and the Parties may be able to share information about approaches to investigations which have been successful in particular circumstances or about useful contacts within other organisations.
Meetings between the Parties will provide an opportunity to discuss strategic/policy developments which may impact on each other’s work. Whilst it is not possible to predict all future developments which may be of mutual interest, it is clear that when either Party is reviewing disclosure policies, for example, discussion will be valuable.
Whilst both Parties have very distinct roles, it is clear that there is an overlap where there are allegations that persons of relevance to the GDC working in or for the NHS has acted dishonestly or fraudulently and one or both Parties are investigating the individuals in question. Where this kind of issue arises, it is essential that knowledge and information is shared at an early stage between the two Parties in order to allow both to carry out their core functions
From the many cases that both Parties handle, common themes frequently arise. Working collaboratively and sharing this information will enable trends and weaknesses to be quickly identified. Opportunities to deal with the cause of the problems can be discussed and wherever possible fed into policy discussions to work towards changes in practice to prevent further opportunities for fraud, corruption, bribery and other dishonesty.
By sharing this information, appropriate strategies for disseminating information on best practice can be identified and implemented.
Making known, the Parties’ commitment to working together and sharing information about potential media interest, or when the media have actively shown an interest, on an issue of relevance to both organisations. Thereby, supporting an anti-fraud culture within the dental industry and the wider health service, including where possible promotion of the NHS Fraud and Corruption Reporting Line.
The working relationship between the Parties will be characterised by regular ongoing contact and the open exchange of information and intelligence, through both formal and informal meetings at all levels, including senior levels.
Disclosures from either Party to the other will be regularly monitored to ensure that arrangements are working effectively.
Liaison and dispute resolution
The effectiveness of the working relationship between the GDC and NHSCFA will be ensured through regular contact, both formally and informally, at all levels up to and including senior management of the respective Parties.
Any dispute between the GDC and NHSCFA will normally be resolved at an operational level. If this is not possible, it may be referred to a senior manager on behalf of each Party who will try to resolve the issues within 14 days of the matter being referred to them.
Unresolved disputes may be referred upwards through those responsible for operating this agreement, up to and including the Chief Executive Officer or Managing Director (or equivalent) of each Party, who will be jointly responsible for ensuring a mutually satisfactory resolution.
Both Parties agree to report immediately instances of breaches of any of the terms of this agreement especially of the confidentiality obligations and to raise an appropriate security incident should such a breach occur.
Point of contact
The Parties agree to, when possible, share information and intelligence using a single point of contact (SPOC). The single point of contact will be responsible for sending and receiving shared information, and will act as facilitator for enquiries (however, this person may not necessarily be the end user or processor of the information).
Both Parties acknowledge that points of contact within either Party may differ over time due to the nature of investigative activities and the appropriateness of Party involvement. Both Parties may nominate an appropriate alternative point of contact for day-to-day communication and/or joint-working in the event of an NHSCFA investigation taking place which involves a specialised area of business, specialist knowledge or a particular expertise. The nominated person(s) will therefore act as single point of contact for investigation purposes. A single point of contact who understands criminal investigation procedures and what is required to a criminal standard is essential to enable investigators to exchange crucial information in a timely manner, to prevent contradictory information being exchanged, and to ensure delays are minimised.
The single point of contact for the GDC (who will have responsibility for nominating an appropriate alternative point of contact for day-to-day communication and/or joint-working in the event of an NHSCFA investigation) will be:
The single point of contact for NHSCFA (who will have responsibility for nominating an appropriate alternative point of contact for day-to-day communication and/or joint-working in the event of an NHSCFA investigation) will be:
Types of information
Both Parties agree to abide by the Data Sharing Code of Practice produced by the Information Commissioners Office, and recognise their respective responsibilities as public bodies under the General Data Protection Regulation (GDPR) 2016, Data Protection Act 2018 and the Freedom of Information Act 2000.
The GDPR 2016 essentially defines the following classes of information relevant to this agreement; ‘personal data’, ‘special categories’ and ‘personal data relating to criminal convictions and offences’.
The Caldicott Information Governance Review 2013, commissioned by the Department of Health, introduced the term ‘personal confidential data’ across the healthcare system to widen the interpretation of ‘personal data’ and ‘sensitive data’ for patient identifiable information.
Personal data are defined as “…any information relating to an identified or identifiable natural person; an identifiable natural person (data subject) is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
The obtaining, handling, use and disclosure of personal data is principally governed by the GDPR 2016, Data Protection Act 2018, Article 8 of the European Convention on Human Rights, implemented in the UK through the Human Rights Act 1998, and the common law duty of confidentiality.
The law imposes obligations and restrictions on the way personal data is processed (in this context processing means any operation or set of operations which is performed on personal data , whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,) and the data subject has the right to know who holds their data and how such data are or will be processed, including how such data are to be shared.
Special Category Data
Certain types of data are referred to as “special categories of personal data’ or ‘sensitive personal data”. These are data which relate to the data subject’s:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data ;
- sexual life
Additional and more stringent obligations and restrictions apply whenever sensitive or special category personal data is processed.
Data Relating to Criminal Convictions and Offences
Processing of personal data relating to criminal convictions and offences or related security measures is carried out under Article 6 and Article 10 of the GDPR and under Part 3 and Schedule 2 of the Data Protection Act 2018.
Personal confidential data
In 2013 the Department of Health published the Caldicott Information Governance Review, which was an independent review of how information about patients is shared across the health and care system. The review introduced the term ‘personal confidential data’ to describe ‘personal’ and ‘sensitive’ information about identified or identifiable patients, which should be kept private or secret. The Caldicott Information Governance Review can be found at:
Under the GDPR 2016, controller means any ‘natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.’ All data controllers are required to comply with the GDPR 2016 whenever they process personal data. At all times, when providing data to partners, the partner responsible for delivering a service will be considered the “data controller”.
Under the framework of the agreement, the parties are each data controllers in their own right. The GDC is a data controller in respect of the organisation’s information and accordingly the NHSCFA is data controller in respect of the information it holds. It is not the intention of either organisation that they will act as joint data controllers at any time of any shared data. When sharing information each organisation will retain distinct legal responsibility for the handling of information that it acquires for the purpose of its statutory functions.
The Parties agree and acknowledge that they collect and store information.
The Parties agree to share information to assist with the performance of their statutory functions.
When the giving Party discloses information to the receiving Party, that information shall be disclosed for the purposes of the prevention, detection, investigation and prosecution of fraud or any other unlawful activity affecting the NHS, as set out in the NHS Counter Fraud Authority (Establishment, Constitution and Staff and Other Transfer Provisions) Order 2017, which can be found at:
Where the giving Party shares information with the receiving Party, it may share the information in any manner it considers appropriate, although the receiving Party may from time to time make recommendations to the giving Party as to the most practicable means by which information may be shared.
If the Parties wish to share information electronically, it will be in a mutually compatible IT format and shared in a secure method.
In relation to the sharing of information, the Parties shall take all measures necessary to ensure their respective compliance with all relevant legislation, including, but not limited to, regulations or restrictions regarding disclosure of information to third parties. The Parties will be responsible for processing information in accordance with all applicable data privacy and related regulations (Article 5 of the General Data Protection Regulation 2016).
Legal Basis for Sharing
In writing this Agreement due attention has been paid to the views of the Parties where possible, and all guidance has been written to ensure that the disclosure, access, storage and processing of shared information is accurate, necessary, secure, legal and ethical, taking into account relevant legislation and approved guidance where applicable, including:
- NHS Act 2006;
- General Data Protection Regulation 2016
- Access to Health Records Act 1990;
- Human Rights Act 1998;
- Freedom of Information Act 2000;
- Data Protection Act 2018;
- Equality Act 2010;
- Computer Misuse Act 1990;
- Confidentiality: NHS Code of Practice;
- Common Law Duty of Confidentiality.
The Secretary of State for Health has responsibility to make arrangements for healthcare provision nationally and to comply with legislation. The Secretary of State for Health, acting through NHSCFA, has a responsibility to ensure healthcare provision is protected from fraud and other unlawful activities. It is therefore appropriate that information relating to the administration of NHS business may be used for these purposes provided that the requirements of law and policy are satisfied.
Information shared between the Parties will only be used for the purpose(s) specified in this Agreement and its use by NHSCFA will comply with the NHSCFA information security policy.
Part 10 of the NHS Act 2006 makes provision for the protection of the NHS from fraud and other unlawful activities. The NHS Act 2006 confers powers upon NHSCFA, as the statutory body responsible for tackling crime across the NHS, to require the production of information or data from an NHS contractor (defined as any person or organisation providing services of any description under arrangements made with an NHS body) in connection with the exercise of the Secretary of State for Health’s counter fraud functions.
Operational work undertaken by NHSCFA is carried out under Article 6, para (e), Article 9(2) paras (f) and/or (g) and Article 10 of the GDPR 2016 and Part 3 and Schedule 2 Part 1 of the Data Protection Act 2018, for the prevention and detection of crime; under Part 10 of the NHS Act 2006, for the protection of the NHS from fraud and other unlawful activities; and in accordance with the powers contained in part 4 of the NHS Counter Fraud Authority (Establishment, Constitution, and Staff and other Transfer Provisions) 2017 and such directions as the Secretary of State for Health may give. These can be found at:
NHS Act 2006, Part 10:
General Data Protection Regulation 2016
Data Protection Act 2018, Part 3:
Secretary of State for Health’s counter fraud functions:
Information or data shared between GDC and NHSCFA may be used by the Parties for criminal prosecution purposes if the information or data demonstrates evidence of fraud or other unlawful activities against the NHS and/or the information forms a material part of an investigation. Criminal prosecution will be undertaken by NHSCFA and the Crown Prosecution Service and/or referred to the Police.
Access and Individual Rights
Freedom of Information
The Parties are subject to the Freedom of Information Act 2000. The principles of the Freedom of Information Act 2000 apply and nothing provided in this Agreement is confidential to the Parties to this Agreement. Information relating to NHS business processed by the Parties is essentially public sector information; therefore this information may be subject to Freedom of Information enquiries but only by going through the Parties own Freedom of Information process. It is up to the recipient Party to disclose information, or to authorise the disclosure of information, under the terms of the Freedom of Information Act 2000. Public sector information which is subject to the provisions of the Freedom of Information Act 2000 cannot be accessed under Freedom of Information processes by going directly to a third party data processor.
Under the Freedom of Information Act 2000, individuals can make a request to the Parties for information to be disclosed. This is called a Freedom of Information Request. Requests must be put in writing to the recipient Party following their official Freedom of Information Request process. Requests will be considered by the Party’s Information Governance representative and a decision will be made as to the legality and appropriateness of information disclosure.
Subject Access Requests
The Parties are subject to the GDPR 2016 and the Data Protection Act 2018. Under the GDPR 2016 and the Data Protection Act 2018, data subjects can ask to see the information that is held on computer and in some paper records about them. This is called a Subject Access Request. If data subjects wish to know what information is held about them, requests must be submitted to the recipient Party following their official Subject Access Request process. Requests will be considered by the Party’s Information Governance representative and a decision will be made as to the legality and appropriateness of information disclosure.
Complaints regarding Data
Complaints from data subjects about personal or sensitive information held by the Parties must be made in writing to the person or organisation holding the information, detailing the reasons for the complaint. Complaints must be put in writing to the relevant person or organisation following their official complaints process.
Security of information
The GDC and NHSCFA are registered with the Information Commissioner’s Office on the Data Protection Register. Registration entry can be found at:
General Dental Council Registration number: Z5678190
NHS Counter Fraud Authority Registration number: ZA290744
Regardless of the type of information being accessed, processed and stored, security is considered of paramount importance. All information held by the Parties are held on secure servers, with access restricted to internal use by appropriately authorised members of staff. As data controllers for the information they collect, the Parties are expected to treat all information in accordance with the GDPR 2016 and the Data Protection Act 2018 and ensure that security is in place sufficient to protect the information from unauthorised access. This includes physical security, such as adhering to organisational clear desk policies and adequate protection for premises when unattended, to IT related security such as passwords, secure IDs and secure servers.
It is understood that the Parties may have differing security needs, however it is important that all reasonable steps are made to ensure information is kept private and confidential at all times. Each Party is expected to comply with their own Information Security Policy and operating procedures and to make staff aware of their obligations in this respect. As administrators of NHS business, the Parties are also expected to comply with the standard requirements in the NHS Code of Practice for Information Security Management and the NHS Information Governance Guidance on Legal and Professional Obligations, which can be found at:
Each Party’s responsible officer will ensure that their staff know, understand and guarantee to maintain the confidentiality and security of the information and will ensure that anyone involved with the processing of the information is aware of the penalties for wrongful disclosure.
Due to the sensitive nature of operational work carried out by the Parties, much of the information held by the Parties is of a sensitive nature and is classified by central government as “Official’ or ‘Official Sensitive’. NHSCFA uses the Public Services Network (PSN) in its operations and in so doing complies with the standard requirements in the code of conduct for Government Connect.
The GDC is Cyber Essential Plus accredited.
If there is a need for the Parties to disclose or supply information to other law enforcement agencies, government departments and agencies, or any specified external body for the purposes of anti-crime activities, full records will be kept of when and what information is disclosed or supplied to external bodies.
The Parties must take appropriate technical and organisational measures against unauthorised or unlawful accessing and/or processing of information and against accidental loss or destruction of, or damage to, information. This will include:
- appropriate technological security measures, having regard to the state of technology available and the cost of implementing such technology, and the nature of the information being protected;
- secure physical storage and management of non-electronic information;
- password protected computer systems;
- ensuring information is only held for as long as is necessary, in line with data protection obligations; and
- appropriate security on external routes into the organisation, for example internet firewalls and secure dial-in facilities.
Each Party is responsible for its own compliance with security in respect of the GDPR 2016 and Data Protection Act 2018, irrespective of the specific terms of this Agreement.
The physical and technical security of the information will be maintained at all times. No disclosable information will be sent by fax or email (unless vis PSN or NHS.net networks) and, if posted, will be encrypted to approved standards to protect the information and dispatched by Royal Mail Special Delivery service or by courier.
Access to the information will be restricted to those staff with a warranted business case. Access to information will be via restricted-access password protection and be capable of audit. The means of access to the information (such as passwords) will be kept secure.
The preferred method of information transfer for general enquiries, general communications and small data attachments (for example MS or PDF files not exceeding 15MB) will be by email (via PSN). NHSCFA uses Egress Switch to send data securely using the ‘official (official-sensitive)’ marking under the Government Classification Scheme.
The preferred method of information transfer for large volume information sharing (such as downloads of complete datasets where size exceeds 15MB) will be by Egress Switch or by saving the information to a removable media device (for example, a USB stick, pen drive or CD) and dispatching the device to the receiving Party, either by Royal Mail Special Delivery service or by courier. The removable media device must be encrypted to approved standards to protect the information and the information itself must be password protected. Un-encryption processes and passwords will be disclosed separately upon receipt of the removable media device and the information it contains.
Laptops used to access information must be encrypted and secured to an HM Government approved or recognised level, commensurate with the level of the protective marking of the information involved as will any network they are connected to.
The Parties may be required to provide copies of any audits conducted during the period of the Agreement, including any audit arrangements or implementation plans.
Retention of information
Information shall be stored in accordance with the Parties’ records retention and disposal schedule.
In the absence of a records retention and disposal schedule, or a statutory retention period, the information shall not be retained for longer than is necessary to fulfil the specified purpose or purposes.
Breach and Dispute Procedures
The Parties agree to report immediately instances of breaches to any of the terms of this Agreement and to raise an appropriate security incident.
Any disputes arising between the giving and receiving Parties will be resolved initially between the principles of this Agreement. Otherwise, outstanding issues will be referred to an executive group established on behalf of each party.
The parties will maintain an information sharing log in respect of the agreement.
The log will contain:
- A record of information disclosed to the other party;
- The justification of decisions to disclose or not to disclose;
- A record of the outcome of any referral made and the outcomes of the referral;
- An access list recording the authorising officer;
- Notes of meetings with partners;
- A record of any review of the agreement.
Duration and review
This agreement shall commence on the date of its signature by the Parties and will remain in effect for a term of one year unless it is terminated, re-negotiated or superseded by a revised document.
At the end of one year following the commencement of the agreement, the agreement will be formally reviewed by both Parties, and will be reviewed again no less frequently than on each anniversary of its signing. Each annual review will:
- report on actions arising from the operation of this agreement within the preceding 12 months;
- review the effectiveness of this agreement in achieving its aims, and make amendments where necessary;
- refresh operational protocols where necessary;
- identify areas for future development of the working arrangements; and
- ensure the contact information for each organisation is accurate and up to date.
Following each annual review, the agreement shall automatically renew for a further period of one year, unless terminated or re-negotiated by either Party.
Either Party may terminate or re-negotiate this agreement at any time upon giving the other Party one month’s notice in writing of its intention to do so.
This agreement is not legally binding and is not intended to create legal relationships between the Parties.
This agreement is made on the 12th of March 2021.