When attending the practice for dental care, patients provide us with personal information about their health on the understanding that we keep this information confidential and that it will not be divulged without the patient’s consent. Most patients would probably be reluctant to provide personal health information if they believed it would be passed on.
In addition to practice systems for storing this information securely, each member of the team is under a strict duty to maintain the confidentiality of all personal information held by the practice.
The duty of confidentiality
Your contract of employment or contract for services at the practice requires you to maintain the confidentiality of patient information. A breach of this requirement could end your employment with the practice or contract for services.
For registrants, a breach of confidentiality may lead to an investigation by the GDC into their fitness to practise; individual registrants are responsible for their professional conduct. A patient may also bring legal action for damages.
Dentists may also be prosecuted for breaching statutory data protection requirements.
A patient’s personal information includes:
- The patient’s name, current and previous addresses, bank account/credit card details, telephone numbers, email address and other means of personal identification, including a physical description
- Information that a person is or has been a patient of the practice or attended, cancelled or did not attend an appointment on a certain day
- Information about the patient’s physical, mental or oral health or condition
- Information about the treatment that has been provided or is planned
- Information about family members and personal circumstances supplied by the patient
- The amount that was paid for treatment, the amount owing or the fact that the patient is a debtor to the practice.
Principles of confidentiality
Personal information about a patient is confidential to the patient and to those providing the patient with health care, who require the information to provide effective care and treatment.
Disclosures to third parties
You must not disclose personal information to third parties without the consent of the patient, unless it is required by law or the dentist is pursuing a bona fide legal claim against the patient and the information is required by a solicitor, court or debt-collecting agency. The responsibility for disclosure rests with the responsible dentist; other members of the team cannot take the decision to disclose.
Disclosure to government agencies
It may be right to disclose personal information without consent to government agencies, including HMRC, the police or social services. In all cases, you should obtain details of what information is needed and why. Only information that is necessary to comply with the law should be disclosed. You must always obtain professional advice before releasing information on these grounds.
NHS and private care
Disclosure of information is needed to:
- Transmit NHS claims/information to payment authorities such as the Business Services Authority for England and Wales
- Refer patients to another dentist or health care provider such as a hospital.
The practice privacy notices for patients, employees and associates describe the personal information that we collect, how we use it and how we store it safely and securely. Copies of the notices are available from the practice manager.
If you collect, use, store or destroy personal information, you should be familiar with the relevant privacy notice and ensure that you are dealing with the personal information as described in the notice.
Access to records
Patients can request access to their health records. The treating dentist should receive the request and the patient be given the opportunity to discuss the records before being given a copy; the patient’s identity must be checked and confirmed.
The copy of the record must be supplied within one month of the request.
Patients must make a written request for access to their medical records. No fee is payable (except if a patient makes multiple requests).
Everyone involved with recording information about patients attending the practice must ensure that records are:
- Contemporaneous and dated
- Accurate and comprehensive
- Neat, legible and written in ink
- Strictly necessary for the purpose
- Not derogatory
- Such that disclosure to the patient would be unproblematic
- Signed by the dentist.
Patients have the right to stop the practice sending marketing emails and to ask the practice to delete some information, such as contact details. Not all information can be deleted and requests to delete information must be managed in accordance with data protection laws. These requests must be passed to the practice manager for action.
- Records must be kept secure and in a location where it is not possible for other patients or individuals to read them
- Patients should not be able to see information contained in appointment books, day sheets or computer screens
- Discussions about patients must not take place in public areas of the practice
- When talking to a patient on the telephone or in person in a public area, sensitive information must not be overheard by other patients
- Messages about a patient’s care must not be left with third parties or left on answering machines. A message to call the practice is all that can be left
- Recall cards and other personal information must be sent in an envelope
- Identifiable information about patients must not be discussed with anyone outside of the practice including relatives or friends
- Demonstrations of the practice’s administrative/computer systems must not involve actual patient information
- Information about a patient’s appointment must not be given to third parties – for example, schools and employers – unless the patient has given consent
- Appointment books, record cards or other information must not be disclosed to police officers or HM Revenue and Customs officials without instruction by the responsible dentist.
If, after investigation, we find that you have breached patient confidentiality or have failed to follow this policy, you may be liable to summary dismissal in accordance with the practice disciplinary policy. A copy of the disciplinary policy is available from the practice manager.
Upon termination of your employment or contract for services, you must respect the confidentiality of all personal information held by the practice. You must not knowingly obtain or disclose personal information without the consent of the Data Protection Officer (DPO). If the practice believes that you have done so, we will inform the Office of the Information Commissioner; you may, as a consequence, be prosecuted by the Commissioner or the Director of Public Prosecutions.
DATA SECURITY POLICY
This dental practice is committed to ensuring the security of personal data held by the practice. This policy is issued to all staff with access to personal data at the practice and will be given to new staff during their induction. If any member of the team has concerns about the security of personal data within the practice, they should contact the practice manager.
All members of the team must comply with this policy.
- All employment contracts and contracts for services contain a confidentiality clause, which includes a commitment to comply with the practice confidentiality policy
- Access to personal data is on a ‘need to know’ basis only. Access to information is monitored and breaches of security will be dealt with swiftly by the practice manager.
- We have procedures in place to ensure that personal data is regularly reviewed, updated and, when no longer required, deleted in a confidential manner. For example, we keep patient records for at least 10 years or until the patient is aged 25 – whichever is the longer.
Physical security measures
- Personal data is only removed from the practice premises in exceptional circumstances and when authorised by the practice manager. If personal data is taken from the premises it must never be left unattended in a car or in a public place
- Records are kept in a lockable fireproof cabinet, which is not easily accessible by patients and visitors to the practice
- Efforts have been made to secure the practice against theft by, for example, the use of intruder alarms, lockable windows and doors
- The practice has in place a business continuity plan in case of a disaster. This includes procedures for protecting and restoring personal data.
Information held on computer
- Appropriate software controls are used to protect computerised records, for example the use of passwords and encryption. Passwords are only known to those who require access to the information, are changed on a regular basis and are not written down or kept near or on the computer for others to see
- Daily and weekly back-ups of computerised data are taken, off-site. Back-ups are also tested at prescribed intervals to ensure that the information being stored is usable should it be needed
- Staff using practice computers undertake computer training to avoid unintentional deletion or corruption of information
- Dental computer systems have a full audit trail facility preventing the erasure or overwriting of data. The system records details of any amendments made to data, who made them and when
- Precautions are taken to avoid loss of data through the introduction of computer viruses
- For back-up data stored on cloud computing facilities, we have in place a rigorous service level agreement with our cloud provider to ensure that all our obligations in this policy are fulfilled and that all information is secure.
Loss of patient information
- Any loss, damage to or unauthorised disclosure of patient information must be reported immediately to the Data Protection Officer.