Information governance in dental practices

It's important to be up to date with best practice in data processing, information security and record retention.

  • Without a solid information governance framework in place, you may be at risk of breaching data protection law.
  • This could lead to financial penalties and the possibility of investigation by a regulator, as well as the risk of a breakdown in patient trust.

The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR).

Everyone responsible for using personal data has to follow strict rules called 'data protection principles'. They must make sure the information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

Is GDPR the same as the Data Protection Act 2018?

Whereas the Data Protection Act only relates to information used to identify an individual or their personal details, GDPR broadens that scope to include online identification markers, location data, genetic information and more.

Personal data

  • Names
  • Addresses
  • Date of birth
  • Bank details
  • Email addresses

Special category data

  • Biometric data for security purposes
  • Race
  • Religion
  • Sexual orientation
  • Medical information
  • Trade union membership
  • Criminal offence data

The Department of Health issued an information governance toolkit in 2018 which lists the following requirements:

  • information governance management
  • confidentiality and data protection assurance
  • information security assurance.

When should a dentist register with the ICO as a data controller?

A data controller is someone within the practice who is responsible for data processing.

It can be difficult to decide who is responsible for data processing, because of the complex ways in which practices can be organised.

The Information Commissioner's Office (ICO) suggests that a dental professional who can answer yes to any of the following questions is likely to be a data controller, and needs to register with the ICO.

  • Are you responsible for the control and security of patient records, and do you have other responsibilities associated with the data?
  • Do you have a patient list, separate from the practice in which you treat patients, that would follow you if you left?
  • Do you treat the same patient at different practices?
  • If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter?

Maintaining general information security

Make sure you have an information security policy in place and that all staff are given clear guidance on the disclosure of personal information.

Review the policy regularly so that it is kept relevant and fit for purpose. Points to cover include:

  • the need for a signed written contract with all third-party suppliers, including IT contractors, setting out your confidentiality requirements
  • rules relating to the use of home computers or mobile devices, and proper implementation of tools for appropriate scanning, security software and encryption.

The DDU advises that you keep personal and professional computers and mobile devices entirely separate, to avoid confidentiality breaches.

See our guide to protecting patient data for more information.

How long should clinical records be retained?

Your practice should have a retention policy which applies to both electronic and paper records and notes. This can be a short document or schedule which lists when personal data should be destroyed.

Data protection law states that personal data should be retained for no longer than is necessary.

We recommend that NHS and private clinical records should be reviewed:

  • 10 years after the last entry for adults
  • 10 years after the last entry for children or when they reach age 25, whichever is the longer.

When reviewing the records, you can take a decision to either destroy the records or retain them for longer. Holding onto records in difficult cases may prove to be an important part of your defence if you receive a claim.

Destroying records

  • Records that are no longer needed must be destroyed in a way that preserves patient confidentiality, such as cross-cut shredding of hard copy records.
  • Seek specialist advice before disposing of IT equipment that has been used to store electronic patient records.

If you have any specific concerns about information governance within your dental practice, contact the DDU.

This page was correct at publication on 20/08/2020. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.