Information governance in dental practices

It's important to be up to date with best practice in data processing, information security and record retention.

Information is a vital asset, and it is therefore of paramount importance that it is effectively managed with appropriate policies, procedures, structures, and accountability.

  • Without a solid information governance framework in place, you may be at risk of breaching data protection law.
  • This could lead to financial penalties and the possibility of investigation by a regulator, as well as the risk of a breakdown in patient trust.
  • Appointing a practice information governance lead can be helpful.

The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR). GDPR sets out six 'data protection principles' which everyone responsible for using personal data must adhere to. These require that information is:

  • used fairly, lawfully and transparently (your practice privacy notices should explain this)
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant, and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage.

Is GDPR the same as the Data Protection Act 2018?

Whereas the Data Protection Act only relates to information used to identify an individual or their personal details, GDPR broadens that scope to include online identification markers, location data, genetic information and more.

What constitutes 'personal data'?

  • Names
  • Addresses
  • Date of birth
  • Bank details
  • Email addresses
  • Telephone numbers

What constitutes 'special category data'?

  • Biometric data for security purposes
  • Race
  • Religious beliefs
  • Sexual orientation
  • Medical information
  • Trade union membership
  • Criminal offence data

When should a dentist register with the ICO as a data controller?

A data controller is someone within the practice who is responsible for data processing and who must report a data breach to the ICO without undue delay, and no later than 72 hours after becoming aware of the breach.

It can be difficult to decide who is responsible for data processing, because of the organisational structure of practices. However, the Information Commissioner's Office (ICO) suggests that a dental professional who can answer 'yes' to any of the following questions is likely to be a data controller, and needs to register with the ICO:

  • Are you responsible for the control and security of patient records, and do you have other responsibilities associated with the data?
  • Do you have a patient list, separate from the practice in which you treat patients, that would follow you if you left?
  • Do you treat the same patient at different practices?
  • If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter?

How to maintain information security

NHS Digital has an online data security and protection self-assessment toolkit. This helps organisations measure their performance against the National Data Guardian's ten data security standards, as well as letting them publish the results.

Make sure you have an information security policy in place. All staff with access to personal data should be given clear guidance on the disclosure of personal information.

Review the policy regularly so that it is kept relevant and fit for purpose. Points to cover include:

  • the need for a signed written contract with all third party suppliers, including IT contractors, setting out your confidentiality requirements
  • rules on the use of home computers or mobile devices, and proper implementation of tools for appropriate scanning, security software (including data backup) and encryption of data.

We advise keeping personal and professional computers and mobile devices entirely separate, to avoid confidentiality breaches.

See our guide to protecting patient data for more information.

How long should clinical records be retained?

Your practice should have a data retention policy that applies to both digital and paper records and notes. This can be a short document or schedule listing when personal data should be destroyed, and it should be reviewed regularly.

Data protection law states that personal data should be retained for no longer than is necessary.

We recommend that NHS and private clinical records should be reviewed:

  • 11 years after the last entry for adults
  • 11 years after the last entry for children or when they reach age 25, whichever is longer.

Record retention schedules may differ according to the jurisdiction:

NHS England 2021

NHSX Records Management

  • Adults: 15 years after date of last entry
  • Children: up to 25th or 26th birthday

Scotland 2020

SG HSC Scotland Records Management Code of Practice 2020

  • Adults: 10 years
  • Children: 10 years or up to 25th/26th birthday rule, whichever is longer

Wales 2020

HEIW records management policy Jan 2020

  • Adults: 10 years
  • Children: 10 years or up until their 25th birthday

Northern Ireland

Good Management, Good Records - disposal schedule

Community dental services

  • Adults: 11 years
  • Children: until the patient's 25th birthday (or 26th if the young person was 17 at the conclusion of treatment), or 11 years after the last entry, whichever is longer; or eight years after death if death occurred before the 18th birthday.

Hospital dental records

  • Adult: eight years
  • Children and young people: until the patient's 25th birthday (or 26th if the young person was 17 at the conclusion of treatment), or eight years after death.

General dental services and orthodontics

  • Six years

When reviewing the records, you can decide to either destroy them or retain them for longer. Holding onto records in difficult cases may prove to be an important part of your defence if you receive a claim.

Destroying records

  • Records that are no longer needed must be destroyed in a way that preserves patient confidentiality, such as cross-cut shredding hard copy records.
  • Seek specialist advice before disposing of IT equipment that has been used to store electronic patient records.

If you have any specific concerns about information governance within your dental practice, contact the DDU.

This page was correct at publication on 02/03/2022. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.