Protecting patient data

Protecting data

22 May 2018

Data protection law imposes a legal duty on those responsible for personal data to store it securely and protect it from unauthorised or unlawful processing.

Dental practices are directly responsible for the data held on patients, and those who are data controllers in the practice must be registered with the Information Commissioner's Office (ICO).

The GDC's Standards for the dental team state that you must 'keep patients' information secure at all times, whether your records are held on paper or electronically.'

It also says that 'you must make sure that patients' information is not revealed accidentally and that no-one has unauthorised access to it by storing it securely at all times. You must not leave records where they can be seen by other patients, unauthorised staff or members of the public'.

Data storage on portable devices

While data controllers are primarily responsible for the security of patient data, individual dental professionals have an ethical duty of patient confidentiality, and must keep patient data from being mislaid or accidentally disclosed.

Failure to do so may result in a patient complaint or even a GDC investigation.

The DDU advises that all dental professionals consider the following in order to protect patient data:

  • Avoid storing identifiable personal data on personal mobile devices, such as memory sticks, laptops or personal mobile phones, which risk being misplaced or accessed by other people. If you need to work on confidential documents at home, discuss and agree what you can do with the data controller.
  • Make sure all staff are familiar with the workplace information security policy, including the name of the person in charge of data security.
  • Don't store professional data on your personal computer; it could lead to breaches of confidentiality if someone else uses the computer.
  • Be aware of relevant guidance, such as that provided by the GDC and the NHS, as well as your legal requirements to protect confidentiality.
  • Any loss of data should be reported to the nominated person within your practice or organisation straight away, so that any necessary action can be taken to avoid further breaches and inform patients.

Storing patient data in a data cloud

What is a data cloud?

Cloud computing services allow your data to be stored on a virtual, off-site server run by a third party.

The benefits are that you can access the data from any computer with an internet connection. Of course, with increased convenience come significant security and confidentiality considerations.

ICO guidance

The ICO's guidance on cloud computing advises that anyone planning to use cloud computing to store patient data considers whether the 'processing of certain types of personal data could have a greater impact on individuals' privacy'.

Data controllers should review the personal data they process and decide whether there is any data that shouldn't be put in the cloud – for example, because specific assurances were given when the data was collected.

The ICO also recommends considering the following questions before opting for a data cloud as a storage method:

  • Will data be encrypted when in transit?
  • What are the deletion and retention timescales and will the data be deleted securely if you withdraw from the cloud?
  • What audit trails are in place so you can monitor who is accessing the data?
  • In which countries does the provider process data?
  • Will there be a written contract in place which includes confidentiality clauses?

NHS Digital's guide to data handling and good practice states that 'data transfers should always be carried out over existing, protected and trusted NHS networks, however there may be occasions where data will need to be transferred over other networks. On these occasions the data files must be protected by encryption'.

Do I need patient consent?

ICO guidance states that organisations using cloud computing should take appropriate steps to tell their customers about processing arrangements, and be as open as possible.

Private patients

If you provide private treatment, we recommend you adhere to the same levels of security as those implemented by the NHS.

Encryption and password protection of data held on mobile devices would be considered to be standard practice, and the same would apply to data stored in a data cloud.

See our introduction to good record keeping for more on electronic storage of patient data.

This guidance was correct at publication 22/05/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.


Login to comment

Be the first to comment