Protecting patient data

Data protection law imposes a legal duty on those responsible for personal data to store it securely and protect it from unauthorised or unlawful processing.

Dental practices are directly responsible for the data held on patients, and those who are data controllers in the practice must be registered with the Information Commissioner's Office (ICO).

The GDC's Standard 4.5 states that you must "keep patients' information secure at all times, whether your records are held on paper or electronically."

It also says that "you must make sure that patients' information is not revealed accidentally and that no-one has unauthorised access to it by storing it securely at all times. You must not leave records where they can be seen by other patients, unauthorised staff or members of the public."

Data storage on portable devices

While data controllers are primarily responsible for the security of patient data, individual dental professionals have an ethical duty of patient confidentiality, and must keep patient data from being mislaid or accidentally disclosed.

Failure to do so may result in a patient complaint or even a GDC investigation.

The DDU advises that all dental professionals consider the following points to protect patient data.

  • Avoid storing identifiable personal data on personal mobile devices, such as memory sticks, laptops or personal mobile phones, which risk being misplaced or accessed by other people. If you need to work on confidential documents at home, discuss and agree what you can do with the data controller.
  • Make sure all staff are familiar with the workplace information security policy, including the name of the person in charge of data security.
  • Don't store professional data on your personal computer; it could lead to breaches of confidentiality if someone else uses the computer.
  • Be aware of relevant guidance, such as that provided by the GDC and the NHS, as well as your legal requirements to protect confidentiality. See also NHS Digital's Codes of practice for handling information in healthcare.
  • Any loss of data should be reported to the nominated person within your practice or organisation straight away, so that any necessary action can be taken to avoid further breaches and inform patients.

Storing patient data in a data cloud

What is a data cloud?

Cloud computing services allow your data to be stored on a virtual, off-site server run by a third party.

The benefits are that you can access the data from any computer with an internet connection. Of course, with increased convenience come significant security and confidentiality considerations.

ICO guidance

The ICO's guidance on cloud computing advises that "you need to check that the security and availability of the service is right for the types of files you want to upload."

Data controllers should review the personal data they process and decide if there is any data that shouldn't be put in the cloud - for example, because specific assurances were given when the data was collected.

The ICO also recommends considering the following questions before opting for a data cloud as a storage method.

  • Will data be encrypted when in transit?
  • What are the deletion and retention timescales and will the data be deleted securely if you withdraw from the cloud?
  • What audit trails are in place so you can monitor who is accessing the data?
  • In which countries does the provider process data?
  • Will there be a written contract in place that includes confidentiality clauses?

Advice on sharing and transferring data

NHSX's guidance on information sharing states, "Ensure information is transferred securely when it is shared with others, for example, via NHSmail." NHS Digital's guidance advises NHSmail users that the NHSmail encryption feature must be used if sending confidential information to a non-secure email address.

NHSX also explains that if you do not have access to NHS Mail, a secure messaging app or online document sharing system and need to use an alternative email account (which may not be secure) consider password protecting documents and sharing the passwords via a different channel, like text.

Do I need patient consent?

ICO guidance states that organisations using cloud computing should take appropriate steps to tell their customers about processing arrangements, and be as open as possible.

Private patients

If you provide private treatment, we recommend you adhere to the same levels of security as those implemented by the NHS.

Encryption and password protection of data held on mobile devices would be considered to be standard practice, and the same would apply to data stored in a data cloud.

See our introduction to good record keeping for more on electronic storage of patient data.

Useful links

  1. NHSX - Use and share information with confidence
  2. NHS Digital - Codes of practice for handling information in health and care
  3. NHS Digital - NHS and social care data: off-shoring and the use of public cloud services
  4. Gov.uk guidance - use cloud first
  5. NHS Digital - Guidance for sending secure email (including to patients)

This page was correct at publication on 27/09/2021. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.