We have placed cookies on your device to help make this website better.
If you choose to customise the site it will help you to find the most relevant content for your needs. You will still be able to access all content on the site.
0800 374 626
7 August 2017
The Data Protection Act 1998 (DPA) imposes a legal duty on those responsible for personal data to store it securely and protect it from unauthorised or unlawful processing.
Dental practices are directly responsible for the data held on patients, and those who are data controllers in the practice must be registered with the Information Commissioner's Office (ICO).
The GDC's Standards for the dental team state that you must 'keep patients' information secure at all times, whether your records are held on paper or electronically.'
It also says that 'you must make sure that patients' information is not revealed accidentally and that no-one has unauthorised access to it by storing it securely at all times. You must not leave records where they can be seen by other patients, unauthorised staff or members of the public'.
While data controllers are primarily responsible for the security of patient data, individual dental professionals have an ethical duty of patient confidentiality, and must keep patient data from being mislaid or accidentally disclosed.
Failure to do so may result in a patient complaint or even a GDC investigation.
The DDU advises that all dental professionals consider the following in order to protect patient data:
Cloud computing services allow your data to be stored on a virtual, off-site server run by a third party.
The benefits are that you can access the data from any computer with an internet connection. Of course, with increased convenience come significant security and confidentiality considerations.
The ICO's guidance on cloud computing advises that anyone planning to use cloud computing to store patient data considers whether the 'processing of certain types of personal data could have a greater impact on individuals' privacy'.
Data controllers should review the personal data they process and decide whether there is any data that shouldn't be put in the cloud – for example, because specific assurances were given when the data was collected.
The ICO also recommends considering the following questions before opting for a data cloud as a storage method:
NHS Digital's guide to data handling and good practice states that 'data transfers should always be carried out over existing, protected and trusted NHS networks, however there may be occasions where data will need to be transferred over other networks. On these occasions the data files must be protected by encryption'.
ICO guidance states that organisations using cloud computing should take appropriate steps to tell their customers about processing arrangements, and be as open as possible.
If you provide private treatment, we recommend you adhere to the same levels of security as those implemented by the NHS.
Encryption and password protection of data held on mobile devices would be considered to be standard practice, and the same would apply to data stored in a data cloud.
See our guide to computer-held records for more on electronic storage of patient data.
This guidance was correct at publication 07/08/2017. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.
Be the first to comment
© 2018 The DDU
We have detected you are in and some website content may have been personalised to be more relevant to you.
You can change your region setting here or at the top of the page.