In the days of paper records, information security consisted of a locked filing cabinet and ensuring you were not overheard chatting about a patient at the reception desk. Today, electronic storage of dental records is the norm, but with it comes the need to ensure effective and secure information governance systems.
Some dental professionals are considering using cloud computing services to store their electronic data. Instead of data being stored locally on the hard drive of your computer, the data is stored on a virtual, off-site server run by a third party.
The internet provides the connection between your computer and the database, which has the advantage that you can access the data from any computer with an internet connection. While cloud computing may offer increased convenience at a reduced cost, there are significant security and confidentiality considerations to be taken into account before opting for this method of storing confidential dental information.
Protecting patient data
The Data Protection Act 1998 (DPA) imposes a legal duty on those responsible for personal data to ensure it is held secure and protected from unauthorised or unlawful processing. Dental practices are directly responsible for the data held on patients and those who are data controllers in the practice must be registered with the Information Commissioner's Office. Section 55 of the DPA makes it a criminal offence to obtain or disclose personal data unlawfully.
The GDC's Principles of Patient Confidentiality says you must "protect the confidential information you are responsible for when you receive it, store it, send it or get rid of it". It adds you should "store records securely and don't leave them where they might be seen by other patients, unauthorised healthcare staff or members of the public".
Can personal data be stored in a data cloud?
The Information Commissioner's Office (ICO) has published Guidance on the use of cloud computing, which advises data controllers to take time to understand the data protection risks involved. The guidance suggests that anyone planning to use a cloud computing service considers whether "the processing of certain types of personal data could have a greater impact on individuals' privacy". It suggests that data controllers review the personal data they process and decide whether there is any data that shouldn't be put in the cloud, for example because specific assurances were given when the personal data was collected (paragraph 38).
The ICO guidance also provides a checklist of questions to consider before opting for this method of storing data, such as:
- Will data be encrypted when in transit?
- What are the deletion and retention timescales and will the data be deleted securely if you withdraw from the cloud?
- What audit trails are in place so you can monitor who is accessing the data?
- Which countries does the provider process data in? The DPA prohibits transfer of personal data outside the EU.
- Will there be a written contract in place which includes confidentiality clauses?
The Department of Health has said (in a letter to all Information Officers at Strategic Health Authorities from Matthew Swindells, Director General, Information and Programme Integration, DoH, 30 January 2008) that "the movement of unencrypted data held in electronic format should not be allowed in the NHS" and "wherever possible, person identifiable data should always be stored on a secure server." If you work in private practice we recommend that you adhere to the same levels of security as those implemented in the NHS. Encryption and password protection of data held on mobile devices would be considered standard practice, and the same would apply to data stored in a data cloud.
Do I need the patient's consent?
The ICO guidance says that organisations using cloud computing should take appropriate steps to tell their customers about the processing arrangements and that they should be as open as possible (paragraph 48).
The DPA requires that personal data should only be handled in ways people would reasonably expect. It is questionable whether patients would expect sensitive medical information to be held in an off-site storage facility not under direct control of the dental professional involved in their care.
In the DDU's view it would therefore be necessary to seek the consent of each patient to store their data in such a way, making patients aware of any risks involved, and as far as possible, in which countries the data will be stored.
While the concept of cloud computing may be an attractive one, because of the convenience of being able to access data from any computer, at the present time, in the absence of specific consent from patients to hold data in the cloud, the potential security risks of doing so may outweigh the benefits.
This guidance was correct at publication 26/03/2014. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.