Privacy & Data Protection Policy

P8a Data Protection Practice Statement

This dental practice is committed to ensuring the security of personal data held by the practice. This policy is issued to all staff with access to personal data at the practice and will be given to new staff during their induction. If any member of the team has concerns about the security of personal data within the practice, they should contact the practice manager.

All members of the team must comply with this policy.

Confidentiality
  • All employment contracts and contracts for services contain a confidentiality clause, which includes a commitment to comply with the practice confidentiality policy.
  • Access to personal data is on a ‘need to know’ basis only. Access to information is monitored and breaches of security will be dealt with swiftly by the practice manager.
  • We have procedures in place to ensure that personal data is regularly reviewed, updated and, when no longer required, deleted in a confidential manner. For example, we keep patient records for at least 11 years or until the patient is aged 25 – whichever is the longer.
Physical Security Measures
  • Personal data is only removed from the practice premises in exceptional circumstances and when authorised by the practice manager. If personal data is taken from the premises it must never be left unattended in a car or in a public place.
  • Records are kept in a lockable fireproof cabinet, which is not easily accessible by patients and visitors to the practice.
  • Efforts have been made to secure the practice against theft by, for example, the use of intruder alarms, lockable windows and doors.
  • The practice has in place a business continuity plan in case of a disaster. This includes procedures for protecting and restoring personal data.
Information Held on Computers
  • Appropriate software controls are used to protect computerised records, for example the use of passwords and encryption. Passwords are only known to those who require access to the information, are changed on a regular basis and are not written down or kept near or on the computer for others to see.
  • Daily and weekly back-ups of computerised data are taken and stored in a fireproof container, off-site. Back-ups are also tested at prescribed intervals to ensure that the information being stored is usable should it be needed.
  • Staff using practice computers undertake computer training to avoid unintentional deletion or corruption of information.
  • Dental computer systems have a full audit trail facility preventing the erasure or overwriting of data. The system records details of any amendments made to data, who made them and when.
  • Precautions are taken to avoid loss of data through the introduction of computer viruses.
Access to Information Held by the Practice

We may be asked to disclose information, documents or records held by the practice. Requests for personal information are made under data protection legislation and under freedom of information legislation for information about the NHS services provided by the practice.

Requests for personal information or for information about the practice that is not included in the practice information leaflet should be passed to the practice manager.

This policy describes who can request information, how they can request it, and the practice procedures for managing these requests.

Requests for Personal Information

Personal information is any information that allows an individual to be identified. This includes information where the individual is not named but a cross-reference to other information held by the practice would allow identification.

Data protection legislation allows individuals to request access to their personal information. Those eligible to request access include:

  • A person aged 16 years or older
  • The parents or guardians of a child under the age of 16 years and in connection with the health and welfare needs of the child
  • A child under the age of 16 years who has the capacity to understand the information held by the practice. Children aged 11 years and under are deemed too young
  • A third party, such as a solicitor, who has the written consent of the individual concerned – checks should be undertaken to ensure that the consent is genuine – for example, by checking the patient’s signature or contacting the patient directly to confirm that they have given consent for the information to be disclosed.

If a request concerns information about a deceased person, those eligible to request access include:

  • The administrator or executor of the deceased person’s estate
  • A person who has a legal claim arising from the person’s death – the next of kin, for example. The person should explain why the information requested is relevant to their claim.

If the information requested includes information about third parties, it can be disclosed if the third party gives consent or is a health professional involved in the care of the patient.

The Request

The request must be made in writing and describe the type of information required with dates, if possible, and include sufficient information to ensure correct identification (name, address, date of birth, for example). You must check that the person asking for information has the right to do so and, if necessary, ask for proof of identity.

We will provide the requested information within one month of receiving the request or confirming the individual’s identity.

The Information

We will usually provide the information requested in electronic form using secure means, unless the individual asks for the information in paper format or it is otherwise agreed. The individual may also come to the practice to view the original version under supervision and on practice premises.

We will provide the information in a way that can be understood by the individual making the request and may need to provide an explanation to accompany dental clinical notes.

Unfounded or Excessive Requests

Where requests are manifestly unfounded or excessive (particularly if they are repetitive), we can:

  • Charge a reasonable fee taking into account the administrative costs of providing the information; or
  • Refuse to respond.

If we refuse to respond to a request, we will explain the reasons and inform the individual of their right to complain to the Information Commissioner’s Office and to a judicial remedy.

Requests for Information About the Practice

Freedom of information legislation allows anyone to ask for information about the provision of NHS services. The available information is described fully in the practice guide to information available under FOIA and the model publication scheme. If the requested information is part of a larger document, we will disclose only the relevant part.

A freedom of information request cannot include clinical records or financial records.

The Request

The request must be made in writing and should describe the information wanted, with dates if possible. The individual making the request does not have to give a reason.

The charges for information provided under a freedom of information request are included in the practice guide and the model publication scheme.

We will provide information within 20 working days of receiving the request or confirmation of identity or, if applicable, from the receipt of the fee. We will inform you if we need more time.

The Information

Most of the information covered by a freedom of information request is available in the practice information leaflet or on the practice website. Requests for other information should be referred to the practice manager. If we do not hold the information requested, we will inform the individual within the 20-working-day time limit.

We will provide information in a way that is convenient for the person who requested it, which may be in writing, by allowing the applicant to read it on the premises, or, if the information is held electronically, in a useable electronic format.

We are not required to respond to:

  • Vexatious requests for information, for example, requests that are designed to cause inconvenience, harassment or expense.
  • Repeated requests for the same or similar information (unless the information changes regularly, for example performance or activity information).

In either situation, you should seek advice from the practice manager.

If you want more information or if you have any questions please contact the practice manager, Karenza Stribley, on 01409 253684.