This policy sets out Simpson and Nisbet Dental Centre’s rules and procedures to maintain strict confidentiality regarding personal information about patients. All practice team members are required by their contract of employment or contract for services to observe these rules and procedures. The relationship between dentist and patient is based on the understanding that any information about the patient will be treated in the utmost confidence and will not be divulged to a third party without the patient’s consent.
Patients have a right to privacy. It is vital that they have the confidence to give the dentist full information about their health in order to ensure that treatment carried out is appropriate and safe. The intensely personal nature of health information means that many patients may be reluctant to give full information to their dentist unless they are sure that the information will not be passed on. If confidentiality is breached, a dentist, hygienist, therapist, technician or nurse may face investigation by the General Dental Council (GDC) and possible erasure from the GDC register. They may also face legal action by the patient for damages, and for dentists, prosecution for breach of the 1998 Data Protection Act.
All staff must follow the GDC’s rules for maintaining patient confidentiality as set out in ‘Standards for Dental Professionals’ and ‘Principles of Patient Confidentiality’ whether they are registered with the GDC or not. If confidentiality is breached, each registered dental professional involved is responsible to the GDC for their individual conduct.
In a dental context, this includes:
- The patient’s name, address, bank account or credit card details, telephone number, email address or any means of personal identification such as photographs.
- The fact that the person is or ever has been a patient of the practice or that they attended, failed to attend or cancelled an appointment.
- Information about the patient’s physical, mental or oral health condition.
- Details of historic, planned or ongoing treatment.
- Information about family members.
- Details of personal circumstances supplied by the patient to others.
- The amount paid for treatment, the account owing or the fact that the patient owes the practice money.
The practice has adopted the following three principles of confidentiality:
- Personal information about a patient is confidential in respect of that patient and to those providing the patient with health care.
- It should only be disclosed to those who would be unable to provide effective care and treatment without that information (the ‘need to know’ concept). Even in cases such as this, consent must still be obtained prior to any disclosure of personal data.
- Such information should not be disclosed to third parties without consent of the patient except in certain specific circumstances described in this policy.
There are certain restricted circumstances in which a dentist may decide to disclose information to a third party or may be required to disclose by law. Responsibility for disclosure rests with the Data Controllers, Rebecca Renforth and Natalie Henderson. Under no circumstances can any other member of staff make a decision to disclose. A brief summary of the circumstances is given below:
- When disclosure is in the public interest. There are certain circumstances where the wider public interest outweighs the rights of the patient to confidentiality. This might include cases where disclosure would prevent a serious future risk to the public or assist in the prevention or prosecution of serious crime.
- When disclosure can be made: (i) with the express consent of the patient, (ii) where it is necessary to enable someone else to provide health care to the patient and the patient has consented to his/her sharing of information, (iii) where it is required by statute, (iv) pursuant to a court order, (v) in order for the dentist to pursue a bona-fide legal claim against a patient (e.g. disclosure to a solicitor, court, or debt collecting agency).
- Disclosure necessary to provide health care and for the functioning of the NHS; in practical terms, this type of disclosure includes transmission of claims/information to payment authorities such as the DPD/SDPD/CSA; in more limited circumstances, disclosure to the PCT or referral of the patient to another dentist or health care provider such as a hospital.
The practice’s Data Protection Policy details how we comply with the Data Protection Act 1998. It is a condition of engagement that all practice staff comply with this policy, which also works hand in hand with the newly introduced General Data Protection Regulations Policy.
Patients have the right of access to their health records, whether held on paper or on a computer. Following the launch of the GDPR in May 2018 we can no longer charge patients for a copy of the personal data we hold on them. If a patient requests a copy of their personal data they must request this in writing. This is passed on to the Data Controllers at the practice (Rebecca Renforth and Natalie Henderson) who will reply within 1 month. The Data Controllers have the right to deny the request if it is found to be excessive, but again must do this within a 1 month time frame. Full details can be found in the practice General Data Protection Regulations Policy. Care should be taken to ensure that the individual seeking access is the patient in question and, if necessary, the Data Controllers must seek confirmation of identity from the individual if they are not a recognised patient.
These principles give rise to a number of rules that everyone in the practice must observe:
- Records must be kept secure and in a place where it is not possible for other patients or individuals to read them. Computers are password protected and all staff have an individual log in code and user name that is personal to them to log onto the dental system. All paper records we hold are kept in a locked cupboard with a pin code lock to prevent any unauthorised access.
- Information about patients must not be discussed with anyone outside the practice, including relatives or friends. Care must also be taken when talking on the phone especially in a public area such as reception / waiting room. If a phone call needs to be made or a face to face conversation of a private nature, staff must go to a quiet area ensuring privacy for the patient at all times.
- A school / work place must not be given information about whether a patient attended for an appointment on a particular day. If a letter / appointment card is requested by a patient or parent this can be processed (with consent if over 12 years or over).
- Demonstrations of the practice computer system must be carried out using fictitious data and not actual patient information (specific fictitious individuals have been created on the system for staff training purposes and a complete ‘demo data’ set is available at login for appointment book demonstrations, if required; consult the Practice Manager).
- Do not give information about a patient’s appointments to their employer / employee. We do have a consent form which we ask patients to complete, as in some cases they rely on family members or an employee such as a PA or secretary to look at their diary and book appointments. Only in the case of obtained consent would we disclose this information. Consent of this nature will be recorded in a clear place on the patient’s records.
- Messages about a patient’s care must not be left with third parties, nor on an answering machine. Where care requirements must be discussed, all that can be left is a message to call the practice back at their soonest convenience.
- All patients’ recalls and personal information must be sent in a sealed envelope, marked ‘Private and confidential’. These are posted with Royal Mail which is a trusted courier.
- Where information is to be shared with a third party, such as where a referral is made to a specialist outside the practice, information should be sent either by post in a sealed envelope to a postal address that has been verified (for example, by telephone call to a Consultant’s medical secretary) or by email to an email address that has been similarly verified as valid and secure. We would obtain consent from the patient (usually verbally) prior to the referral being sent. This would be documented in the patient’s records.
- No information may be disclosed to officials such as police officers, tax officials etc., without the express permission of the Data Controllers.
- Patients must not be allowed to see information contained on day sheets or computerised appointment books, since these inevitably contain information about other patients and therefore other persons’ personal data.
- Discussions about patients should not take place in public areas of the practice.
- Discussions with patients about their care should take place in the surgeries or other areas where they will not be overheard.
- Where a child is competent to make decisions about their treatment and wishes to do so, we will also observe confidentiality in relation to them, i.e. we will not share information with the child’s parents without the child’s consent. Any child over the age of 12 years old will be asked to complete a consent form allowing us to discuss their personal information with a parent. This can be retracted at any time. In the case of treatment incurring a charge, we would advise the child to discuss this with the person who would inevitably pay for the treatment.
- If in any doubt about whether information is confidential or whether the person requesting it is genuinely entitled to receive it, DO NOT DISCLOSE ANYTHING but politely decline and refer the matter to the dentist or the Data Controllers.
In some cases we need to discuss a patient’s treatment with a parent or guardian. If a patient is aged over 12 years old we would ask them to complete and sign a consent form which allows us to discuss their treatment with their parent, who will assist them in making decisions regarding their dental treatment. We are yet to have a patient refuse this, but if a case did arise we would respect the wishes of the patient and only discuss their treatment with them. This consent form is also completed by patients who have others make or change appointments on their behalf. The form allows the patient to name someone they trust to do so.
If, after an investigation, a member of staff is found to have breached patient confidentiality or this policy, he or she will be liable for dismissal. If a member of staff becomes aware of a possible breach of information they must inform the Data Controllers at the practice, Rebecca Renforth and Natalie Henderson. They will follow the information breach protocol and report this as and where necessary. See General Data Protection Regulations Policy for more information.
Employees are reminded that all personal data processed at the practice must by law remain confidential after your employment has terminated (for whatever reason). It is an offence under section 55 (1) of the Data Protection Act 1998, knowingly or recklessly, without the consent of the Data Controllers Rebecca Renforth and Natalie Henderson, to obtain or disclose personal data. If the practice suspects that you have committed such an offence, the Data Controllers will contact the Office of the Information Commissioner and you may be prosecuted by the Commissioner or by the Director of Public Prosecutions.
Last reviewed: May 2018