As of 25th May 2018 the General Data Protection Regulation (GDPR) comes into force. This will impact Simpson and Nisbet Dental Centre by raising the level of requirement and precision in how we collect, use, process and delete the data we hold on our patients. GDPR replaces the Data Protection Act 1998 and is supplemented in the UK by the Data Protection Act 2018.
At the practice we have named Data Controllers and Data Protection Officers, Rebecca Renforth and Natalie Henderson. As Data Controllers it is their responsibility to control the personal data kept on patients within the practice. If personal information is to be disclosed, it is for Rebecca Renforth or Natalie Henderson to decide how this is handled correctly and efficiently.
Data processors can only process personal data on the instruction of the Data Controller. This is part of the day-to-day running of the practice. All dentists, therapists and hygienists are data processors, as are nursing and reception staff.
At present Simpson and Nisbet Dental Centre complies with the Data Protection Act 1998, and this policy outlines the procedures we follow to ensure that all personal information we collect is processed fairly and lawfully. We are fully computerised and are registered as a Data Controller with the Information Commissioner for this purpose.
We may only process personal data on a lawful basis. There are six lawful bases, of which only three really apply to Simpson and Nisbet Dental Centre. These are:
- Legitimate interest
- Contract
- Consent
As a dental practice we must have a valid, lawful basis on which to process personal data. There are six lawful bases, none of which takes precedence over the others. The most appropriate lawful basis for us to process personal data is consent. This gives the patient choice and control, and puts the patient in charge of their own decisions.
In order to provide our patients with the best possible standard of care and attention, we need to hold a certain amount of personal information about them. This comprises:
- Personal details such as name, date of birth, address, contact telephone numbers, email address and your Doctor's contact details
- Your past and current medical records
- Your past and current dental records
- Radiographs, clinical photographs and study models
- Information about the treatment we have provided or propose to provide (and its cost)
- Notes of conversations or incidents that might occur for which a record needs to be kept
- Records of consent to treatment – although this is ongoing and will be updated every visit
- Treatment estimates – given to patients so they are aware of treatment costs for planned work. Also given to Denplan patients, who may or may not pay depending on the treatment required.
- Any correspondence (relating to you) with other health care professionals such as referrals to specialists
All records and information we keep regarding patients need to be accurate and up to date in order to provide them with safe and appropriate dental care. Below we describe how we collect, use and process all patient information we obtain.
The information we collect about a patient starts when the patient books an appointment, at which point all contact details and the patient's date of birth are taken and recorded on the computer in the new patient's personal record.
- We will use this information to contact the patient regarding appointments or any other reason we need to speak to them. Patients will also let us know their preferred method of contacting them.
When the patient attends the practice for their initial visit they will be given a medical history form to complete and sign, confirming that the information they have given us is accurate to the best of their knowledge. This asks about the patient's past medical conditions, ongoing medical conditions and any medication they may be taking.
- This will be scanned onto the patient's records and a written updated copy will be obtained every 2 years. Any changes will require a signature from the patient and will again be scanned onto the patient's records. The medical history is also verbally checked at each visit prior to treatment. We need this information because certain conditions and medications can affect the treatment we are able to provide to a patient.
Because your dental history is carried with you in your mouth, when you first attend the practice for a 'New patient examination' a full charting will be recorded of your existing dental treatment and of any planned treatment advised by your dentist.
- This will be checked at every examination appointment for any changes and updated with any additional treatment if required. If a patient attends for an appointment with problems between examination appointments and treatment is required, the charting is updated accordingly as treatment is carried out; if no treatment is carried out then this is also recorded in the notes.
When a patient attends the practice for the first time the dentist will usually take 2 small radiographs as a baseline for the first visit. These are called bitewings and allow the dental clinicians to see between the back teeth, where it can sometimes be difficult to see. If a patient has recently had these taken at their previous dentist we may ask for a copy instead. Sometimes treatment also requires clinical photographs and/or study models.
- These are retaken when the dentist feels they are needed as part of your dental care. Additional radiographs may also be taken for diagnostic purposes during treatment, but only when clinically necessary. Clinical photos are a useful visual aid, especially when carrying out cosmetic treatments, and can also help lab technicians when they are carrying out work.
The computer system we use to record all of your information is called Exact – Software of Excellence. This records and stores all previous treatment you have had carried out with us including referrals to and from other specialists. This also records the fee per treatment. This enables us to look back at historic treatment as an aid when discussing future treatment plans.
- All personal data we hold at the practice about patients is held on our computer system and / or manual filing system. The information is not accessible to the public: computers are password protected and all staff have individual log-ins. Each member of staff has their own security clearance governing what they can see and do regarding patient details, tailored to the individual's job role. Because users can be identified by their log-in name/code, we can carry out an audit as and when required to see which user carried out a given action and when. Each user session has an inactivity timer and will log out when the computer has not been used for a period of time. Our paper records are kept in locked filing cabinets inside locked cupboards secured with a combination lock. The computer system has secure audit trails, and information is backed up to a removable hard drive every day, which is taken off the premises each evening by a senior member of staff and returned the next day, so that in the unfortunate event of a fire we still have a backup of the data. Also see the practice Data Security Policy.
After a patient has seen a dentist and more work is required they will be given an estimate so they are aware of treatment costs and options.
- This is also a contract they enter into, in that if they have the treatment carried out they are liable for the cost. By signing the estimate a patient is not agreeing to have the treatment carried out; they are acknowledging that if they do have the treatment carried out they are aware of its estimated cost and that this must be paid at the end of every appointment as treatment is completed. Some treatments require a deposit, and if a patient needs to cancel they must give at least 48 hours' notice or the deposit will be lost. By signing the estimate patients are also acknowledging that they are aware of the deposit and of the notice period if they wish to cancel the appointment.
As with discussions regarding treatment plans, any other discussion with staff relating to treatment, queries or complaints will also be recorded in the patient's records.
- This could be in relation to treatment, costs, complaints etc. All notes about patients and their treatment must be clear and accurate and in an understandable language for all concerned.
On occasion we will refer patients to other practices / clinics for specialist treatment that we cannot carry out within our practice. In these cases a referral letter will be sent with the consent of the patient. The specialist will then reply and arrange to see the patient for the treatment required. We also record all correspondence we have with the patient regarding appointments, ongoing treatment and so on.
- All correspondence is recorded in the patient's records, from referrals to text messages regarding future appointments. Any referral sent out of the practice will be discussed in full with the patient before any correspondence is sent. Only with the agreement and consent of the patient would we send a referral to an outside source.
All of the above creates our lawful basis for processing patient information. We have a legitimate interest in creating a treatment plan for the patient and therefore an estimate for planned work. This then creates another lawful basis, a contract, and in addition we must gain the patient's consent before any treatment is carried out.
At Simpson and Nisbet Dental Centre we gain verbal consent at the beginning of each treatment and verify it at every subsequent stage of treatment. The patient attending for the appointment cannot be taken as implied consent. The consent is recorded each time it is taken, whether verbal or written.
- In the case of verbal consent the dentist will make a note of this in the clinical records so that it is well documented; in the case of written consent, the form will be scanned onto the patient's records as proof (although consent can be withdrawn at any time throughout the course of treatment).
We also ask patients over the age of 12 to sign a consent form (if they are willing) allowing us to discuss their information with a parent. This is also added to the patient's records. Consent is necessary for processing children's data, and parental consent is required for the processing of personal data of children under the age of 16. The consent is set out in clear, plain language which is easy to understand. Patients choose whether to give it; if we do not gain consent then we cannot proceed.
- In addition, patients who are treated by the hygienist more frequently than every 6 months are also asked to sign a consent form allowing us to do this.
- Specific consent forms for some more complicated treatments such as implants and teeth whitening are also given to patients. We have a dedicated policy to consent that looks into this in more depth and is available on request.
The way we process the personal data we hold on patients is also very important. Simpson and Nisbet Dental Centre will process personal data on patients as stated above. We retain the data we hold on patients as follows:
- We will retain your dental records while you are a current patient with us. If you cease to be a patient with us then we will hold your records for at least another 11 years, or in the case of children until they reach the age of 25, whichever is longer. We have both paper and computerised records on some patients. On a yearly basis both Rebecca Renforth and Natalie Henderson will go through all patient records, and any that have exceeded the retention period described will be destroyed. Records reach the end of their retention period for a number of reasons, e.g. a patient has moved and not returned to the practice, or the patient is now deceased. Even in the case of a deceased patient we must still retain their records for the stated period.
In order to provide proper and safe dental care, we may need to disclose personal information about you to:
- Your general medical practitioner
- The Dental Hospital or community dental services
- Other health professionals caring for you
- Private dental schemes of which you are a member
Disclosure of such information is on a 'need to know' basis. Information is only given to those individuals / organisations who need it in order to provide care to you or for proper administration (the staff of those organisations are themselves bound by strict confidentiality rules and policies), and the recipient will only be given the information they need to know for these purposes.
In limited circumstances or when required by law or court order, personal data may have to be disclosed to a third party not connected with your dental care. These cases are very rare. In all other situations, disclosure that is not covered by this Policy will occur only when we have your specific consent to do so. Where possible you will be informed of these requests for disclosures. Section 29 of the Data Protection Act covers this in more detail.
The changes as of May 2018 state that patients have a right of access to the data we keep on them. Prior to this date the practice could charge patients for copies. Patients now have a stronger right to their information, which must be given free of charge. We now have a shorter time frame of 1 month in which to respond, as opposed to the previous 40 days. The Data Protection Officers at the practice can refuse a request if it is manifestly unfounded or excessive. If a request is refused then our Data Protection Officers will explain why and inform the patient that they have the right to complain to the supervisory authority and to seek a judicial remedy. This must also be done without delay and within the 1 month time frame.
The Data Protection Officers maintain a summary of all requests for access to records, disclosures, consent to disclosure and reasons for refusing access, and this is documented in the patient's notes.
If you do not wish for personal data we hold about you to be disclosed or used in the way that is described in this Policy, please discuss the matter with your Dentist / Practice Manager / Data Protection Officer. You have the right to object, but please remember that this may affect our ability to provide you with dental care.
The General Data Protection Regulation includes the following rights for individuals:
- The right of access – Patients have the right to confirm how their personal data is being processed. They can also access their information at any time. This will be provided free of charge, but the Data Protection Officer has the right to refuse the request if it is manifestly unfounded or excessive, and must give a reason for the refusal. If the request is granted then the information must be given within 1 month of the request. If the request is refused, a response must still be given within 1 month explaining why.
- The right to rectification – Patients have the right to obtain and rectify inaccurate personal data held about themselves.
- The right to erasure – Patients can request that the information we hold on them can be deleted and or destroyed. Patient information that we have held on a patient that has not been seen for over 11 years or in the case of a child, when they reach the age of 25 years old – whichever is the longer period of time, will be destroyed by cross shredding and disposed of correctly.
- The right to restrict processing – We can hold information on a patient but may not be able to use it in any way. If we need to pass patient information to an outside source then consent from the patient must be obtained before processing. All referral letters carry a statement at the bottom that, under GDPR, the personal information within the letter is for the named clinician only; if the data needs to be shared further they must first secure the named patient's consent. All of the dental laboratories we use have signed a written agreement to the same effect: they will not share any personal information regarding the patient without first obtaining the patient's consent.
- The right to data portability – This is a new factor. Data portability will allow the patient to request a copy of their personal data. This should be a format that they can understand and allow them to send this to another processing system electronically. Data can also be transferred to other specialists and referral sources but again only done so with the consent from the patient.
- The right to object – Patients can object to us using their personal data for any reason e.g. marketing. As soon as a patient objects to this we must stop immediately. Patients do not need to give a reason to object. In some cases this may affect the service we provide.
- The right not to be subject to automated decision-making including profiling – This does not apply when it has been authorised by law e.g. fraud or tax evasion.
Overall the rights a patient / individual has are the same as those under the Data Protection Act but with some substantial improvements on the patient’s behalf.
At Simpson and Nisbet Dental Centre all policies are updated every 6 months by Rebecca Renforth. Both Rebecca Renforth and Natalie Henderson constantly monitor all staff and processes carried out for any issues that may arise as well as keeping up to date with legislation regarding data protection and data processing.
Data protection training is given to all staff on induction. During staff meetings we carry out information governance and data protection scenarios also incorporating GDPR. Staff also carry out their own ongoing development in the form of CPD in this particular area.
All staff have a contract containing a confidentiality and data protection agreement, through which they acknowledge the importance and highly sensitive nature of confidentiality in the environment we work in.
What to do in the event of a breach of information
In the event of an information breach, whereby a patient's records or information held regarding a patient has been released to an unauthorised individual, a protocol must be followed. Within the practice an investigation and internal reporting procedure will be carried out:
- The Practice Manager, Practice owners or Data Controllers must be notified immediately.
- The time, date and details of the breach must be recorded regardless of whether it is reported externally or not.
- The ICO must be notified within 72 hours of our becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
- Where the breach is likely to result in a high risk to the service user's rights and freedoms, the service user whose data has been released must also be informed without undue delay.
Overall, final decisions within the practice are made by the practice owners, John Simpson & Gillian Nisbet. It is the role of Rebecca Renforth and Natalie Henderson to inform the practice owners of any updates, guidelines and legislation, and of any breach of personal information should one occur. Rebecca Renforth and Natalie Henderson are responsible for the day-to-day running, but significant decisions are passed to John Simpson & Gillian Nisbet.
We protect the data we hold within the premises with password protection on all computers and on the system used to store all personal data. In addition, the computers have a firewall. We have internal locks and pin codes on both the stock cupboard and the staff room. To get into the building itself there are 4 locks and a burglar alarm. The building is secured during working hours and the burglar alarm is set outside working hours. We also have tenants in the flat above who hold the contact details of the practice owners in case the burglar alarm is triggered.
All of our computers are monitored by Microminder. They continually monitor and check the back-ups and provide assistance should any issues occur. They also provide updates and install hardware as and when needed. Patient records themselves are never taken from the premises; the only data that leaves the building is the daily backup drive described above.
Rebecca Renforth is the Records Management Lead and is responsible for how all data is collected and held at the practice. In the event of a breach of information she must be notified immediately and will follow the appropriate action. As the Records Management Lead it is Rebecca’s responsibility to ensure that all staff are up to date on how to handle patient’s personal data and recognise any potential breaches.
At Simpson & Nisbet Dental Centre all staff can record information regarding a patient. We must ensure that, no matter who records the information, it is accurate, adequate, relevant and not excessive. Any record made using the Exact system shows which user created it. All staff have their own username and password, which is personal to them. Only the Practice Manager has the security clearance to change a password other than the user themselves.
When a member of staff leaves the practice the Practice Manager will delete their user details from the system (with the exception of a dentist, whose user remains so that their historic clinical entries stay attributable). It is at the Practice Manager's discretion which level of security is given to a member of staff, depending on their job role and what they require to carry out their duties.
As part of any member of staff's induction into the practice, they must read and fully understand all of our policies. Anything they are unsure of they must raise with the Practice Manager, who will explain any queries they have. The policies are updated every 6 months; this is the responsibility of the Practice Manager. Any updated policies are passed to all staff to read and refresh their knowledge. Any additional information the practice receives regarding such issues is also passed on to staff, either at a staff meeting or, if it is of a more pressing nature, as soon as possible. During a new member of staff's induction they are made aware of who to go to in the event of a problem or if they need advice. In the case of data processing, staff go to Rebecca Renforth or, in her absence, Natalie Henderson.
Procedure for recognising and responding to an individual’s request to access their personal details
Patients have always been able to request access to the personal data we store about them. At Simpson and Nisbet we have a procedure to be followed when a request like this is made.
Under GDPR individuals have the right to obtain information:
- Confirming how their data is being processed
- Regarding their personal data we hold on them
- Other supplementary information
These are very similar to previous rights under the Data Protection Act called Subject Access Rights.
If a patient requests access to their personal details then this must be passed straight to the Practice Manager, Rebecca Renforth (Data Controller), or to Natalie Henderson in her absence. From this notification we then follow a checklist to ensure the protocol is followed correctly:
- Is the request a valid request to access an individual's data?
- Has the individual given adequate evidence of their identity?
- Do we require more information from the individual to locate the data they have requested?
- Is the information requested ‘personal data’ relating to the individual?
- If not, then we must respond to the individual to clarify why they want access to the information
- Record a note of the 1 month deadline to respond to the individuals request
- Examine the information requested, remove duplicates and any irrelevant information
- Check to see if the data requested contains information from a third party
- Can we redact the information to protect the third party?
- Can we gain consent from the third party?
- If neither consent nor redaction is possible, withhold that part of the information held.
- Inform the individual that, because third-party data is involved and the third party's consent is needed, all or part of the information they have requested is likely to be delayed.
- Take into account that some of the data requested may not be required.
- Explain the reason you are refusing access to particular data.
- Make a record of the data you are withholding and the reason behind your decision e.g. if request is excessive and not required.
- Establish whether the individual wants hard copies or digital copies of the information. If the access request is accepted then the information is printed out. The patient can either collect it from the practice, showing identification if they are not recognised, or it can be posted via Royal Mail recorded delivery at a cost to the patient. Confirmation of the patient's address must be obtained prior to posting. Alternatively the information can be emailed to the patient, in which case a test email must be sent first to confirm that the email address is correct and valid.
- Ensure that the information provided is in a legible format and can be understood. Also include a brief description of the search for the data. This information should be presented in a permanent form.
- Keep a copy of what has been sent to the individual, including dates and time frames.
- If a second copy of the personal details is requested then a charge can be made at the discretion of the practice owners, John Simpson & Gillian Nisbet.
Reviewed: March 2018