Information Governance Policy

A breach in Information Governance (IG) Legislation can cause risk to patients in many ways such as:

  • Identity fraud
  • Financial loss
  • Physical safety
  • Loss of privacy

This will also cause damage to Simpson & Nisbet Dental Centres reputation which will in turn cause loss in confidence from patients, possible fines and legal proceedings. Individual members of staff can also face a fine as well as the practice on whole. Any requests of information must be referred to a Dentist, Practice Manager or Data Controller. These will be dealt with within the appropriate time frame of 1 month.

The aim of this policy is to work in conjunction with IG legislation for the storage, processing and providing information. This policy also works alongside the General Data Protection Regulations Policy, the Privacy Policy, Confidentiality Policy, the Consent Policy and the Data Protection Policy. As a practice we promote the privacy and protection of patient information at all times.

Simpson & Nisbet Dental Centre comply with all Laws, Legislation, Regulations and Acts that are relevant to the protection of personal information which include:

  • Data Protection Act 1998
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • Human Rights Act 1998
  • Information Governance Legislation
  • Common Law of Confidence

The Data Protection Act 1998

The Data Protection Act (DPA) is in relation personal data about any living person. Personal data is information that can identify an individual from such data. Under the Data Protection Act it is required that data is kept for no longer than necessary. At Simpson and Nisbet Dental Centre we retain patient records for 11 years following a patient’s most recent visit or up until the age of 25 years old for children.  After this time all hard copies of the data is destroyed.

The Data Protection Act gives you the right to find out what information an organisation such as Simpson and Nisbet Dental Centre holds on you. You have a right to have this information but you must write to request this. The Data Controllers Rebecca Renforth and Natalie Henderson will respond to the written request within 1 month. If a patient dies then the right passes onto the person whom has claim on their estate and arises under the Access to Health Records Act 1990.

 On rare occasions your personal data can be withheld. Examples of these are for the prevention, detection or investigation of a crime or if the information is regarding the armed forces or national security. 

The Data Protection Act affects the way Simpson & Nisbet Dental Practice uses and holds personal data. The main points to consider are interlinked with the 8 principles within the Act:

  • Fair and lawful
  • Purposeful
  • Adequate
  • Accurate
  • Retained for the correct amount of time
  • Processed within the rights subject to the Act
  • Secure
  • Not transferred outside the European Economic Area

If staff are in a situation such as a Police officer contacts the practice asking for personal data of a patient as they are a known suspect in a crime, they need to refer this to the Practice Manager, Data Controllers or Practice owners. 

Many people may feel as a Police officer they are entitled to ask for such information. This is only true if they are in possession of a court order or a statutory right to obtain this. This would not be a breach of confidentiality and this would be a lawful way to disclose patient information without their consent. If a dentist found themselves in this situation they can contact Dental Protection for support and advice prior to disclosing any information. 

If you believe your information has been misused you need to contact the Practice Manager or Data Controllers who will look into this matter. If you are not satisfied with the response you can contact the Information Commissioners Office (ICO) on telephone 0303 123 1113.

The ICO can investigate your claim and take action against anyone who has misused your information.

Access to Health Records Act 1990

Patients have a right to access their own records and personal information. They can also consent for disclosure to a third party. As a practice we would only disclose information after gaining consent from the patient in question and only disclosure the information they had consented to. 

Under this Act there are 3 reasons you are able to disclose information without the patients consent. These are:

  • If you believe a patient is the victim of neglect or abuse
  • If you believe it is in the wider public interest or that it is necessary to protect the patient or someone else from serious harm or death
  • Disclosure is required by law – E.g. Court order or Disclosure notice

Children aged 12 and above are deemed able to be mature enough to understand well enough to make their own request for subject access. The Information Commissioners Office have stated that parent of children under this age are able to request subject access on their behalf. You must use your own judgement on whether a child has the capability to make their own decisions on consent and access to their own personal records. Any access to a child’s information must be purely in the best interest of the child. A parent’s responsibility for a child does not change if the parents are no longer together.

It is normally assumed that a patient’s information will be shared within the clinical team for the purpose of their care but they should be made aware of this as well as their right to withhold consent. In some cases patients may request that certain sensitive information is withheld and this should be respected.

The Access to Health Records Act affects Simpson and Nisbet Dental Centre in the way we allow patients to access their own records and consent to third parties having access to it. All requests for personal data such as patient records must be made in writing as well as consent to disclose information to a third party. This also applies to anyone wanting to access to a deceased patients records.

Deceased patient records are public records under the Public Records Act and it has been argued that they should be accessible under the Freedom of Information Act 2000. This issue is currently under consideration by the Department of Constitutional Affairs in conjunction with the Department of Health. Until and decision has been made on this matter Simpson and Nisbet Dental Centre will not release any records of deceased patients unless it is to comply with the Access to Health Records Act.

Freedom of Information Act 2000

At Simpson & Nisbet Dental Centre we have two main obligations under the Freedom of information Act. 

We must:

  • Publish certain information proactively and
  • Respond to requests for information. Please see our consent form for requesting information.

The Freedom of Information Act 2000 provides public access to information held by public authorities.

It does this in two ways:

  • Public authorities are obliged to publish certain information about their activities; and

              members of the public are entitled to request information from public authorities.

  • The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.

Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.

Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.

The Act does not give people access to their own personal data (information about themselves) such as their health records or credit reference file. If a member of the public wants to see information that a public authority holds about them, they should make a subject access request under the Data Protection Act 1998. See Simpson & Nisbet’s consent forms available at reception.

The Freedom of information act doesn’t confer any explicit right to copies of original documents. A request for a copy of a document is a valid request for all of the recorded information in that document.  Most documents contain recorded information over and above the actual wording, such as the design, layout and style of writing. This means that in most cases, the only practicable way to communicate all the recorded information in the document to the requester will be to provide a copy of the original. If the request is limited to a specific document or documents (for example, patient’s notes), then Simpson & Nisbet only has to consider the release of the recorded information in the document(s) concerned. It doesn’t have to check whether it holds any further relevant information in other records.

Human Rights Act 1988

The Human Rights Act 1998 (the Act or the HRA) sets out the fundamental rights and freedoms that everyone in the UK is entitled to.

In practice, the Act has three main effects:

1. It incorporates the rights set out in the European Convention on Human Rights into domestic British law. This means that if your human rights have been breached, you can take your case to a British court rather than having to seek justice from the European Court of Human Rights in Strasbourg, France.

2. It requires all public bodies (like courts, police, local authorities, hospitals and publicly funded schools) and other bodies carrying out public functions to respect and protect your human rights.

3. In practice it means that Parliament will nearly always seek to ensure that new laws are compatible with the rights set out in the European Convention on Human Rights (although ultimately Parliament is sovereign and can pass laws which are incompatible). The courts will also, where possible interpret laws in a way which is compatible with Convention rights.

The Human Rights Act came into force in the UK in October 2000.

The Act sets out your human rights in a series of ‘Articles’. Each Article deals with a different right and these are commonly known as ‘the Convention Rights’:

  • Article 2 Right to life
  • Article 3 Freedom from torture and inhuman or degrading treatment
  • Article 4 Freedom from slavery and forced labour
  • Article 5 Right to liberty and security
  • Article 6 Right to a fair trial
  • Article 7 No punishment without law
  • Article 8 Respect for your private and family life, home and correspondence
  • Article 9 Freedom of thought, belief and religion
  • Article 10 Freedom of expression
  • Article 11 Freedom of assembly and association
  • Article 12 Right to marry and start a family
  • Article 14 Protection from discrimination in respect of these rights and freedoms
  • Protocol 1, Article 1 Right to peaceful enjoyment of your property
  • Protocol 1, Article 2 Right to education
  • Protocol 1, Article 3 Right to participate in free elections
  • Protocol 13, Article 1 Abolition of the death penalty

At Simpson & Nisbet Dental Centre all members of staff are made aware of the Human Rights Act during induction when they read all of the practice policies. Our policies are updated on a 6 monthly basis and training where necessary is reviewed.

Common Law of Confidence

Common law is not written out in document form but is based on previous court cases and decided by judges. It is also referred to as ‘judge-made’ or case law. The general consensus is that information cannot be given or disclosed without the patient’s consent. Three ways of giving such information is lawful are:

  • The patient whom the information/records are about has given consent
  • Where the disclosure of information is in the public interest (rare occasions – check with the Practice Manager, Data Controllers or Practice owners John Simpson and Gillian Nisbet)
  • Where it is a legal duty to do so E.g. a court order (again check with the Practice Manager, Data Controllers or Practice owners John Simpson and Gillian Nisbet)

Under Common Law Simpson & Nisbet Dental Centre will not disclose any patient information without seeking prior consent from the patient in question.

Where it is not possible to gain consent, Simpson and Nisbet Dental Centre may rely on a disclosure of information being in the overriding public interest. This will not be taken lightly and a solid justification will be made as to why the records have been disclosed, specialist and/or legal advice will be sought before any information would be released. This decision would be fully documented as to why this decision was reached.

In the event of a court order requesting information, this would be referred to our legal team prior to any disclosure. This should also be carried out promptly as representations maybe required in court.

Any disclosure of information without consent from a patient may bring legal action against Simpson and Nisbet Dental Centre and the individual member of staff who passed on any information without the patients consent. This is a breach of confidentiality and may result in a fine for both practice and individual. In the event of a personal data breach the Data Controllers must be informed and protocol must be followed to report the breach.

This requires Simpson & Nisbet Dental Centre to think about whether a duty of confidence exists when responding to information requests. The main points to consider are:

  • All information held must not normally be disclosed without the patients consent
  • Patients age and mental health are irrelevant – this applies to all patients
  • Records of deceased patients will not be disclosed unless it complies with the Access to Health Records Act 1990

Records Management considerations

All members of staff at Simpson & Nisbet are aware of their own personal responsibility as well as the responsibility of the practice where confidentiality is involved. Staff are only able to access patient information that they require to carry out their duties within their job role. As and when job roles change/evolve then so can to the access a member of staff has to patient records. 

Requests for records should be directly addressed to the Practice Manager, data Controllers or Practice owners John Simpson or Gillian Nisbet. Particular care is taken when sending such information. As a practice we have a protocol in place of how to send patient data, both digital and hard copy.

  • Transferring patient data via email

In the event that we need to transfer a patients personal and confidential data to an unknown source. The ‘TO, FROM, DATE and SUBJECT’ fields can be viewed by anyone. Personal data needs to be kept confidential to all parties except the intended recipient. If a patient requests that we pass on their dental records to their new dental practice and gives an email address to do so we must:

  1. Check the email address with the one on the new practices website if applicable
  2. Ring the new dental practice to confirm to the email address and that you will be sending the records of the patient and whom to mark it for the attention of
  3. Send a test email to confirm the email address with the new practice
  4. Send patient records once all of the above have been confirmed
  5. Ask new practice to reply with confirmation that they have received the email and are able to access the information it contains
  6. This protocol applies to any unknown source when transferring confidential data. 
  7. When sending data in the event of a legal case, a patient can be identified using a reference number/code. This will have been previously sent on a separate email to identify the patient. 
  • Transferring patient data via post

In the event that we need to transfer a patient’s personal and confidential records via post, we will print out the relevant information requested (at a possible charge). We will put this in a security sealed envelope and send via an approved carrier such as Royal Mail. We will always send information such as this via recorded delivery so the recipient must sign for this when they receive it. All information sent via post containing any patient data is marked as ‘Private and confidential’.

If a patient requests that we speak with their parent regarding their treatment and personal information then we have a consent form to ensure that we have written and signed copy to confirm this. This is then scanned and held in digital form on a patients records.

Patients have a right to access the data we hold on them and to have a copy of this. This request must be in writing. The request will be passed onto the Data Controllers, Rebecca Renforth and Natalie Henderson. They will respond within 1 month of receiving the request. They can deny the request if they deem it too excessive.

Staff responsibility

All staff are aware of this policy and the Acts, Laws and Legislation that work alongside it. Staff are also aware of what it means to both staff and patients at Simpson & Nisbet and the possible consequences of not adhering to them. All staff have completed an Information Governance workbook and assessment as part of their training and new staff are to complete this as part of their induction training. If any member of staff, or a patient have any concerns regarding Information Governance, they need to raise this issues with the Practice Manager or Practice owners John Simpson and Gillian Nisbet. Staff must ensure that:

  • They are individually responsible for keeping the information they hold on a patient.
  • Everyone working at Simpson & Nisbet Dental Centre who records, handles, stores or comes across patient information, has a Common law Duty of Confidence to both the practice and the patient. They are recognised as a Data Processor.
  • All staff have signed a contract with Simpson & Nisbet Dental Centre in which they have agreed to complete confidentiality of personal information that we collect and process.

This policy is to be reviewed on a 6 monthly basis with all other policies and will be amended to maintain its relevance.

If any changes occur that affect how the records we keep are managed, this policy will be reviewed and staff informed via staff meeting and updated training.

Last reviewed: May 2018