ACCESS TO INFORMATION HELD BY THE PRACTICE
We may be asked to disclose information, documents or records held by the practice. Requests for personal information are made under data protection legislation and under freedom of information legislation for information about the NHS services provided by the practice.
Requests for personal information or for information about the practice that is not included in the practice information leaflet should be passed to the Practice Manager.
This policy describes who can request information and how and the practice procedures for managing these requests.
Requests for personal information
Personal information is any information that allows an individual to be identified. This includes information where the individual is not named but a cross-reference to other information held by the practice would allow identification.
Data protection legislation allows individuals to request access to their personal information. Those eligible to request access include:
• A person aged 16 years or older
• The parents or guardians of a child under the age of 16 years and in connection with the health and welfare needs of the child
• A child under the age of 16 years who has the capacity to understand the information held by the practice. Children aged 11 years and under are deemed too young
• A third party, such as a solicitor, who has the written consent of the individual concerned – checks should be undertaken to ensure that the consent is genuine – for example, by checking the patient’s signature or contacting the patient directly to confirm that they have given consent for the information to be disclosed.
If a request concerns information about a deceased person, those eligible to request access include:
• The administrator or executor of the deceased person’s estate
• A person who has a legal claim arising from the person’s death – the next of kin, for example. The person should explain why the information requested is relevant to their claim.
If the information requested includes information about third parties, it can be disclosed if the third party gives consent or is a health professional involved in the care of the patient.
The request must be made in writing and describe the type of information required with dates, if possible, and include sufficient information to ensure correct identification (name, address, date of birth, for example). You must check that the person asking for information has the right to do so and, if necessary, ask for proof of identity.
We will provide the requested information within one month of receiving the request or confirming the individual’s identity.
We will usually provide the information requested in electronic form using secure means, unless the individual asks for the information in paper format or unless otherwise agreed. The individual may also come to the practice to view the original version under supervision and on practice premises.
We will provide the information in a way that can be understood by the individual making the request and may need to provide an explanation to accompany dental clinical notes.
Unfounded or excessive requests
Where requests are manifestly unfounded or excessive (particularly if they are repetitive), we can:
• Charge a reasonable fee taking into account the administrative costs of providing the information; or
• Refuse to respond.
If we refuse to respond to a request, we will explain the reasons and inform the individual of their right to complain to the Information Commissioner’s Office and to seek a judicial remedy.
Requests for information about the practice
Freedom of information legislation allows anyone to ask for information about the provision of NHS services. The available information is described fully in the practice guide to information available under FOIA and the model publication scheme. If the requested information is part of a larger document, we will disclose only the relevant part.
A freedom of information request cannot include clinical records or financial records.
The request must be made in writing and should describe the type of information wanted, with dates, if possible. The individual making the request does not have to give a reason.
The charges for information provided under a freedom of information request are included in the practice guide and the model publication scheme.
We will provide information within 20 working days of receiving the request or confirmation of identity or, if applicable, from the receipt of the fee. It may be possible to extend this timescale if we need more information about the request or are taking legal advice on whether an exemption applies. We must inform the person making the request if we need to extend the 20-working-day deadline.
Most of the information covered by a freedom of information request is available in the practice information leaflet or on the practice website. Requests for other information should be referred to Dr Emma Arnold, the DPO or the Practice Manager. If we do not hold the information requested, we will inform the individual within the 20-working-day time limit.
We will provide information in a way that is convenient for the person who requested it, which may be in writing, by allowing the applicant to read it on the premises, or, if the information is held electronically, in a useable electronic format.
We are not required to respond to:
• Vexatious requests for information, for example, requests that are designed to cause inconvenience, harassment or expense.
• Repeated requests for the same or similar information (unless the information changes regularly, for example performance or activity information)
In either situation, you should seek advice from the DPO or the Practice Manager.
When attending the practice for dental care, patients provide us with personal information about their health on the understanding that we keep this information confidential and that it will not be divulged without the patient’s consent. Most patients would be reluctant to provide personal health information if they believed it would be passed on.
In addition to practice systems for storing this information securely, each member of the team is under a strict duty to maintain the confidentiality of all personal information held by the practice.
The duty of confidentiality
Your contract of employment or contracts for services at the practice require you to maintain the confidentiality of patient information. A breach of this requirement could end your employment with the practice or contract for services.
For registrants, a breach of confidentiality may lead to an investigation by the GDC into their fitness to practise; individual registrants are responsible for their professional conduct. A patient may also bring legal action for damages.
Dentists may also be prosecuted for breaching statutory data protection requirements.
A patient’s personal information includes:
• The patient’s name, current and previous addresses, bank account/credit card details, telephone numbers, email address and other means of personal identification, including a physical description
• Information that a person is or has been a patient of the practice or attended, cancelled or did not attend an appointment on a certain day
• Information about the patient’s physical, mental or oral health or condition
• Information about the treatment that has been provided or is planned
• Information about family members and personal circumstances supplied by the patient
• The amount that was paid for treatment, the amount owing or the fact that the patient is a debtor to the practice.
Principles of confidentiality
Personal information about a patient is confidential to the patient and to those providing the patient with health care, who require the information to provide effective care and treatment.
Disclosures to third parties
You must not disclose personal information to third parties without the consent of the patient, unless it is required by law or the dentist is pursuing a bona fide legal claim against the patient and the information is required by a solicitor, court or debt-collecting agency. The responsibility for disclosure rests with the responsible dentist; other members of the team cannot take the decision to disclose.
Disclosure to government agencies
It may be right to disclose personal information without consent to government agencies, including HMRC, the police or social services. In all cases, you should obtain details of what information is needed and why. Only information that is necessary to comply with the law should be disclosed. You must always obtain professional advice before releasing information on these grounds.
NHS and private care
Disclosure of information is needed to:
• Transmit NHS claims/information to payment authorities such as the Business Services Authority for England and Wales
• Refer patients to another dentist or health care provider such as a hospital.
The practice privacy notices for patients, employees and associates describe the personal information that we collect, how we use it and how we store it safely and securely. Copies of the notices are available from reception.
If you collect, use, store or destroy personal information, you should be familiar with the relevant privacy notice and ensure that you are dealing with the personal information as described in the notice.
Access to records
Patients can request access to their health records. The treating dentist should receive the request and the patient should be given the opportunity to discuss the records before being given a copy; the patient’s identity must be checked and confirmed.
The copy of the record must be supplied within one month of the request.
Patients must make a written request for access to their medical records. No fee is payable (except if a patient makes multiple requests).
Everyone involved with recording information about patients attending the practice must ensure that records are:
• Contemporaneous and dated
• Accurate and comprehensive
• Neat, legible and written in ink
• Strictly necessary for the purpose
• Not derogatory
• Such that disclosure to the patient would be unproblematic
• Signed by the dentist.
Patients have the right to stop the practice sending marketing emails and to ask the practice to delete some information, such as contact details. Not all information can be deleted and requests to delete information must be managed in accordance with data protection laws. These requests must be passed to the Practice Manager for action.
• Records must be kept secure and in a location where it is not possible for other patients or individuals to read them
• Patients should not be able to see information contained in appointment books, day sheets or computer screens
• Discussions about patients must not take place in public areas of the practice
• When talking to a patient on the telephone or in person in a public area, sensitive information must not be overheard by other patients
• Messages about a patient’s care must not be left with third parties or left on answering machines. A message to call the practice is all that can be left
• Recall cards and other personal information must be sent in an envelope
• Identifiable information about patients must not be discussed with anyone outside of the practice including relatives or friends
• Demonstrations of the practice’s administrative/computer systems must not involve actual patient information
• Information about a patient’s appointment must not be given to third parties – for example, schools and employers – unless the patient has given consent
• Appointment books, record cards or other information must not be disclosed to police officers or HM Revenue and Customs officials without instruction by the responsible dentist.
If, after investigation, we find that you have breached patient confidentiality or have failed to follow this policy, you may be liable to summary dismissal in accordance with the practice disciplinary policy. A copy of the disciplinary policy is available on the computer shared drive.
Upon termination of your employment or contract for services, you must respect the confidentiality of all personal information held by the practice. You must not knowingly obtain or disclose personal data without the consent of Dr Emma Arnold. If the practice believes that you have done so, we will inform the Office of the Information Commissioner; you may, as a consequence, be prosecuted by the Commissioner or the Director of Public Prosecutions.
DATA PROTECTION POLICY
This Data Protection Policy is the overarching policy for data security and protection for May House Dental Practice.
The purpose of the Data Protection Policy is to support the 7 Caldicott Principles, the 10 Data Security Standards, the General Data Protection Regulation (2016), the Data Protection Act (2018), the common law duty of confidentiality and all other relevant national legislation. We recognise data protection as a fundamental right and embrace the principles of data protection by design and by default.
This policy covers:
• Our data protection principles and commitment to common law and legislative compliance;
• Procedures for data protection by design and by default.
Scope: This policy includes in its scope all data which we process either in hardcopy or digital copy; this includes special categories of data. It applies to all staff, including temporary staff and contractors.
Principles: We will be open and transparent with service users and those who lawfully act on their behalf in relation to their care and treatment. We will adhere to our duty of candour responsibilities as outlined in the Health and Social Care Act 2012.
We will establish and maintain policies to ensure compliance with the Data Protection Act 2018, Human Rights Act 1998, the common law duty of confidentiality, the General Data Protection Regulation and all other relevant legislation.
We will establish and maintain policies for the controlled and appropriate sharing of service user and staff information with other agencies, taking account of all relevant legislation and citizen consent.
Where consent is required for the processing of personal data we will ensure that informed and explicit consent will be obtained and documented in clear, accessible language and in an appropriate format. The individual can withdraw consent at any time through processes which have been explained to them and which are outlined in our Record Keeping Policy. We ensure that it is as easy to withdraw as to give consent.
We will undertake annual audits of our compliance with legal requirements.
We acknowledge our accountability in ensuring that personal data shall be:
• Processed lawfully, fairly and in a transparent manner;
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
• Accurate and kept up to date;
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
• Processed in a manner that ensures appropriate security of the personal data.
We uphold the personal data rights outlined in the GDPR:
• The right to be informed;
• The right of access;
• The right to rectification;
• The right to erasure;
• The right to restrict processing;
• The right to data portability;
• The right to object;
• Rights in relation to automated decision making and profiling.
In line with legislation we employ a Data Protection Officer (DPO) who will report to the highest management level of the organisation. We will support the DPO with the necessary resources to carry out their tasks and ensure that they can maintain expertise. We guarantee that the DPO will not be pressured on how to carry out their tasks, and that they are protected from disciplinary action when carrying out the tasks associated with their role.
This policy is underpinned by the following:
• Record Keeping Policy
• Business Continuity Plan
• Access to Information Policy
• Information Security (Card Transactions) Policy
Data protection by design & by default: We shall implement appropriate organisational and technical measures to uphold the principles outlined above. We will integrate necessary safeguards into any data processing to meet regulatory requirements and to protect individuals’ data rights. This implementation will consider the nature, scope, purpose and context of any processing and the risks to the rights and freedoms of individuals caused by the processing.
We shall uphold the principles of data protection by design and by default from the beginning of any data processing and during the planning and implementation of any new data process.
Any new high-risk data processing activities will be assessed using a Data Privacy Impact Assessment (DPIA) before the processing commences.
All new systems used for data processing will have data protection built in from the beginning of the system change.
All existing data processing has been recorded on our Record of Processing Activities. Each process has been risk assessed and is reviewed annually.
We ensure that, by default, personal data is only processed when necessary for specific purposes and that individuals are therefore protected against privacy risks.
In all processing of personal data, we use the least amount of identifiable data necessary to complete the work it is required for and we only keep the information for as long as it is required for the purposes of processing or any other legal requirement to retain it.
Responsibilities: Our designated Data Protection Lead is the practice manager. The key responsibilities of the lead are:
• To ensure the rights of individuals in terms of their personal data are upheld in all instances and that data collection, sharing and storage is in line with the Caldicott Principles;
• To define our data protection policy and procedures and all related policies, procedures and processes and to ensure that sufficient resources are provided to support the policy requirements;
• To complete the Data Security & Protection Toolkit (DSPT) annually and to maintain compliance with the DSPT;
• To monitor information handling to ensure compliance with law, guidance and the organisation’s procedures, and to liaise with the Senior Information Risk Owner (SIRO) to fulfil this work.
Our designated Data Protection Officer (DPO) is Emma Coll. The key responsibilities of the DPO are:
• Overseeing changes to systems and processes;
• Monitoring compliance with the GDPR and DPA18;
• Reporting on data protection and compliance with legislation to senior management;
• Liaising, if required, with the Information Commissioner’s Office (ICO).
Our Senior Information Risk Owner (SIRO) is Dr Emma Arnold. The key responsibilities of the SIRO are:
• To manage, assess and mitigate the information risks within our organisation;
• To represent all aspects of information and data protection and security to senior management and drive engagement in data protection at the highest levels of the organisation.
National data opt-out: Any new disclosure requests will be assessed to identify if they qualify for inclusion in the National Data Opt-Out service. These would be for research and planning purposes only, identified by NHS numbers.
DATA PROTECTION PRIVACY NOTICE
In providing your dental care and treatment, we will ask for information about you and your health. Occasionally, we may receive information from other providers who have been involved in providing your care. This privacy notice describes the type of personal information we hold, why we hold it and what we do with it.
We are May House Dental Practice, operating at 4 Cadewell Lane, Torquay TQ2 7AG.
Dr Emma Arnold is responsible for keeping secure the information about you that we hold.
Those at the practice who have access to your information include dentists and other dental professionals involved with your care and treatment, and the reception staff responsible for the management and administration of the practice.
Our data protection officer, Emma Coll, ensures that the practice complies with data protection requirements so that we collect, use, store and dispose of your information responsibly. You can contact Emma Coll by email at firstname.lastname@example.org or by phone on 01803 612525.
Information that we hold
We can only keep and use information for specific reasons set out in the law. If we want to keep and use information about your health, we can only do so in particular circumstances. Below, we describe the information we hold and why, and the lawful basis for collecting and using it.
We hold personal information about you including your name, date of birth, national insurance number, NHS number, address, telephone number and email address. This information allows us to fulfil our contract with you to provide appointments. We will also use the information to send you reminders and recall appointments as we have a legitimate interest to ensure your continuing care and to make you aware of our services.
We hold information about your dental and general health, including:
• Clinical records made by dentists and other dental professionals involved with your care and treatment
• X-rays, clinical photographs, digital scans of your mouth and teeth, and study models
• Medical and dental histories
• Treatment plans and consent
• Notes of conversations with you about your care
• Dates of your appointments
• Details of any complaints you have made and how these complaints were dealt with
• Correspondence with you and other health professionals or institutions.
We collect and use this information to allow us to fulfil our contract with you to discuss your treatment options and provide dental care that meets your needs. We also use this information for the legitimate interest of ensuring the quality of the treatment we provide.
We hold information about the fees we have charged, the amounts you have paid and some payment details. This information forms part of our contractual obligation to you to provide dental care and allows us to meet legal financial requirements.
Where your dental care is provided under the terms of the NHS, we are required to complete statutory forms to allow payments to be processed. This is an NHS requirement.
How we use your information
To provide you with the dental care and treatment that you need, we require up-to-date and accurate information about you.
If you are an NHS patient we will share your information with the NHS in connection with your dental treatment.
We may contact you to conduct patient surveys or to find out if you are happy with the treatment you received for quality control purposes.
We will seek your preference for how we contact you about your dental care. Our usual methods are telephone, email or letter.
If we wish to use your information for dental research or dental education, we will discuss this with you and seek your consent. Depending on the purpose and if possible, we will anonymise your information. If this is not possible we will inform you and discuss your options.
We have CCTV at the practice for the purposes of patient and staff safety. Please see our CCTV policy for further details.
Your information is normally used only by those working at the practice but there may be instances where we need to share it – for example, with:
• The hospital or community dental services or other health professionals caring for you
• Specialist dental or medical services to which we may refer you
• NHS payment authorities
• The Department for Work and Pensions and its agencies, where you are claiming exemption or remission from NHS charges
• Debt collection agencies
• Private dental schemes of which you are a member.
We will only disclose your information on a need-to-know basis and will limit any information that we share to the minimum necessary. We will let you know in advance if we send your medical information to another medical provider and we will give you the details of that provider at that time.
In certain circumstances or if required by law, we may need to disclose your information to a third party not connected with your health care, including HMRC or other law enforcement or government agencies.
National data opt-out policy (for NHS patients only)
May House Dental Practice is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service (A&E or community care services, for example), personal information is collected and stored on your patient record to ensure that you receive the best and most appropriate care and treatment. The information collected can also be used by and provided to other organisations for purposes beyond your individual care, for example, to provide better health and care for you, your family and future generations by:
• Improving the quality and standards of care provided
• Research into the development of new treatments
• Preventing illness and diseases
Information about your health and care is confidential and can only be used where allowed by law. Mostly, information used for research and planning is anonymised so that you cannot be identified; your confidentiality is maintained.
You can choose whether you want your confidential information to be used in this way. If you are happy with this use of your information, you do not need to do anything. If you wish to opt out, your confidential information will be used only to support your individual care.
You can register your choice and find out more at nhs.uk/your-nhs-data-matters – including:
• What is meant by ‘confidential patient information’
• Examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• The benefits of sharing data and who uses it
• How your data is protected
• Situations where opt-out will not apply
You can change your choice at any time.
Your information will not be shared with insurance companies or used for marketing purposes without your specific agreement.
Keeping your information safe
We store your personal information securely on our practice computer system and in a manual filing system. Your information cannot be accessed by those who do not work at the practice; only those working at the practice have access to your information. They understand their legal responsibility to maintain confidentiality and follow practice procedures to ensure this.
We take precautions to ensure security of the practice premises, the practice filing systems and computers.
We use high-quality specialist dental software to record and use your personal information safely and effectively. Our computer system has a secure audit trail and we back up information routinely.
We use cloud computing facilities for storing some of your information. The practice has a rigorous agreement with our provider to ensure that we meet the obligations described in this policy and that we keep your information securely.
We keep your records for 10 years after the date of your last visit to the practice or until you reach the age of 25 years, whichever is the longer. At your request, we will delete non-essential information (for example some contact details) before the end of this period.
Access to your information and other rights
You have a right to access the information that we hold about you and to receive a copy. We do not usually charge you for copies of your information; if we pass on a charge, we will explain the reasons.
You can also ask us to:
• Correct any information that you believe is inaccurate or incomplete. If we have disclosed that information to a third party, we will let them know about the change.
• Erase some of the information we hold. For legal reasons, we may be unable to erase certain information (for example, information about your dental treatment). However, we can, if you ask us to, delete some contact details and other non-clinical information.
• Stop using your information – for example, sending you reminders for appointments or information about our service. Even if you have given us consent to send you marketing information, you may withdraw that consent at any time.
• Stop using information if you believe the information is inaccurate or you believe we are using your information illegally.
• Supply your information electronically to another dentist.
If we are relying on your consent to use your personal information for a particular purpose, you may withdraw your consent at any time and we will stop using your information for that purpose.
All requests should be made to our data protection officer at email@example.com or by post to the address above.
If you do not agree
If you do not wish us to use your personal information as described, you should discuss the matter with your dentist. If you object to the way that we collect and use your information, we may not be able to continue to provide your dental care.
If you have any concerns about how we use your information and you do not feel able to discuss it with your dentist or anyone at the practice, you should contact the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (0303 123 1113 or 01625 545745).