PROSIECT 1
The practice is committed to complying with the requirements of the legislation governing patient confidentiality including: Access to Health Records 1990, Caldicott Guidelines 1997, Confidentiality Code of Practice 1998, Data Protection Act 2018
and the current GDC Standards.
For the purpose of this policy, confidential information is defined as all the information that is learnt in a professional role including personal details, medical history, what treatment a patient is having and how much it costs. The definition of personal details includes, but is not limited by, such details as name, age, address, personal circumstances, race, health, sex and sexual orientation, etc. Note that even the fact that a patient attends the practice is confidential. Confidential information may be supplied or stored on any medium including images, videos, health records, and computer records or may be transmitted verbally.
All staff members must be aware of their responsibilities for safeguarding patient confidentiality and keeping information secure and must have received appropriate training on the legislation requirements and the current GDC Standards to ensure that:
- No personal information given or received in confidence is passed on to anyone else without the patient's prior consent. To obtain consent a patient is advised what information will be released and why and the likely consequences of the information release. The patient is given an opportunity to withhold their permission to share information, unless exceptional circumstances apply, and record is made on their notes of whether or not they gave their permission.
- If a patient consents to sharing information about them the team member will ensure that all recipients of the information understand that it is confidential.
- If a patient’s information or images are used for research or marketing the team member will advise the patient how these will be used, check that the patient understands what s/he is agreeing to, obtain and record the patient’s consent to their use and only release the minimum information for the purpose. The patient will be advised that s/he can withdraw permission at any time.
- If it is not necessary for a patient to be identified, they will remain anonymous in any information released.
- The duty to keep information confidential also covers originals and copies of a patient's photographs, videos or audio recordings, including those made on a mobile phone. No images or recordings will be made without the patient's
permission
- Patient information is kept confidential even after death Before releasing information without the patient’s permission, an effort is always made to either convince the patient to release the information himself or herself or give the practice permission to do so, with the details of the discussion fully documented in the patient record. If obtaining consent from a patient is not practical or appropriate or if the patient will not give their permission, the team member will obtain advice from their professional indemnity organisation before releasing it.
A patient’s information will only be released without their prior permission in the following exceptional circumstances:
- It is in the best interests of the public or the patient and the information released could be important in preventing or detecting a serious crime.
- If a team member has information that a patient could be at risk of significant harm or may be a victim of abuse, in which case the appropriate care agencies or the police will be informed.
- If a team member is required to disclose information by a court or a court order, in which case only the minimum amount of information necessary to comply will be released.
The practice treats breaches of confidentiality very seriously. No team member shall knowingly misuse any confidential information or allow others to do so. Failure to comply with this policy may result in disciplinary action.
​
Date: September 2025
Review date: September 2026
PROSIECT 1
The practice may be asked to disclose information, documents, or records that we hold. Requests for personal information are made under the data protection legislation and under the freedom of information legislation for information about the
NHS services provided by the practice.
Requests should be passed to The practice manager for personal information or for information about the practice that is not included in the practice information leaflet.
​
Requests for personal information
What is Personal Information? - Personal information is any information that allows a person to be identified. This includes information where the person is not named but a cross-reference to other information held by the practice would allow identification.
Date protection legislation allows individuals to request access to their personal information. Those eligible to request access include:
​
-
A person aged 16 years or older
-
The parents or guardians of a child under the age of 16 years and in connection with the health and welfare needs of the child
-
A child under the age of 16 years who has the capacity to understand the information held by the practice. Children aged 11 years and under are deemed too young
-
A third party, such as a solicitor, who has the written consent of individual concerned – checks should be undertaken to ensure that the consent is genuine – for example, by checking the patient’s signature or contacting the patient directly to confirm that they have given consent for the information to be disclosed.
​
If a request concerns information about a deceased person, those eligible to request access include:
​
-
The administrator or executor of the deceased person’s estate
-
A person who has a legal claim arising from the person’s death – the next of kin, for example. The person should explain why the information requested is relevant to their claim.
​​
If the information requested includes information about third parties, it can be disclosed if the third party gives consent or is a health professional involved in the care of the patient.
​
The request
All requests must be made in writing and describe the type of information required with dates, if possible, and include sufficient information to ensure correct identification (name, address, date of birth, for example). You must check that the
person asking for information has the right to do so and, if necessary, ask for proof of identity.
​
We will provide the requested information within one month of receiving the request or confirming the individual’s identity.
​
The information
We will usually provide the information requested in electronic form using secure means, unless the individual asks for the information in paper format or otherwise agreed. The individual may also come to the practice to view the original version
under supervision and on practice premises.
​
We will provide the information in a way that can be understood by the individual making the requests and may need to provide an explanation to accompany dental clinical notes.
​
Unfounded or excessive requests
Where requests are manifestly unfounded or excessive (particularly if they are repetitive), we can:
​
-
Charge a reasonable fee taking into account the administrative costs of providing the information; or
-
Refuse to respond.
​
If we refuse to respond to a request, we will explain the reasons and informing the individual of their right to complain to the Information Commissioner’s Office and to a judicial remedy.
​
Requests for information about the practice
Freedom of information legislation allows anyone to ask for information about the provision of NHS services. The available information is described fully in the practice guide to information available under FOIA and the model publication scheme. If the requested information is part of a larger document, we will disclose only the relevant part.
A freedom of information request cannot include clinical records or financial records.
​
The request
The request must be made in writing and should describe the information that they want and with dates, if possible. The individual making the request does not have to give a reason.
​
The charges for information provided under a freedom of information request are included in the practice guide and the model publication scheme
​
We will provide Information within 20 working days of receiving the request or confirmation of identity or, if applicable, from the receipt of the fee.
​
[England, Wales and Northern Ireland only: it may be possible to extend this timescale if we need more information about the request or are taking legal advice on whether an exemption applies. We must inform the person making the request if we need to extend the 20-working-day deadline.]
​
The information
Most of the information covered by a freedom of information request is available in the practice information leaflet or on the practice website. Requests for other information should be referred to the practice managermr. If we do not hold the
information requested, we will inform the individual within the 20-working-day time limit.
We will provide information in a way that is convenient for the person who requested it, which may be in writing, by allowing the applicant to read it on the premises, or, if the information is held electronically, in a useable electronic format.
We are not required to respond to
-
Vexatious requests for information, for example, requests that are designed to cause inconvenience, harassment, or expense.
-
Repeated requests for the same or similar information (unless the information
changes regularly, for example performance or activity information)
In either situation, you should seek advice from the practice manager.
​
Date: September 2025
Review date: September 2026
​
NB: This policy was taken from the BDA
PROSIECT 1
WE WILL KEEP YOUR RECORDS SAFE
This dental practice complies with the Data Protection Act (2018) and General Data Protection Regulations (GDPR) 2018. This means that we will ensure that your information is processed fairly and lawfully.
WHAT PERSONAL INFORMATION DO WE NEED TO HOLD?
-
Past/current medical and dental history, personal information such
as address, phone numbers, age and name of your GP.
-
Details of your NHS number and healthcare treatment entitlement.
-
Details of your exemption status if applicable.
-
X-rays, clinical photographs and study models.
-
Treatment plans and correspondence regarding treatment we have
provided or proposed plus its costs.
-
Notes of conversations or incidents that might occur for which a
record needs to be kept.
-
Consent of treatment.
-
Any correspondence relating to you with other health care
professionals ie: hospitals or community services.
​
WHY DO WE HOLD THIS INFORMATION?
We keep accurate personal data in order to provide you with safe and appropriate dental care. If providing care under the NHS, we also need to process personal data to ensure proper management and administration of the NHS.
​
RETAINING INFORMATION
We will retain your dental records, study models and X-rays while you are a patient of this practice and for eleven years or until the age of 25yrs (whichever is longer) once you cease to be a patient.
​
SECURITY
We hold your information on our computer system or in a secure manual filing system. Information is only accessible to authorised personnel. Information will not be removed for the practice with the patients consent. Personal information is carefully protected and all access is held securely and passwords are changed regularly. Data is encrypted and computers are closed if unattended.
​
TIMES WE MAY NEED TO DISCLOSE YOUR INFORMATION
In order to provide proper and safe dental care to:
-
Your GP
-
Hospital or Community dental service
-
Other health professionals caring for you
-
NHS payment authorities
-
Inland Revenue
-
Private dental schemes of which you’re a member
-
Benefits Agency (where you are claiming exemption or remission
from NHS charges)
​
We will only release information on a need-to-know basis and only to those individuals/organisations who need to know, to provide care for you and for the proper administration of government. Only information that the recipient needs to know will be disclosed.
In very limited circumstances or when required by law or a court order, personal data may have to be disclosed to a third party not connected with your health care. In all other situations disclosure is not covered by this disclosure and will only occur with your consent. Where possible you will be informed of any requests for disclosure.
​
IF YOU DO NOT AGREE
If you do not wish us to use your information, you should discuss the matter with your dentist or the practice manager. If you object to the way we collect and use the information, we may not be able to continue to provide your dental care.
​
If you have any concerns about how we use the information and your do not feel able to discuss it with your dentist or the practice owner, you should contact The Information Commissioners Office (ICO), Wycliffe
House, Water Lane, Wilmslow, Cheshire SK9 5AF Tel: 0303 123 1113 or 01625 545745.
​
Date: September 2025
Review date: September 2026
PROSIECT 1
This dental practice holds and maintains information about the business and its patients that is necessary for the efficient running of the practice and the effective provision of dental care. This policy describes the information that must be kept, how it must be stored, archived and disposed of to ensure that the practice complies with the requirements of data protection legislation.
The practice Confidentiality policy describes the need for all members of the dentalteam to keep patient information confidential and practice procedures for handling information about patients; it must be followed always. The arrangements for keeping information safe are described in the practice Data security policy, which includes the measures for physical and electronic security.
The practice Privacy Notice for patients helps them understand how the practice uses and protects their personal information.
Retaining information
Information about the business and its patients is kept for no longer than required.
-
Patient records are maintained and kept up to date while the individual remains a practice patient. When they cease to be a patient of the practice, their records are retained for ten years following their last visit to the practice or until age of 25, whichever is the longer.
-
Personnel and associate records are maintained and kept up to date whilst the individual works at the practice as an employee or self-employed contractor. Following their departure from the practice their records are retained for six years from the date of leaving the practice. Records relating to workplace accidents or injuries are retained indefinitely. Records for associates are kept for up to eight years.
-
Financial records are retained for at least six years.
-
Business records, including contracts with suppliers, are retained for at least six years.
Secure storage
All members of the team must protect information held by the practice and store itsecurely. Information is only accessed on a need-to-know basis: where it is necessary to carry out required tasks; in the delivery of care to patients; or upon the
direct instruction of a senior person within the practice.
For records held electronically, access is password protected and restricted to those who, as part of their work duties, require the information. Electronic records are regularly backed-up daily overnight by our computer company onto a cloud based storage.
Non-electronic (paper) records are stored in a location that is not accessible to patients, visitors to the practice or other members of the public. To ensure that patient record cards, financial information and personnel records are stored securely they must be kept in lockable cabinets at the end of each working day and the keys
retained by the practice manager and practice owner.
Patient record cards are stored securely in locked cabinets. Financial information and personnel records are stored securely in the practice office – locked away.
Archiving records
Where records need to be retained but are no longer required on a day-to-day basis, they are archived and stored securely. Records will be stored in a way that ensures easy identification and retrieval. The final decision on archiving information is taken by the practice owner.
Electronic records that need to be retained but are not required on a day-to-day basis are, in the first instance, archived within the IT system. Where electronic storage space is at or near capacity, archived electronic data will be copied onto a
suitable electronic format with copies stored securely at the practice premises and off-site.
The practice has systems for reviewing archived information that is no longer needed. We have set months every year where we review how long the patients have been archived and prepare them for incineration.
Secure disposal of old records
Records that are no longer required are disposed of securely by shredding, pulping or incineration. The services of a professional contractor will be used where necessary; a certificate of confidential destruction is obtained and retained by the practice as evidence of DPA compliance.
Patient study models are disposed of as soon as they are no longer required, and at the latest at the same time as the records associated with the patient are disposed of. This is completed by gysum retainer waste by our clinical waste company.
Records held electronically and backups of electronic information are disposed of using the secure deletion option on the practice computer system. We archive the patients on the systems for 11 years or up to 25 years of age if a child. They are then deleted permanently from our electronic system. The final decision on disposing of records will be taken by the practice owner.
​
Date: September 2025
Review date: September 2026
​
NB: This policy is a BDA policy