Keep a close watch on patient data

What happened?

The Information Commissioners Office (ICO) visited 21 dental practices between June 2014 and June 2015 and has published a report of its findings.

What did the report say?

In summary, it found that:

• Individual named dentists are not always registering with the ICO when they should, mistakenly thinking that the practice registration is sufficient. Various scenarios are identified when individual dentists are likely to be “data controllers” who need to register with the ICO separately from the practice. For example, if a dentist keeps their patient list separately from the practice in which they treat patients, they might be a data controller.
• Although information security in most of the practices visited was “fairly good”, there were some areas where dentists “struggled”. For example, it was found that arrangements with third parties (such as IT contractors) were not sufficiently robust from an information security perspective. There was also evidence that “some of the risks of new technologies, such as working on mobile and personal devices, are not being appropriately controlled”.
• Retention periods for records were not always clear. The ICO recommends that practices (and individual dentists where applicable) have policies which clearly set out when records, both physical and electronic, should be destroyed. The ICO has published guidance on deleting personal data.

The full report has been published on the ICO website.

What does this mean for me?

Information security is important for dental practices, particularly bearing in mind the potentially sensitive nature of patient information.

With the recent ICO visits in mind, practices should look again at their arrangements to check that they are in line with relevant regulations.

How can I find out more?

For further information on how this may affect your practice, please get in touch.