7.7 Confidentiality Code of Practice.
The Department of Health published the policy document “Confidentiality: Code of Practice” in November 2003 with the expectation that it will be applied across the NHS. This Code of Practice is an updated version of the Department of Health Policy Document. It has been developed to ensure that all staff, volunteers and external contractors are clear about the expectations of the PCT whilst working on behalf of the PCT.
All staff, volunteers and external contractors are required to comply with the Confidentiality: Code of Practice (the code) published by the Department of Health in November 2003.
There is an expectation that all NHS staff will act legally and within the standards published within this code and within the confidentiality framework.
A full copy of the Department of Health Confidentiality: Code of Practice is available upon request to the Site Manager or Lead Dental Nurse.
All staff, volunteers, students and external contractors have a common law (legal obligation) duty of confidence that is derived from case law and is specified within NHS employment contracts. This common law duty of confidence applies for the rest of your life and continues after you have left the NHS.
Protecting patient information.
Standard 1: Recognising that confidentiality is an obligation for all staff, external contractors and volunteers.
All staff, external contractors and volunteers are subject to the common law of confidentiality. Breach of confidence or inappropriate use of health records or computer systems may lead to disciplinary action and possibly result in legal proceedings.
Standard 2: Recording patient information accurately and consistently.
Maintaining proper records is vital to patient care. If records are inaccurate, future decisions may be wrong and harm the patient. The information may be needed for treatment of patients, clinical incident investigations, clinical audit and future research.
Standard 3: Keeping private information private.
You have an obligation not to disclose confidential patient information to anyone. It may be pertinent to discuss particular cases with your colleagues for professional reasons (to gain advice, share experience and knowledge) but care must be taken to ensure that others do not overhear these conversations. Generally there is no need to identify the patient concerned.
Standard 4: Keeping patient information physically and electronically secure.
This covers both manual and electronic records. You should not leave any patient identifiable information in unattended cars or easily accessible areas; this includes portable computers, medical notes and diaries. You should not normally take records home and where this cannot be avoided, agreement from your line manager should be sought and procedures should be in place to safeguard this information.
Standard 5: Disclosing information with appropriate care.
- Follow established information sharing protocols
- Identify enquirers, so that information is only shared with the appropriate people
Before giving out any information you should check that any callers, by telephone or in person, are who they say they are and have legitimate access to the information, and establish what the information is to be used for.
Where the disclosure is to a carer in relation to a minor it is important to establish who holds parental responsibility as they are the only person who can consent to information being divulged.
- Ensure that appropriate standards are applied in respect of emails, faxes and surface mail.
Care must be taken when transmitting patient information both electronically and manually. For example, marking emails as confidential, tagging email delivery, and ensuring the recipient fax is in a secure environment and that the recipient is waiting for collection.
- Share the minimum information necessary to provide safe care or satisfy other purposes.
There is a clear balance against the need to provide safe care where missing information could be dangerous. It is important to consider how much information is needed before disclosing it.
Under common law, staff are permitted to disclose information in order to prevent and support detection, investigation and punishment of serious crime and/or to prevent abuse or serious harm to others.
Standard 6: Check that patients have seen the available information leaflets.
Where information leaflets, posters and other materials about confidentiality are available, encourage and support patients to access and understand them.
Standard 7: Make clear to patients when information is recorded or health records are accessed.
This should occur naturally as part of the patient’s treatment and need no more than comments such as ‘let me make a note in your file’.
Standard 8: Make clear to patients when information is or may be disclosed to others.
Patients do not necessarily understand how NHS and related agencies share information. Staff must ensure that patients know when information is disclosed more widely, for example in a referral letter.
There are certain acts of parliament or court orders that require disclosure; advice should be sought from PCT management when this is necessary.
Standard 9: Check that patients are aware of the choices available in respect of how their information may be used or shared.
Within the boundaries of the law (see standard 8) patients have a right to choose whether or not to agree to information that they have provided in confidence being shared beyond the purposes for which it was provided. There are exceptions to this: where statute law requires or permits disclosure, to prevent and support detection, investigation and punishment of serious crime and/or to prevent abuse or serious harm to others.
Standard 10: Check that patients have no concerns or queries about how their information is used.
It is important that patients feel free to raise any queries or concerns. If information being recorded is particularly sensitive, you should be explicit about what information is being recorded, and ask the patient directly if he or she is happy with that information being shared.
Standard 11: Answer any queries personally or direct patients to others who can answer their queries or other sources of information.
It is much better for patients if their concerns can be addressed immediately, but if you feel you cannot answer the questions or do not have all the information you need, the patient should be referred to the PALS service.
Standard 12: Respect the right of patients to have access to their health records.
Patients have a right to see and/or have copies of their health records. Applications to see health records should be directed to the PALS service. If you do decide to show the patient their health record you must ensure it does not compromise another patient’s or carer’s confidentiality.
Standard 13: Communicate effectively with patients to help them understand.
It is important to recognise the different communication needs of particular groups of patients. Difficulty in communicating does not remove your obligation to help people understand. The PCT has access to an interpretation service; information is available from the PALS office.
Standard 14: Ask patients before using their personal information in ways that do not directly contribute to, or support the delivery of care.
Where information about patients is required, but does not satisfy the tests of necessity, the information should be anonymised.
Activities to support the delivery of care include clinical audit and incident investigations.
Standard 15: Respect patients’ decisions to restrict the disclosure and/or use of information.
In some cases, it may not be possible to restrict information disclosure without compromising care. This requires careful discussion with the patient, but ultimately the patient’s choice must be respected. All decisions taken by patients must be recorded in the patients’ health record.
Standard 16: Explain the implications of disclosing and not disclosing.
To enable patients to make an informed choice they must be informed of the options and the risks of making the choice. Where patients insist on restricting information it should be documented in the patients’ health record.
Standard 17: Be aware of the issues surrounding confidentiality, and seek training or support where uncertain in order to deal with them appropriately.
Ignorance is not an excuse; you must be aware of the basic requirements (set out in this agreement). You can gain further information and training by accessing the PCT Training and Education Programme. Where immediate support is required you should contact the Assistant Director for Quality Improvement or Assistant Director for Risk Management at PCT Headquarters for advice. For support outside of normal working hours you should use the PCT On Call Procedure.
Standard 18: Report possible breaches or risk of breach.
If you identify possible breaches or risk of breaches you must report these to your line manager and complete an incident reporting form (see Incident Reporting Procedure).
Further advice on the content of this Code of Practice should be sought in the first instance from the PCT Clinical Governance Team.
A full copy of the Confidentiality NHS Code of Practice can be found at:
7.8 Practice data security policy.
This Dental Practice is committed to ensuring the security of personal data held by the practice. This objective is achieved by every member of the practice team complying with this policy.
Confidentiality (see also the practice confidentiality policy).
- All staff employment contracts contain a confidentiality clause.
- Access to personal data is on a “need to know” basis only. Access to information is monitored and breaches of security will be dealt with swiftly by their Site Manager or Lead Dental Nurse.
- We have procedures in place to ensure that personal data is regularly reviewed, updated and deleted in a confidential manner when no longer required. For example, we keep patient records for at least 11 years or until the patient is aged 25 – whichever is the longer.
Physical security measures.
- Personal data is only taken away from the practice premises in exceptional circumstances and when authorised by their Site Manager or Lead Dental Nurse. If personal data is taken from the premises it must never be left unattended in a car or in a public place.
- Records are kept in a lockable cabinet, which is not easily accessible by patients and visitors to the practice.
- Efforts have been made to secure the practice against theft by, for example, the use of intruder alarms, lockable windows and doors.
- The practice has in place a business continuity plan in case of a disaster. This includes procedures set out for protecting and restoring personal data.
Information held on computer.
- Appropriate software controls are used to protect computerised records, for example the use of passwords and encryption. Passwords are only known to those who require access to the information, are changed on a regular basis and are not written down or kept near or on the computer for others to see.
- Daily and weekly back-ups of computerised data are stored on a server.
- Staff using practice computers will undertake computer training to avoid unintentional deletion or corruption of information.
- Dental computer systems all have a full audit trail facility preventing the erasure or overwriting of data. The system records details of any amendments made to data, who made them and when.
- Precautions are taken to avoid loss of data through the introduction of computer viruses.
This statement has been issued to existing staff with access to personal data at the practice and will be given to new staff during induction. Should any staff have concerns about the security of personal data within the practice they should contact their Site Manager or Lead Dental Nurse.
7.9 Practice data protection code of practice for patients.
Keeping your records.
This practice complies with the 1998 Data Protection Act and this policy describes our procedures for ensuring that personal information about patients is processed fairly and lawfully.
What personal data do we hold?
To provide you with a high standard of dental care and attention, we need to hold personal information about you. This personal data includes:
- Your past and current medical and dental condition; personal details such as your age, National Insurance number/NHS number, address, telephone number and your general medical practitioner.
- Radiographs, clinical photographs and study models.
- Information about the treatment that we have provided or propose to provide and its cost.
- Notes of conversations/incidents about your care, for which a record needs to be kept
- Records of consent to treatment.
- Correspondence with other health care professionals relating to you, for example in the hospital or community services.
Why do we hold information about you?
We need to keep comprehensive and accurate personal data about our patients in order to provide them with safe and appropriate dental care. We also need to process personal data about you in order to provide care under NHS arrangements and to ensure the proper management and administration of the NHS.
How we process the data.
We will process personal data that we hold about you in the following way:
We will retain your dental records while you are a practice patient and after you cease to be a patient, for at least eleven years or, for children, until age 25, whichever is the longer.
Security of information.
Personal data about you is held in the practice’s computer system and/or in a manual filing system. The information is not accessible to the public; only authorised members of staff have access to it. Our computer system has secure audit trails and we back up information routinely.
Disclosure of information.
To provide proper and safe dental care, we may need to disclose personal information about you to:
- Your general medical practitioner.
- The hospital or community dental services.
- Other health professionals caring for you.
- NHS payment authorities.
- The Inland Revenue.
- The Benefits Agency, where you are claiming exemption or remission from NHS charges.
- Private dental schemes of which you are a member.
Disclosure will take place on a ‘need-to-know’ basis. Only those individuals/organisations who need to know in order to provide care to you – or in order to ensure the proper administration of Government (whose personnel are covered by strict confidentiality rules) – will be given the information. Only the information that the recipient needs to know will be disclosed.
In very limited circumstances or when required by law or a court order, personal data may have to be disclosed to a third party not connected with your health care. In all other situations, disclosure that is not covered by this Code of Practice will only occur when we have your specific consent.
Where possible you will be informed of these requests for disclosure.
You have the right of access to the data that we hold about you and to receive a copy. Access may be obtained by making a request in writing and the payment of a fee of up to £10 (for records held on computer) or £50 (for those held manually or for computer-held records with non-computer radiographs). We will provide a copy of the record within 40 days of receipt of the request and fee (where payable) and an explanation of your record should you require it.
If you do not agree.
If you do not wish personal data that we hold about you to be disclosed or used in the way that is described in this Code of Practice, please discuss the matter with your dentist. You have the right to object, but this may affect our ability to provide you with dental care.
GENERAL STATEMENT OF POLICY
Our Practice is committed to providing high quality dentistry. As such, it must ensure that it is committed to protecting the rights and privacy of individuals in accordance with the Data Protection Act 1998.
This policy will be kept up to date, particularly as changes occur within the practice. To ensure this, the policy and the way in which it has operated will be reviewed every year.
The Practice is committed to protecting the rights and privacy of individuals in accordance with the Data Protection Act 1998. Care Dental processes information about its staff, patients and other individuals it has dealings with for a range of administrative purposes (e.g. to recruit and pay staff, comply with legal obligations to funding bodies and government). In order to comply with the law, information about individuals must be collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully.
All “processing” of personal data (which includes collection, holding, retention, destruction and use of personal data) is governed by the Data Protection Act 1998. The Act applies to all personal data – whether they are held on a computer or similar automatic system or whether they are held as part of a manual file. Personal data is defined as information relating to an identifiable living individual and can be held in any format, electronic (including websites and emails), paper-based, photographic etc. from which the individual’s information can be readily extracted.
Under the 1998 Act, all organizations which process personal information are required to notify the Information Commissioner’s Office. Our Data Protection Policy describes the various types of processing of personal information and defines the persons or bodies to which the information may be disclosed. Our Data Protection registration number is:
It is an offence to process personal data except in strict accordance with the eight principles of data protection and the rights of data subjects. Further information on the Data Protection Act can be found at http://www.dataprotection.gov.uk/. Failure to comply with the Data Protection Act could result in the prosecution not only of the Dental Practice but also of the individual concerned.
Data subjects (that is persons about whom such data is held) may also sue for compensation for damage and any associated distress suffered as a result of:
- loss or unauthorized destruction of data
- unauthorized disclosure of, or access obtained to, data
- inaccurate data – i.e. data which is incorrect or misleading
It follows, therefore, that all staff who are concerned with, or have access to, such data have an obligation to ensure that they are processed according to the eight principles of data protection and the rights of data subjects. This means, among other things, that staff must treat all data carefully and must not disclose personal data to unauthorized persons (this will often include parents of patients).
You are specifically cautioned that the Dental Practice does not authorize any employee or agent of the Dental Practice to hold or process any personal data on its behalf except as required by the Dental Practice. Users of personal data on or away from the surgery (e.g. PC at home or laptop) should consider the legal position before attempting to process personal data.
In cases of doubt or difficulty staff should in the first instance contact the Data controller (Group Partners).
EIGHT DATA PROTECTION PRINCIPLES
- Data must be processed fairly and lawfully.
- Data must be obtained for one or more specified lawful purposes.
- Data shall be adequate, relevant and not excessive.
- Data shall be accurate and where necessary kept up to date.
- Data is not kept longer than is necessary for its purpose.
- Data shall be processed in accordance with subject rights under the Act.
- Appropriate technical and organizational measures shall be taken against unauthorized/unlawful processing, loss, destruction, damage to personal data.
- Data shall not be transferred outside England unless that country/territory ensures adequate level of protection for rights and freedoms of data subjects in relation to the processing of personal data.
DATA SUBJECT RIGHTS
- To make subject access requests regarding the nature of information held and to whom it has been disclosed.
- To prevent processing likely to cause damage or distress
- To prevent processing for purposes of direct marketing
- To be informed about mechanics of automated decision taking process that will significantly affect them
- Not to have significant decisions that will affect them taken solely by automated process
- To take action for compensation if they suffer damage by any contravention of the Act
- To take action to rectify, block, erase or destroy inaccurate data
- To request the Commissioner to assess whether any provision of the Act has been contravened
CONSENT FOR DISCLOSURE OF PATIENT INFORMATION TO THIRD PARTIES
- Patients must be informed as to who and where they will be referred to
- Patients must sign a consent form if information is to be requested from their GP
- Patients must sign a consent form if their images are to be used in training or for any other purpose
BREACH OF THIS POLICY WILL BE TREATED AS GROSS MISCONDUCT
1.1 Records Management is the process by which our practice manages all the aspects of its records whether internally or externally generated and in any format or media type, from their creation, all the way through to their eventual disposal. This policy has been developed in line with the Records Management: NHS Code of Practice to comply with the required standards of practice in the management of records for those who work within or under contract to the NHS. It is based on current legal requirements and professional best practice.
1.2 The Practice’s records are its memory, providing evidence of actions and decisions and supporting its daily functions and operations. The Records Management Policy protects the interests of the Practice and the rights of patients, staff and members of the public. They support consistency, continuity, efficiency and productivity and help deliver our services in consistent and equitable ways. The Practice has adopted a records management policy as it will gain a number of organisational benefits from so doing. These include:
- Better use of physical space,
- Better use of Practice computer space,
- Better use of staff time,
- Improved control of information,
- Compliance with legislation and standards; and
- Reduced costs in the management, storage and ultimately in the destruction of patient records.
2.1 This policy relates to all patient and non-patient records held in any format by the Practice. These include:
- All administrative records including personnel, estates, financial and accounting records, notes associated with complaints; and
- All patient records including patient record cards, x-ray and imaging reports, registers, appointment books and any other records kept which fall into this category.
2.2 The key components of records management are:
- Record creation,
- Record keeping,
- Record maintenance,
- Access and disclosure,
- Closure and transfer;
- Archiving; and
2.3 The term “Records Life Cycle” describes the life of a record from its creation/receipt through the period of its ‘active’ use, then into a period of ‘inactive’ retention (such as closed files which may still be referred to occasionally) and finally either confidential disposal or archival preservation.
2.4 In this policy, “Records” are defined as ‘recorded information, in any form, created or received and maintained by the Practice in the transaction of its business or conduct of affairs and kept as evidence of such activity’.
2.5 “Information” is a corporate asset. The Practice’s records are important sources of administrative, evidential and historical information. They are vital to the Practice to support its current and future operations (including meeting the requirements of Freedom of Information legislation), for the purpose of accountability, and for an awareness and understanding of its history and procedures.
3.1 The aims of our Records Management System are to ensure that:
- Records are available when needed – from which the Practice is able to form a reconstruction of activities or events that have taken place,
- Records can be accessed – records and the information within them can be located and displayed in a way consistent with its initial use, and that the current version is identified where multiple versions exist,
- Records can be interpreted – the context of the record can be interpreted: who created or added to the record and when, during which process, and how the record is related to other records;
- Records can be trusted – the record reliably represents the information that was actually used in, or created by, the business process, and its integrity and authenticity can be demonstrated,
- Records can be maintained through time – the qualities of availability, accessibility, interpretation and trustworthiness can be maintained for as long as the record is needed, perhaps permanently, despite changes of format,
- Records are secure – from unauthorised or inadvertent alteration or erasure, that access and disclosure are properly controlled and audit trails will track all use and changes. To ensure that records are held in a robust format which remains readable for as long as records are required;
- Records are retained and disposed of appropriately – using consistent and documented retention and disposal procedures, which include provision for appraisal and the permanent preservation of records with archival value; and
- Practice staff are trained – so that all staff are made aware of their responsibilities for record-keeping and record management.
4. Roles and Responsibilities
Provider and Performer
4.1 Dr Asmed Nojib and Lee Nightingale have overall responsibility for records management in the Practice and are responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to support service delivery and continuity. Records management is key to this as it will ensure appropriate, accurate information is available as required.
Verne Road Dental Practice
4.2 The Practice has a particular responsibility for ensuring that it corporately meets its legal responsibilities, and for the adoption of internal and external governance requirements.
The Caldicott Guardian
4.2 Dr Asmed Nojib, the Practice’s Caldicott Guardian, has particular responsibility for reflecting patients’ interests regarding the use of patient identifiable information. He is responsible for ensuring patient identifiable information is shared in an appropriate and secure manner.
The Site Manager / Lead Dental Nurse
4.3 The Site Manager / Lead Dental Nurse is responsible for ensuring that this policy is implemented, through the Records Management Strategy, and that the records management system and processes are developed, co-ordinated and monitored.
4.4 The Practice team, as part of its operational responsibility, is responsible for the overall development and maintenance of health records management.
4.6 All staff, whether clinical or administrative, who create, receive and use records have records management responsibilities. In particular all staff must ensure that they keep appropriate records of their work in the Practice and manage those records in keeping with this policy and with any guidance subsequently produced.
All NHS records are Public Records under the Public Records Acts. The Trust will take actions as necessary to comply with the legal and professional obligations set out in the Records Management: NHS Code of Practice, in particular:
- The Public Records Act 1958;
- The Data Protection Act 1998;
- The Freedom of Information Act 2000;
- The Common Law Duty of Confidentiality,
- The NHS Confidentiality Code of Practice,
- Any new legislation affecting records management as it arises
6. Retention and Disposal Schedules
It is a fundamental requirement that all of the Practice’s records are retained for a minimum period of time, for legal, operational, research and safety reasons. The length of time for retaining records will depend on the type of record and its importance to the Practice’s functions. The Practice has adopted the retention periods set out in the Records Management: NHS Code of Practice. The retention schedule will be reviewed annually.
7. Records Management Systems Audit
7.1 The Practice will regularly audit its records management practices for compliance.
7.2 The audit will:
- Identify areas of operation that are covered by the Practice’s policies and identify which procedures and/or guidance should comply with the policy,
- Follow a mechanism for adapting the policy to cover missing areas if these are critical to the creation and use of records,
- Set and maintain standards by implementing new procedures, including obtaining feedback where the procedures do not match the desired levels of performance; and
- Highlight where non-conformance to the procedures is occurring and suggest a tightening of controls and adjustment to related procedures.
8. Training
8.1 All Practice staff will be made aware of their responsibilities for record-keeping and record management through training and guidance.
9. Review
9.1 This policy will be reviewed every two years (or sooner if new legislation, codes of practice or national standards are to be introduced).