Information Governance Procedures
These are the procedures for data protection and information governance, to meet the requirements of the GDPR, the Data Protection Act 2018 and professional standards. Refer to the Data Protection Overview and Data Protection and Information Security Policy.
General information about the data we process:
Details of the personal data and special category data that we hold are in our Privacy Notice.
How we hold personal data
Personal data is held in hard copy securely at the practice / in digital form on the practice computer / in cloud servers or services / backed up online and via portable hard drive back up.
How we collect personal data
We collect personal data directly from team members or patients by phone, in person, by email, using online forms, from referrals.
How we hold special category data
Special category data is held in hard copy, securely at the practice, / in digital form on the practice computer / in cloud servers or services / backed up online and via portable hard drive back up.
How we collect special category data
We collect special category data directly from team members or patients, by phone, in person, by email, using online forms, from referrals, other.
Lawful basis for processing data
It is necessary to have a valid lawful basis in order to process personal data. Of the six available lawful bases for processing no single basis is ’better’ or more important than the others. We have determined our lawful basis before we began processing, and we document it here.
When we process criminal conviction data or data about offences, we have identified both a lawful basis for general processing and an additional condition for processing this type of data. When recruiting team members, it is a requirement to obtain a criminal record check, but we take care to handle the data appropriately, see the Information Security section below for further information.
The lawful basis for processing data at the practice is found in the Data Protection and Information Security Policy.
The practice offers individuals real choice and control. Our consent procedures put individuals in charge to build customer trust and engagement. Our consent for marketing requires a positive opt-in, we don’t use pre-ticked boxes or any other method of default consent. We make it easy for people to withdraw consent and tell them how and keep contemporaneous evidence of consent. Consent to marketing is never a precondition of a service. There are two types of consent management at the practice and the lawful basis of processing is above:
Any consents for marketing that we have, that do not meet the new standards, are being re-consented by referring to:
In order to bring our consent for marketing in line with the latest regulations we are re-consenting individuals as follows:
Managing individual’s rights
Individuals have the right to access their personal data, correct it, have copies of it, correct errors in it and to restrict processing of it. They also have the right to obtain supplementary information such as how we process their data, what it is used for and to object to specific uses of it. The right of access allows individuals to be aware of, and verify the lawfulness of, processing activities. They also have the right to request we delete data, however this may not always be possible. If an individual contacts the practice about their data they will be provided with the relevant information or actions, as requested:
To manage individual’s rights, we use the following procedures:
Right of access for children
Even if a child is too young to understand an access request, it is still their personal data and does not belong to anyone else such as a parent or guardian. When handling a request for information about a child we always consider if the child is mature enough to understand their rights. If they do, then we consider responding directly to the child rather than the parent. In Scotland, a child aged 12 years or older can make a request on their own behalf. When a child makes a request, they are provided with a copy of the Privacy Notice for Children or told where to access it on the website.
Information about a child may be released to a person with Parental Responsibility, taking into account the best interests of the child. All mothers and most fathers have this responsibility and parents do not lose it if they divorce, although it can be removed by a court. When in doubt about parental responsibility, proof of identity and evidence is requested. Note: For more information on how a parent can prove that they have parental responsibility see the gov.uk advice page.
Access requests and mental capacity
For patients who lack the mental capacity to manage their own affairs, an attorney or other person with a Lasting Power of Attorney, or someone appointed by the courts will have the right to access information about the person they represent and make decisions on their behalf. Proof of identity and evidence of power of attorney or court order is always requested. The same applies to a person appointed to make decisions by:
Our consent requests are prominent, concise, separate from other terms and conditions and easy to understand, they include:
We record consent in the clinical records.
Pseudonymisation means transforming personal data so that it cannot be attributed to an individual unless there is additional information.
Examples of pseudonymisation we use are:
Right to be informed
We provide ‘fair processing information’, through our Privacy Notice, which provides transparency about how we use personal data. The Privacy Notice is available on our website at ……………………………………… or from the practice in printed form.
Data processors and contracts
Data processors are third parties who processes personal data on our behalf. We have identified who our data processors are, where they store their data and, if it is outside of the EU, that they have suitable arrangements to secure our data that meets the GDPR requirements. The USA has the EU-US Privacy Shield, the companies we use such as Dropbox or Microsoft who store our data in the USA are certified on the Privacy Shield website, we check this by searching for them in the list of companies.
We have an appropriate contract with all of our data processors, we use the Data Processor or Joint Data Controllers agreements for smaller companies when the company does not provide their own contract. Alternatively, the processor will send us their own contract. We have a link to the relative terms for the bigger companies such as Dropbox or Microsoft who are unable to send us individual agreements.
Privacy by design
We implement technical and organisational measures to integrate data protection into our processing activities. Our data protection and information governance management systems and procedures take Privacy by design as their core attribute to promote privacy and data compliance. Privacy Impact Assessments (PIAs) are an integral part of taking a privacy by design approach. To identify the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy we review our Privacy Impact Assessment annually using the Sensitive Information Map, PIA and Risk Assessment.
We keep records of processing activities for future reference.
2-Step Backup Procedure
We use three-step backup procedure:
All backups are encrypted and password protected for security.
We have appropriate security to prevent the personal data we hold being accidentally or deliberately compromised. It includes technical security, physical security and the plan for appropriate response swiftly and effectively. To meet this requirement we have policies, procedures, risk assessments and planning which we review annually. Our approach to information security includes:
This electronic security section applies to desktop computers, laptop computers, tablets and smartphones. In networked computer systems it also applies to servers. The IG Lead is also responsible for allocating responsibility to keep any Internet router’s software up to date.
Team members are aware to never click a link in an email unless they are sure of the sender. A common way for cyber-criminals to obtain usernames and passwords is by sending an email that looks like it originates from a well-known bank or other service provider such as PayPal or Netflix. It will have a link that says, ‘click here to reset your password’ and usually has a strong message to drive the action such as ‘take action now, account suspended’.
Inadvertently clicking on an unknown link may install malware on a device or computer, this is how many ransomware attacks are perpetrated. When the link is clicked the ‘ransomware’ may encrypt the computer rendering it useless unless you pay a large amount to the criminals who have sent you the malware. There are many variations of this type of cybercrime and to minimise the risk of it happening team members:
Requests for money
There are many ingenious ways that money can be stolen using email. These include:
Whenever an email like this is received, the team member will contact the sender, in person by telephone to confirm. The team member will only use the telephone number that they can confirm is the correct phone number of the supposed sender.
Our IT Team
Password type and storage – notes for reference
The theory of using upper and lower-case letters mixed with numbers and special characters was invented by Bill Burr. Unfortunately, hackers have designed their password cracking software to ‘crack’ this type of password so they are no longer secure. He now advises use of four unrelated words such as ‘moon rapport deckchair towel’.
We recommend that all computer users install a password manager such as 1Password, which helps the user easily manage different passwords for each login. It also completes name and address details or credit card details into a website form saving the user time. Some people are concerned that password managers may be hacked.
The password rules for team members:
Routers and other equipment
The default administrator username and password of our internet router/firewall/practice computers/other electronic equipment has been changed.
The practice encrypts data whenever possible. Encryption scrambles the data and makes it unreadable unless the user has the encryption key. We use encryption in the following situations:
Managing logins and levels of computer access
The IG Lead is responsible for who has access to computers and software, as well as the level of access that is appropriate to their role. The Practice Manager is responsible for setting up users when they join the practice, providing the appropriate level of access such as administrator or team member user and deleting the login when the team members leaves.
Wherever possible two factor authentication is set up for administrator logins. All logins and their level of access are recorded on the Network, Computer and Software Access Log.
Each user is allocated a unique username and password, to identify their use of the software. During training each user is given a copy of the guidelines on the use of the system with their login details. A record is kept of all users given access to the software.
New team members
When a new employee/self-employed dentist, hygienist or therapist or external consultant joins the practice the IG Lead, arranges passwords and access level.
Temporary access is granted on a need to use basis by the IG Lead and is recorded in the Network, Computer and Software Access Log. Temporary logons are deleted or suspended immediately they are no longer required.
Change of user requirements
Changes to access level or suspension of an account are made by the IG Lead and a record is kept of all changes on the Computer and Software Access Log.
Removal of users
As soon as an individual leaves the practice their logons will be removed by the IG Lead.
Review of computer access rights
The IG Lead reviews all access rights on a regular basis. The review is designed to positively confirm all system users and remove any lapsed or unwanted logons.
Postal services and couriers
To ensure that confidential information transferred from the practice by post or courier is done so as securely as is practicable, the practice ensures:
The practice’s fax machine is in a secure location and when receiving faxes containing confidential information, the practice ensures:
Additionally, when practice staff members transfer confidential information by fax they always:
Emails received containing patient information are incorporated into the dental record and deleted from the email system on receipt.
The practice is aware that NHS mail is currently the only NHS approved method for sending patient identifiable information by email, but only if both sender and recipient use an NHSmail account, therefore the practice ensures:
Personal identifiable information is only taken off site when absolutely necessary, in which case the following procedure is followed:
Other forms of information exchange (e.g. text messages, smartphones, etc.)
Personal identifiable information is always sent by means as described above, with the exception of messages that solely relate to appointment scheduling (such as reminders), which may be sent to a patient’s phone or text messaging system if they have previously given permission to use these methods of contact to it.
The secure use of personal information
When working in an area where patient records may be seen we always:
When using paper patient records we ensure that they are:
If using electronic records, we:
When communicating information about a patient we take care:
When verifying the identity of a caller requesting personal information we:
Transferring patient information
If a team member is authorised to transfer patient information they follow the information handling procedures.
Handling and retention of criminal record information – DBS/PVG/Access NI disclosures
The IG Lead ensures that information is kept securely in a lockable fire-resistant cabinet with access strictly controlled and limited to persons who need to have access to this information in the course of their duties. This information is only used for the specific purpose it was requested for and with the applicant’s full consent. Note that it is a criminal offence to share criminal record information with any individual who is not entitled to receive it. However, if the applicant freely gives their consent to the sharing of this information, then an offence has not been committed.
The practice does not retain criminal record disclosure details for longer than is necessary; not exceeding six months after the decision has been made to appoint or for six months from the date the applicant was unsuccessful, to allow for the consideration and resolution of any disputes or complaints (in England, Wales and Scotland, while in Northern Ireland the practices keeps copies of criminal records disclosures).
Preventing unauthorised computer access
When a desktop computer is left unattended, the team member logs off to prevent unauthorised users’ access to it. When leaving a workstation for the day, the team member logs out of the system entirely and closes down the computer.
Audit trails and reporting security breaches
Nearly all of the activity that is performed on a computer can be tracked. Our system suppliers record and enable us to review Internet usage logs. Emails are routinely backed up on the practice’s computer servers. Recorded information will be used to aid an investigation where breaches of security, the law or these guidelines, are suspected. This information is kept confidential, but when used helps to explain innocent situations more often than exposing security breaches.
Information security breaches might involve unauthorised use of equipment or unauthorised access to data. Any breach of security, however small, wastes time and often requires work to be repeated and could be a potential risk to the practice or individuals. If you know or suspect that a breach of information security has occurred, please inform your IG Lead.
Using mobile computing equipment
These procedures outline the appropriate use of portable computer devices and removable media, collectively known as mobile computing equipment when it has been purchased or authorised by the practice.
The procedures take into account the increased risk to personal information posed by this way of working and they complement the procedures and guidelines regarding the protection of patient information.
NOTE: Team members NEVER take patient photographs on a personal smartphone or tablet as this would breach our security and confidentiality policy. Patient photographs are only taken with a phone or tablet that is owned by the practice and specifically kept for the purpose of patient photography.
Only authorised staff have access to mobile computing equipment. Any member of staff allowing access to any unauthorised person deliberately or inadvertently may be subject to disciplinary action. Staff should not use their own (or unauthorised) computing equipment for practice business but they may use a personal mobile phone for the mobile application.
Be aware of security measures in place
To reduce the risk of loss and unauthorised access we have the following measures:
Team members do not:
Personal use of practice email, internet and phones – policy and procedure
We permit the incidental use of internet, and telephone systems to send personal email, browse the internet and make personal telephone calls subject to certain conditions set out below. Personal use is a privilege and not a right. It must be neither abused nor overused and we reserve the right to withdraw our permission at any time. The following conditions must be met for personal usage to continue:
Team members should be aware that personal use of our systems may be monitored and, where breaches of this policy are found, action may be taken under the disciplinary procedure. We reserve the right to restrict or prevent access to certain telephone numbers or internet sites if we consider personal use to be excessive. In general, team members should not:
Misuse or excessive use or abuse of our telephone or email system, or inappropriate use of the internet in breach of this policy will be dealt with under our Disciplinary Procedure. Misuse of the internet can, in certain circumstances, constitute a criminal offence. In particular, misuse of the email system or inappropriate use of the internet by participating in online gambling or chain letters or by creating, viewing, accessing, transmitting or downloading any of the following material will amount to gross misconduct (this list is not exhaustive):
Any such action will be treated very seriously and is likely to result in summary dismissal. Where evidence of misuse is found we may undertake a more detailed investigation in accordance with our Disciplinary Procedure, involving the examination and disclosure of monitoring records to those nominated to undertake the investigation and any witnesses or managers involved in the Disciplinary Procedure. If necessary, such information may be handed to the police in connection with a criminal investigation.
Personal mobile telephones
Personal mobiles should be turned off during working hours. Messages will be taken for team members during working hours, but they would not be expected to come to the telephone unless there was an emergency. Personal calls should never be made from reception or in the treatment room if patients could overhear the conversation.
Managing Data Breaches
The GDPR states:
“You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage”
The GDPR provides specific breach notification rules, including that we must notify a breach to the relevant supervisory authority the ICO within 72 hours of becoming aware of it. It is recognised that we may have to provide information in phases as our investigation takes place. If the breach is likely to have “a significant detrimental effect on individuals” we will need to notify patients without unnecessary delay. Failure to notify a breach can result in a fine of up to 4% of our total turnover or 20 million Euros. Note that the ICO currently says that a breach should be notified within 24 hours, although this may change.
The IG Lead is responsible for managing data breaches. This data breach management applies to incidents that impact on the security and confidentiality of personal information. These information incidents can be categorised by their effect on patients and their information:
When a data breach is reported to the practice
It could be reported by an affected patient, by a relative, a member of the public or by a team member, the IG Lead will:
When an Event happens – if it needs recording it is probably a Significant Event and needs Significant Event Analysis (SEA) to determine what went wrong and how to stop it happening again.
Any actual or potential information incident in the practice will be investigated and managed accordingly.
Inadequate disposal of confidential material
This type of incident may lead to a breach of confidentiality and is likely to be reported by a patient affected, a member of the public, or a member of staff. The confidential material could be on paper, hard drive, computer or storage media such as memory card or stick or tapes, etc. If the happens the IG Lead will:
Attempted or actual theft of equipment and/or access by an unauthorised person
This type of incident may lead to a breach of confidentiality, the risk that information has been tampered with, or information not being available when needed, the IG Lead will:
Computer misuse by an authorised user
This includes browsing dental records when there is no requirement to do so, accessing unauthorised Internet sites, excessive/unauthorised personal use, tampering with files, etc. The IG Lead will:
Lost or misfiled paper dental records
This type of incident could have a possibly severe impact on patient care as the information within a patient record is incorrect or is not available when required. The IG Lead will:
If a team member discovers a data breach?
If a team member discovers something that could be considered a data breach it is reported to the IG Lead. The following information is entered on the form:
Notifiable breaches will be reported to the ICO and the Local Area Team within 72 hours following the Notification Requirements above. If necessary the patient/s involved will be informed by letter without delay, advising them of the details of the breach and any actions that they need to take.
Patient concerns and feedback will be handled by the IG Lead.
Data breach notification procedure
The ‘Notification Requirements’ are at the beginning of this section. We await clarification from the ICO about reporting times.
In England NHS dental practices must use the new online Data Protection and Security Incident Reporting Tool. This will report it to the Information Commissioner’s Office, the Department of Health and Social Care and the National Cyber Security Centre.
All practices in Scotland, Wales and Northern Ireland and fully private practices in England should submit a report to the Information Commissioners office using the ICO Security breach notification form. All practices must keep a record of all personal data breaches and record the basic facts, effects of the breach and remedial action.
Lessons learned from a data breach
The practice maintains a register of all incidents occurring. A data breach is considered a Significant Event and is evaluated.
Significant Events and Serious Incidents are discussed at a practice meeting to provide staff with an example of what could occur, how to respond to such events and how to avoid them from happening in the future.
Remote access policy and procedure
Remote access to the practice is necessary for people who do not work from the premises at all times. Authorised users are called hosts, they need to log onto our network using a Virtual Private Network (VPN). To protect confidential personal data, it is necessary to have the highest standards of security. The purpose of this procedure is to minimise:
Our Hosts do not use VPN to logon to our network. They use a secure software called Splashtop. This is not based on VPN Technology, rather it connects on demand.
Staff confidentiality code of conduct
The practice has produced this Staff Confidentiality Code of Conduct to raise staff members’ awareness of their legal duty to maintain confidentiality, to protect personal information and to provide guidance on disclosure obligations.
Personal information is data about patients or staff, in any form (paper, electronic, tape, verbal, etc) from which a living individual could be identified including name, age, address, and personal circumstances, as well as sensitive personal information such as race, health, sexuality, bank account details etc. This code also covers information about deceased patients.
Recognise your obligations
A duty of confidence arises out of the common law duty of confidence, employment contracts and your professional obligation as a registered dental professional. Breaches of confidence and inappropriate use of records or computer systems are serious matters, which could result in disciplinary proceedings, dismissal and possibly legal prosecution. So, you must not:
Keep personal information private
To keep personal information protected make sure you observe the practice policies and procedures listed in the Data Protection and Information Security Policy.
Disclose with appropriate care
It is the aim of the practice to ensure that patients are adequately informed about the use and disclosure of their personal information. You should be familiar with it and seek advice from the IG Lead if you are unable to answer patients’ questions.
If you are authorised to disclose personal information you should ensure you do so in accordance with information handling procedures and you must only:
If you are authorised to disclose information that can identify an individual patient for non-healthcare purposes (e.g. research, financial audit) you must only do so if:
Under the common law duty of confidence, identifiable personal information may be disclosed without consent in certain circumstances, these are:
You must refer all requests for disclosure of personal information without the consent of the patient, including requests from the police, to the IG Lead who will consult the medical indemnity provider before releasing the information.
Information disclosure over the phone
Before information can be disclosed a staff member should:
Data Opt Out
We do comply with the National data opt-out policy. We do not share confidential patient information for purposes beyond their direct care, such as research or audit.
Staff Declaration Form
By adding my signature below, I confirm that I have received the Information Governance Procedures. I understand that it is my responsibility to read, understand and comply with the received information and guidelines and to raise any queries or concerns with the Information Governance Lead.
Team member name in capitals