The Data Protection Act 1998

Are you Compliant or at Risk?

In today’s Healthcare Sector, there has never been more pressure on Dental Practices to continually adapt to the ever-changing demands of the industry, including the provision of services, operational infrastructure, financial management and legal compliance. It is therefore little wonder, that some areas of vital operational and legal importance get overlooked.

Data Protection is one such area and like many other business sectors which gather, retain and use personal information, Practitioners often fail to register as Data Controllers under the Data Protection Act 1998, and those that do, may be failing to implement suitable Policy and Procedures or comply with the eight principles of the Act. The penalties for failing to register or comply with the provisions of the Act can be severe resulting in criminal prosecution and large financial penalties being imposed.

The Data Protection Act 1998 gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.  The Act works in two ways. Firstly, it states that anyone who possesses personal information must comply with the eight principles, which ensure that personal information is:

• Fairly and lawfully processed
• Obtained only for specified and lawful purposes and further processed only in a compatible manner
• Adequate, relevant and not excessive
• Accurate and up-to-date
• Not kept for longer than is necessary
• Processed in accordance with the rights of the data subjects
• Kept secure
• Not transferred to other Countries without adequate protection

The Second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on a computer and most paper records.

Where an individual or organisation believe they are being denied access to any personal information they are entitled to view, or feel their information has not been handled in accordance with the said principles, they can refer to the Information Commissioner’s Office for help. Complaints are usually dealt with informally, but if this is not possible, enforcement action can be taken.

All Dentists who keep personal information on a computer or computer network must notify the Information Commissioner and comply with the Data Protection Act 1998. These principles establish standards of procedures to protect an individual against misuse, unauthorised access, unauthorised disclosure, inaccuracy and loss of the computerised personal information held. These principles must also be observed by holders of manual (paper based) records.

Practices need to notify the Information Commissioner if their records include:

• Patient databases and recall systems
• Patient health care information (including details of dental care and treatment)
• Personal staff data which is used for any purpose other than calculating payrolls, pensions and accounts (for example, sick leave records)

When examining the application of the Data Protection Act in your Practice consideration should be given to the following points:

• It is a criminal offence to process personal data on a computerised systemwithout being registered under the Data Protection Act
• All Practice staff must be aware of the need for strict Patient confidentiality
• Data must not be disclosed to third parties without prior Patient consent
• Only registered data users/staff may access the stored data
• Data entries should be logged, with individual passwords allocated to staff
• The computer system should have a full audit trail facility which prevents data being accidentally deleted or tampered with
• Adequate back-up records must be maintained in case of accidental destruction
• The back-up copies must be stored in a secure and fire-proof container
• Practices should have policies covering information security, data protection and confidentiality
• Retention of Patient records must be managed in accordance with the Act.  See BDA website for guidance
• Other data should be kept for as long as is necessary for its intended purpose

We would recommend that Practice Principals examine their current Data Protection arrangements including Policy and Procedures and address any compliance issues in a timely manner. Don’t adopt an 'Out of sight out of mind' approach because you could end up 'Out of pocket or out of business'.

If you would like any help or guidance on this or any other business issues please contact us via our website at: http://www.psds-solutions.com/contact/contact.asp