Patient confidentiality

Your information stays between us

Everyone working at Cardiff Dental and Aesthetics Centre is under a legal duty to keep patients’ personal information confidential. This policy explains how we protect that information, the principles we follow, and the limited circumstances in which information may need to be shared.

Purpose of this policy

The purpose of this policy is to ensure all staff members at the practice are aware of their legal duty to maintain confidentiality, to set out the processes we have in place to protect personal information, and to provide guidance on disclosure obligations.

What we consider personal information

Everyone working for the practice or elsewhere within the business is under a legal obligation to keep patients’ personal information confidential. Patients who believe their confidence has been breached may make a complaint to the practice, and they could take legal action or report it to the ICO. In the case of a registered dental professional, the patient could also make a complaint to the General Dental Council, which in worst-case scenarios may end in erasure from the GDC register.

This policy is concerned with protecting personal information about patients, although its content would apply equally to staff or business-sensitive information.

Personal information is data in any form (paper, electronic, tape, verbal, etc.) from which a living individual could be identified, including:

– Name, age, address and personal circumstances, as well as sensitive personal information such as race, health and sexuality

– Information regarding appointments

– Information regarding medical histories

– Information regarding finances, including any bad debts

Although the Data Protection Act 2018 is only relevant to the personal information of living individuals, this code also covers information about deceased patients. This policy applies to all staff, including permanent, temporary, and locum staff members.

Our confidentiality duty

Under the Data Protection Act 2018 and UK GDPR, dental practices must keep personal data about their patients safe and secure and ensure it is only accessed by persons who need to see it for the purposes of providing safe, effective care.

Registered dental professionals have an ethical and legal duty to keep all patient information confidential.

Dental practices are also required to ensure that they do not ‘advertise’ to other patients or the public that a particular person is a patient of the practice, or that they have had appointments or have appointments due. This means that day lists, appointment cards that identify the patient, and record cards must not be seen by other patients in the practice. It is also important that confidential telephone calls that name a particular patient are not held within earshot of other patients. Messages confirming or cancelling appointments should not be left with a third party.

The Caldicott Principles

The Caldicott Principles are the guidelines for ensuring people’s information is kept confidential and used or shared appropriately within a healthcare setting. All NHS organisations must have an appointed Caldicott Guardian. This won’t apply to most dental practices, although there should be someone within the practice who is responsible for ensuring patient information is kept confidential and shared appropriately when required.

Principle 1 — Justify the purpose for using the confidential information

Principle 2 — Use confidential information only when it is necessary

Principle 3 — Use the minimum necessary confidential information

Principle 4 — Access to confidential information should be on a strict need-to-know basis

Principle 5 — Everyone with access to confidential information should be aware of their responsibilities

Principle 6 — Comply with the law

Principle 7 — The duty to share information for individual care is as important as the duty to protect patient confidentiality

Principle 8 — Inform patients and service users about how their confidential information is used

Disclosing patient information

Personal information relating to a patient should only be shared with third parties where the patient has given consent, or in exceptional circumstances (GDC Standards 4.3).

Examples of where information may be shared without consent include:

– Safeguarding concerns, where it is not possible to gain consent and a referral needs to be made to the local authority or to the police

– Where information has been ordered by a court or by a coroner — only the minimum amount of information should be disclosed

Before disclosing information to third parties where consent has not been obtained, our clinicians are advised to contact their indemnity provider.

Why confidentiality matters

The relationship between clinician and patient is based on the understanding that any information revealed by the patient to the clinician will not be divulged without the patient’s consent. Patients have the right to privacy, and it is vital that they give clinicians full information on their state of health to ensure that treatment is carried out safely and effectively.

The intensely personal nature of health information means that many patients would be reluctant to provide the clinician with information if they felt the information would be passed on.

Care must be taken to ensure that confidentiality is never breached, even to the most minor degree, in the use of social media or websites (GDC Standards 4.2.3).

Our team’s obligations

A duty of confidence arises out of the common law duty of confidence, employment contracts, and — for registered dental professionals — professional obligations. Breaches of confidence and inappropriate use of records or computer systems are serious matters that could result in disciplinary proceedings, dismissal and possibly legal prosecution.

Every member of our team is required to make sure they do not:

– Put personal information at risk of unauthorised access

– Knowingly misuse any personal information or allow others to do so

– Access records or information they have no legitimate reason to look at — this includes records and information about family, friends, neighbours and acquaintances

GDC standards guidance

Dental care professionals have an ethical and legal duty to ensure they are familiar with and comply with the GDC’s Standards for the Dental Team. All practice team members must also follow this guidance and ensure patient confidentiality. Copies of the full publication are available as PDF downloads from the GDC’s website at gdc-uk.org.

4.2 — You must protect the confidentiality of patients’ information and only use it for the purpose for which it was given.

4.2.1 — Confidentiality is central to the relationship and trust between you and your patients. You must keep patient information confidential. This applies to all the information about patients that you have learnt in your professional role, including personal details, medical history, what treatment they are having and how much it costs.

4.2.2 — You must ensure that non-registered members of the dental team are aware of the importance of confidentiality and that they keep patient information confidential at all times.

4.2.3 — You must not post any information or comments about patients on social networking or blogging sites. If you use professional social media to discuss anonymised cases for the purpose of discussing best practice, you must be careful that the patient or patients cannot be identified.

Questions about this policy?

If you have any questions about our confidentiality policy or how we protect your information, our Practice Manager will be happy to help.

Contact our practice

Emily Williams — Practice Manager
Phone: 02920 229877
Email: hello@cardiffdentalaesthetics.co.uk
Cardiff Dental and Aesthetics Centre
107 Clare Road, Cardiff CF11 6QQ

Version 1.0  ·  Effective: April 2026  ·  Next review: April 2027  ·  Reviewed by: E. Williams