Dental practices confused over data protection, says report

CONFUSION exists over when a dentist is required to register with the Information Commissioners Office (ICO) in compliance with the Data Protection Act, according to a recent report.

The ICO visited 21 dental practices across the UK and conducted an online survey in order to understand the information risks and challenges that dentists face. It found there was confusion over data protection requirements, with some dentists registering with the ICO when it is not necessary and others not registering as required.

The report also found that dentists do not always have written contracts with external suppliers containing appropriate clauses about information security, particularly with IT contractors. The ICO also found that some practices utilising new technologies, such as mobile and personal devices, were not appropriately controlling associated risks.

There was also a lack of clarity in some practices over retention policies (to determine when records, both physical and electronic, should be destroyed). Retention periods were not always clear, and not generally applied to electronic records.

Investigators found that overall dentists are "not always engaged with sources of best practice and new guidance in relation to information governance".

The report states: "Dentists operate within a number of different complex structures, including individual practices, partnerships, expense-sharing arrangements, limited liability companies and dental corporates. This has led to some confusion about the circumstances in which a dentist is (or is not) a data controller, responsible under the DPA for patient data, and also for registration with the ICO."

It encourages practices to visit the ICO website where there is a self-assessment tool and also specific dental practitioner FAQs. You can also phone their registration helpline at 0303 123 1113.

Link: Information Governance in Dental Practices