Valley Dental Practice takes seriously its obligations, both in law and against professional standards, to maintain a high standard of security around all data which it holds and processes, and particularly personal and special (health) data (as defined in the Data Protection Act 2018 and the General Data Protection Regulation (EU)).
Mrs Robinson is designated as the Information Security Officer for the practice.
All issues related to Information Security shall be reported to the Information Security Officer without delay.
- All employment contracts and contracts for services contain a confidentiality clause, which includes a commitment to comply with the practice confidentiality policy
- Access to personal data is on a ‘need to know’ basis only. Access to information is monitored and breaches of security will be dealt with swiftly by Mrs Robinson
- We have procedures in place to ensure that personal data is regularly reviewed, updated and, when no longer required, deleted in a confidential manner. For example, we keep patient records for at least 10 years or until the patient is aged 25 – whichever is the longer.
Physical security measures
- Personal data is only removed from the practice premises in exceptional circumstances and when authorised by Mrs Robinson. If personal data is taken from the premises it must never be left unattended in a car or in a public place
- Records are kept in a lockable fireproof cabinet, which is not easily accessible by patients and visitors to the practice
- Efforts have been made to secure the practice against theft by, for example, the use of intruder alarms, lockable windows and doors
- The practice has in place a business continuity plan in case of a disaster. This includes procedures for protecting and restoring personal data.
Access to Personal Data – Digital
All employees and contractors with access to personal data held by the practice must adhere to the following requirements:
- A personal log-in and secure password (as approved by the practice) must be used on each occasion that digital data is accessed
- Under no circumstances shall the password be divulged to any other person nor shall it be written down or stored on any device
- Passwords must be changed every 3 months
- No personal data shall be accessed or processed in any way other than for the purposes it was obtained as set out in the practice’s Privacy Statement
- All computers and other devices must be locked to a secure screen-saver mode when not in active use
- Computers and other devices shall not be used so as to permit any unauthorised viewing or processing of personal data
- No personal data shall be copied, downloaded or transmitted to any device or storage medium other than those authorised by the Information Security Officer
- No applications, programs or other functionality shall be downloaded or placed on any practice computer or device other than those authorised by the Information Security Officer
- Extreme care shall be taken when opening any file attachment originating outside the practice and in any case of doubt the Information Security Officer shall be advised before so doing
- No information about practice systems, log-in or other technical details may be provided to any person without the authority of the Information Security Officer
- No device or computer may be connected to the practice internet router or any server without the prior consent of the Information Security Officer
- Dental computer systems have a full audit trail facility preventing the erasure or overwriting of data. The system records details of any amendments made to data, who made them and when
All employees and contractors of the practice must adhere to the following requirements to ensure that the practice maintains security around personal data:
- All patient records, radiographs, correspondence and other items which can identify an individual person shall be kept in a secure location which is locked or suitably protected from unauthorised access as approved by the Information Security Officer
- The practice premises must be securely locked against unauthorised entry when closed and any alarms must be set and checked by those authorised to do so
- All desks and work surfaces shall be cleared of material which could identify an individual person when not in use including telephone and other notes
- Incoming telephone recording messages shall be cleared and deleted from the system once they have been actioned
- No material which can identify an individual person shall be left in such a position that it can be viewed by unauthorised people
Internet and External Security
The practice will apply suitable security programs to all systems so as to prevent the introduction of malware and unauthorised access, including but not limited to firewalls and anti-virus software as approved by the Information Security Officer. All software, including the above, will be regularly updated as required.
Penetration testing of the computer, security and telephone systems may take place at intervals and may not be advised in advance to staff and contractors, who should therefore maintain vigilance at all times.
All personal data will be backed-up on a daily basis using personnel, processes and devices as approved by the Information Security Officer. Back-ups will be audited and confirmed as effective on a regular basis.
Daily and weekly back-ups of computerised data are taken and stored in a fireproof safe and also in the cloud. Back-ups are also tested at prescribed intervals to ensure that the information being stored is usable should it be needed.
For data stored on cloud computing facilities, a rigorous service level agreement is in place with our cloud provider to ensure that all our obligations in this policy are fulfilled and that all information is secure.
Off-site Data and Security
Where the Information Security Officer has authorised that any personal or other data may be taken or transferred off-site (outside the practice location):
- All such authorisations shall be written and a record kept
- Authorised data and devices shall be used only for the purposes and period authorised
- The requirements in Clause 2 of this Policy will apply to all such instances
- Any loss or damage to devices or data must be immediately reported to the Information Security Officer and a Data Breach notification template prepared
- Devices and data must be secured and out of sight to unauthorised persons whilst in transit and shall be kept in a locked environment when not in use
When digital payments are taken from patients or other parties at the practice, all staff or contractors will:
- Ensure that the requirements of the EFTPOS (Electronic Funds Transfer – Point of Sale) device/s and systems supplier are followed at all times
- Ensure that PCI (Payment Card Industry) best practice guidance is followed
- Take all precautions against fraud or misuse of payment cards
- In particular ensure that no payment card details are written down
Internet and E-mail Use
All staff and contractors will follow the practice rules for use of the internet and e-mails and adhere in particular to any requirements or restrictions on:
- Personal internet browsing
- Sending or receiving personal e-mails
- The encryption of authorised practice e-mails containing patient or other personal data
Destruction of Data
Data shall only be destroyed with the explicit written consent of the Information Security Officer and using methodology which is secure and approved. Paper data, such as notes and jotters, which contains personal information will be shredded on the premises or by an authorised contractor.
Devices to be de-commissioned will have all data securely removed from them using an authorised contractor: it is acknowledged that routine formatting or factory re-setting will not suffice.
All staff and contractors shall at all times take utmost care and diligence in protecting all data, including personal and health-related data, within the practice.
The practice undertakes to regularly train and update staff on the processing of data held, whether digital or otherwise, in order to assure the competence of all users and maintain awareness of data protection and information security.
All and any concerns about the security of data held by the practice, however apparently slight, shall be brought at once to the attention of the Information Security Officer and it shall be the policy of the practice that any such information shall be positively and constructively received to encourage prompt and vigilant awareness of the importance of data security.
Any breach of the terms of this policy may lead to disciplinary action against staff or contractors and repeated or serious breaches may be regarded as serious misconduct resulting in termination of employment or engagement.