Patients Data Protection Policy

Data Protection Policy — For Patients

St James Dental Surgery complies with the 1998 Data Protection Act and this policy describes our procedures for ensuring that personal information about patients is processed fairly and lawfully.

Principles of Data Protection

There are eight data protection principles that require that data shall be:

Processed fairly and lawfully and shall not be processed unless certain conditions are met
Obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
Be adequate, relevant and not excessive for those purposes
Be accurate and, where necessary, kept up to date.
Not be kept for longer than is necessary for that purpose
Be processed in accordance with the data subject’s rights
Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures.
Not be transferred to countries outside the European Economic Area, without adequate protection.

What personal data do we hold?

In order to provide our patients with a high standard of dental care and attention, we need to hold personal information about them. This personal data comprises of:

Their past and current medical and dental conditions: personal details such as age, address, telephone number and their doctor`s details
Radiographs, clinical photographs and study models

Information about the treatment that we have provided or propose to provide and its cost
Notes of conversations/incidents that might occur for which a record needs to be kept
Records of consent to treatment
Any correspondence relating to the patient with other health care professionals for example in the hospital, specialists or community services.

How do we process data?

We process personal data that we hold about patients in the following way:

Give patients the opportunity to withhold permission for you to share information about them.

Where a patient allows you to share information about them, make sure patients understands:

– what you will be releasing
– the reasons you will be releasing it, and
– the likely consequences of releasing the information.

If you have permission to release information, make sure anyone you share that information with understands that the information is confidential
If you are given information about the patient to help you provide care for them, by law you must keep the information confidential.
Other people may ask you to provide patient information, for example, to help teaching or research, or you may want to use patient information, for example, patient images such as photographs, for teaching or research. If so, make sure you apply the principles of this policy by:

– getting the patients consent;
– making sure the patient understands exactly what they are agreeing to and how the information will be used; and
– If it is not necessary for the patient to be identified, make sure that the patient cannot be identified from the information you release.

Preventing information being released accidentally

• Make sure that you protect the confidential information you are responsible for when you receive it, store it, send it or get rid of it.
• Store records securely and don’t leave them where they might be seen by other patients, unauthorised healthcare staff or members of the public.
• Do not talk about patients where you can be overheard.

Your Rights

Where consent is required, we will obtain your consent before processing data that relates to you.

You are entitled, upon request, to be informed whether personal data about you is being processed, and to be provided with a description of the data, any information available as to its source (if known), the purposes for which it is being processed, and details of the recipients to whom it is being disclosed. We will provide this information upon request although we reserve the right to make a charge for providing this information. In certain circumstances and upon request, we will stop processing personal data about you if it is likely to cause substantial damage or distress to you or someone else. Any requests relating to the above should be made in writing to our Data Protection Officer, Maurice Dadoun

We will endeavour not to make any decisions that significantly affect you which are based solely on automatic processing of personal data. However, where such a decision is made, you will be informed of the way in which the decision was made and be given an opportunity to make representations to challenge the decision. In such circumstances, we will consider your representations and review the decision with a view to ensuring that a correct and fair decision is made.

Your Obligations

You are required to make yourself familiar with and follow our Data Protection Policy and Code of Practice, which sets out the way in which we require personal data to be treated in order to comply with the law.

Personal data is confidential and is held solely for the purpose of carrying out company business. Breach of our Data Protection Policy or Code of Practice may amount to misconduct and result in disciplinary action. Persistent breaches or a serious breach may result in your dismissal.


We will ensure that appropriate measures are adopted to guard against unauthorised and unlawful processing, or the accidental loss, destruction of or damage to data.


The subject of data protection is a complicated one. If you require guidance or assistance you should contact our Data Protection Officer who will be pleased to help you and answer any queries that you may have.

Policy Relating to Accidental Disclosure of Confidential Information

At St James Dental Surgery, we are very aware of Principle Seven of the Data Protection Act which states that

‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

If a breach occurs we would take the following steps:

1. Containment and recovery
2. Assessment of ongoing risk
3. Notification of breach
4. Evaluation and response

Containment and recovery

As soon as a breach of confidentiality is discovered we would assign a person to be responsible for ensuring that the breach is contained. We would establish who needs to be aware of the breach and how they can help in containing it. This may involve shutting down computer systems or establishing new access codes, finding new safe storage for record cards, or changing locks on doors.

We would act to recover the data as soon as possible, restoring lost or damaged data from off-site back up and/or data that is backed up securely to the “cloud”

If we felt it was appropriate we would inform the police.

Assessment of ongoing risk.

We would access the type of data involved and its level of sensitivity. We would also assess how much data was involved and the number of people affected.

We would endeavour to find out what has happened to the data and if stolen, whether it could be used harmfully. We would assess whether the data could lead to physical risk or damage of reputation for the people involved. We would also assess whether the information could lead to identity fraud or financial loss.

Dependent on the type of data, we would also assess the damage to the reputation of the practice.

Notification of breach

We would decide who needed to be informed of the breach. This would be based on who was involved and the type of information. We would make sure that we were meeting our security obligations with regard to the seventh data protection principal. We would also make sure we have a clear purpose as to our reasons for notifying individuals.

We would discuss with our defence organisation how we should inform the people involved and what we should say to them. We would make sure we had a contact point (data protection officer) in the practice for anybody who had queries to be able to contact

If it was felt necessary we would inform the ICO. For guidance on whether to inform them we would go to

Evaluation and response

We would investigate the cause of the breach and how we responded to it. We would review all aspects and update our policies and procedures in light of what we found.

We would look for any weak points in our system and work to improve them.
This may involve further training of staff, assignation of responsibilities and ongoing monitoring.


St James Dental Surgery, uses a software management system provided by iSmile.
User access to iSmile is protected through a secure login.

Each user is a member of a user group with different permissions i.e. nurses, dentists, practice managers etc.

No single user group has access to the entire set of patient/practice data. Passwords are masked when entered and each password is restricted by length and type of characters that must be included.

All user activity and changes to the patient data/clinical charts/clincial notes is logged for audit purposes.

Access to the iSmile database is restricted to only administrators on the LAN with a valid username and password for SQL server.
The LAN is protected through network firewalls.
The iSmile database is backed-up and encrypted automatically using the AES 32 bit Encryption technique.

Access to the backup data is restricted to Administrators who have access to the back-up location and also have access to the back-up password to decrypt the data.
Admin users have been trained to take backups offsite – back-up data is stored in encrypted AES 32 bit form on a secure USB device and the device is left in a secure location off premises.

Where the practice has subscribed to the Online Backup Service, the locally encrypted backup files are uploaded securely to the iSmile Cloud Data Centre, which is physically located in Manchester.
All online backup data is held in this location alone. Access to the cloud data centre is restricted to iSmile support team members, who have a unique username and password to access where the encrypted data files are kept. This is further protected by Cisco Adaptive Security Appliance (ASA) Software installed on Cisco ASA firewalls and McAfee anti-virus software. The firewall is maintained and updated by our Admin team.