Specially adapted for Vital by Fiona Ryan from an article due to be published in the BDJ.

Introduction

Patient information can be defined as anything that is used to identify a patient either directly or indirectly and is bound by legal and ethical obligations of confidentiality.1 All members of the dental team, clinical and non-clinical, are obliged to maintain patient confidentiality. Information offered in confidence should not be used or disclosed in any way that might identify a patient without his or her explicit consent. Some exceptions to this rule do exist but it applies in most circumstances. Practice staff must all be aware of the importance of absolute confidentiality and should not disclose information to anyone except under the direction of the patient's dentist.2

The management of confidential patient information is central to the principles of clinical governance and its importance is highlighted by the fact that it is outlined twice in the Department of Health's ten-point list on the main components of clinical governance.3

The Caldicott Committee was set up by the Department of Health as a result of concerns that had arisen about the security of patient-identifiable information. The Caldicott Report (1998) highlighted weaknesses in the way confidential patient data was handled in the NHS and suggested six principles to govern the use of patient information (Table 1).5

Table 1 The Caldicott Principles of personal data use within the NHS

The Caldicott Principles incorporate the Data Protection Act (1998), which governs the use of personal information through eight principles (Table 2).6

Table 2 The Data Protection Principles

In early 2007, the Government announced that prison sentences are to be introduced for the first time for certain offences under the Data Protection Act,6 and while there would have to be a major breach of the Act to incur such a sentence, it is clear that an increasingly stringent approach is being taken.

Materials, subjects and methods

Using published guidance as a reference, a questionnaire with 19 multiple choice questions and answers was devised (Appendix 1).1,2,3,4,5,6,7,8,9,10 The questionnaire was distributed to all NHS clinical members of staff in our orthodontic department.

Results

The results of a selection of the questions posed in the questionnaire are presented in this section; each question is listed together with the right answer and the percentage of participants who responded correctly. For some questions a definitive answer does not exist and these are considered in more detail.

Question 2: If you are approached by the police for information regarding one of your patients, can you provide it?

Correct answer: Yes, but they must confirm that it is to prevent or detect serious crime, or to apprehend or prosecute offenders. The release of the information is at your discretion except if the police produce a court order.

The police are not automatically entitled to access to personal patient data unless they produce a court order. When considering such a breach, the clinician must satisfy him or herself that there is a definite public interest justification and document it clearly in the patient's notes. In addition, care must be taken that only the minimum data are revealed. If in doubt, advice from your defence organisation or trust should be sought.

70% of respondents answered this question correctly.

Question 3: The mother of a 17-year-old patient telephones and enquires whether her son has been attending his appointments with you (he always attends alone). What do you do?

Correct answer: Decline, explaining that the information is confidential and can only be provided if authorised by her son.

General Dental Council guidance highlights the importance of protecting the confidentiality of patients' information.7 In the United Kingdom, 16 is the legal age of consent, and this patient can therefore receive dental or medical care without their parents' knowledge.

In addition, if a patient is under 16 years of age but has demonstrated insight and understanding into their treatment and its implications (Gillick competent: Gillick v West Norfolk and Wisbech Health Authority [1986] AC 112), only they can consent to treatment or information about their treatment being disclosed. However, it is advisable to encourage the patient to seek support from their parents where appropriate.

89% of respondents answered this question correctly.

Question 6: The envelopes used in postal correspondence with patients should be:

Correct answer: Marked strictly private and confidential and any NHS/practice logos and addresses must not be visible.

This question was answered correctly by 37% of respondents.

The General Dental Council specify that confidential information should be protected when ‘you receive it, store it, send it or get rid of it’.

Question 7: When calling patients to the surgery, you should ideally:

Correct answer: Collect the patient and escort them to the surgery.

81% of respondents answered this question correctly.

Question 8: Which filing system offers the most protection?

Correct answer: A computerised system with access control security and responsible users who apply the Data Protection and Caldicott Principles.1,5,6

This was a well answered question with 91% of respondents selecting the correct answer.

Question 9: Should a wife be informed that her husband is HIV positive, when she does not know, and her husband specifically demands she is not told?

Correct answer: Yes, in exceptional circumstances, in the interest of public wellbeing.

According to the ‘Confidentiality: NHS Code of Practice’ document, issued by the Department of Health, ‘risk of harm disclosures to prevent serious harm or abuse warrant breach of confidence’.1 However, this is a contentious issue and anybody in this position should seek advice from their defence organisation.

56% of respondents answered this question correctly.

Question 10: A 12-year-old patient's father calls following an appointment his child had with you that he was not present at. He wants to know what happened at the appointment. What should you do?

Correct answer: Tell him you cannot discuss this over the phone, but would be happy to give him details if he comes to the clinic.

When receiving telephone calls, the health professional should always confirm the identity of the person they are speaking to. Ideally, if someone has called you and you are not sure who they are, it is advisable to ring them back. The other factor that should be taken into consideration is the impact of disclosing this information. Furthermore, it may be that the father does not have parental responsibility. The Children Act (2004) states that parental responsibility is held by the child's parents if they are married to each other or have jointly adopted a child; or it is held by the child's mother, but not father, if they are not married. Exceptions to this are if the father has acquired parental responsibility via a court order or the couple subsequently marry. This is not automatically the case for unmarried parents. A father only has this right if he has acquired legal responsibility for his child either by:

  • Jointly registering the birth of the child with the mother (after 1 December 2003)

  • A parental responsibility agreement with the mother

  • A parental responsibility order, made by a court.

In addition, if the mother dies, parental responsibility does not automatically pass to the father if unmarried.9

56% of respondents answered this question correctly.

Question 11: A referring dentist rings you asking for details of a patient's orthodontic treatment plan. What do you do?

Correct answer: Write to him or her with the information.

The Confidentiality NHS Code of Practice states that ‘explicit consent is not usually required for information disclosures needed to provide healthcare. Even so, opportunities to check that patients understand what may happen and are content should be undertaken’.1

83% of respondents answered this question correctly.

Question 12: A patient asks to have a copy of their notes. What should you do?

Correct answer: Tell them to contact the medical records department.

Under the Data Protection Act (1998) patients have a right to see and/or have copies of their medical and dental records.6

89% of respondents answered this question correctly.

Question 14: Hospital notes must be kept on trust/practice property.

Correct answer: True, with exceptions.

This was a well answered question with 91% of respondents giving the correct answer.

The Confidentiality NHS Code of Practice supports this answer and states that ‘staff should not normally take patient records home’.1 However, the statement goes on to say ‘that where this cannot be avoided, procedures for safeguarding the information effectively should be locally agreed’, demonstrating that the guidelines are not always entirely clear and clinical judgement should be used for each case.

Question 16: Are you currently personally registered with the Data Protection Register? If so, what is your number?

Twelve respondents (32%) were registered with the Data Protection Register. Whether or not clinicians need to be individually registered with the Data Commissioner as data controllers is not straightforward and depends on the purposes for which the information is being used or intended to be used. The definition of a data controller is ‘a person who alone, jointly or in common with other persons determines the purposes for which and the manner in which any personal data are processed or are to be processed.’ The Data Controller is required to register with the Information Commissioner. When working in a hospital department, the trust should be registered and ultimate responsibility lies with the Caldicott Guardian when patient data are used for NHS purposes. However, although such employees will not be classed as data controllers, they will have a contractual obligation to abide by the data protection principles.2

Within a practice setting, unless working as an assistant or locum practitioner, all dentists, whether a principal, partner or associate, are advised by the British Dental Association to be individually registered as they are responsible for their patients' clinical records.2 In addition, every practice must have a Data Protection Policy, a Confidentiality Policy, and an Information Policy in place and all members of staff must comply with this.2

When using confidential data for any purposes other than the delivery of healthcare, for example teaching/lecturing, examinations or research, explicit written consent should be sought from the patient and the clinician should be registered.

Question 17 asked respondents to specify what they considered to be patient identifiable information out of: name, address, postcode, photos or NHS number. All of these were patient identifiable details and most respondents recognised this. However, out of 37 respondents, ten did not consider a postcode to be patient identifiable information.

Question 18: Keeping confidential patient information secure is:

Correct answer: a legal, ethical and NHS contractual obligation.

86% of respondents answered this question correctly. The General Dental Council's document Principles of patient confidentiality in its opening pages states that a dentist has an ‘ethical and legal duty to keep patient information confidential’.6 The Department of Health also states that ‘patient information is generally held under legal and ethical obligations of confidentiality’.1

Discussion

This audit was carried out as it was apparent that there was confusion among staff regarding the correct protocol with respect to information governance in our department. However, a review of current Department of Health, NHS, and General Dental Council guidelines together with local trust policy revealed that there are many areas where absolute guidance cannot be given and a combination of policy and clinical judgement must be exercised. In many of the scenarios listed in the questionnaire, the correct answer may be obvious. However, it is important to understand the guiding principles behind such decision-making. The source documents used for the scenarios were lengthy and quite difficult to read and there is often conflicting information in these complex documents. Furthermore, many Department of Health/Trust policies refer to ‘locally agreed policy’ which does not actually exist or is not published, and exemptions and exceptions apply to many principles but are not, in fact, specified.

Having said that, knowledge of information governance exhibited by the clinicians within this department was quite good. Figure 1 depicts the percentage of correct answers to all questions. Most questions were answered fairly well, with few falling below the 50% mark. This was perhaps more to do with good clinical judgement rather than explicit knowledge or understanding of published guidelines.

To improve local knowledge and due to the limitations of the published guidance on information governance, locally agreed, concise guidelines are being devised for our department. Once finalised, these will be published and distributed to all clinical staff and this audit will be repeated. Staff must also be aware that legislation and policy are subject to change and should endeavour to remain up-to-date at all times.

Conclusions

Clinicians' knowledge and practices of information governance principles in our department were good, with an overall correct response rate of 73%. However, there is scope for improvement and as dental professionals we are continually being trusted with confidential patient information. Thus it is imperative that all members of the dental team are aware of our ethical, legal, and contractual obligation towards our patients.

Figure 1 Percentage of correct answers for each question