Data Security Policy

This policy describes Inglewood House's procedures for ensuring the security of personal data held by the practice. It should be read in conjunction with our GDPR Privacy Policy and Confidentiality Policy.

 

Confidentiality

In order to ensure confidentiality, we take the following measures:

 

  • All staff employment contracts contain a confidentiality clause.

  • Access to personal data is on a "need to know" basis only.  Access to information is monitored and breaches of security will be dealt with swiftly by the Business Manager, Karen Dorrington.

  • We ensure that personal data is regularly reviewed, updated and deleted in a confidential manner when no longer required.  Where a person ceases to be a patient of the practice, we keep patient records for at least 11 years or until the patient is aged 25 - whichever is the longer.

 

For further information, please refer to our Confidentiality Policy.

 

Physical security measures

In order to ensure that data we hold (whether on paper records or on computer) remains physically secure, we observe the following rules:

 

  • Personal data may only be taken away from the practice premises in exceptional circumstances and with authorisation from the Business Manager, Karen Dorrington.  If personal data is ever taken off practice premises, it must never be left unattended in a car or public place.

  • Patient records are now stored on computer.  The only patient information retained on paper is the medical history forms and original incoming correspondence (eg letters), which must be retained for medico-legal reasons notwithstanding that this is also scanned into the computerised records.  A lockable cabinet is provided in the cellar to store these.  Archived records are stored in the cellar, which is kept locked when not in use.  This makes our remaining paper records inaccessible to patients or other visitors to the practice premises.

  • The practice premises are secured when not in use.  All doors have at least two locks or bolts.  The practice windows also have security locks.  The practice also has a security and fire alarm system, which is linked to a remote monitoring service that automatically summons keyholders in the event of an intrusion or fire.

  • The practice has a business continuity plan in place which will be implemented in case of a disaster (eg fire, flood, earthquake, tsunami, hurricane), which includes procedures for protecting and restoring personal data.

  • When physical patient records are destroyed, this is done in a secure fashion: written records, correspondence, photographs, x-ray films and mounts are shredded using a cross-cut shredder for maximum security.

  • Credit card numbers printed on streamline slips are securely filed in Karen Dorrington's office, which is locked at all times, until no longer needed, when they are shredded.

  • Phone calls are now recorded, so recording must be paused while card payments are taken over the phone.

 

 

Information held on computer

Information held on computer requires particular precautions. We follow these procedures to protect it:

 

  • The practice uses passwords to protect computerised records.  These are known only to the people who require access to the information.  Staff are instructed never to write down passwords.

  • Staff using computers are given training in how to avoid unintentional deletion or corruption of information.

  • Computer system users are granted access to system functions only where they are strictly necessary to perform the particular functions of their job.  Administrative functions are reserved to the Business Manager only, reducing the risk of accidental alterations to system settings that may result in data corruption.

  • Specialist dental computer software used for maintaining clinical records has a full audit trail facility to prevent the overwriting or erasure of data.  The software records details of any amendments made to data, who made them and when.

  • The practice computer system is protected by antivirus and firewall systems in order to minimise the risk of unauthorised access, data corruption or data loss.

  • The practice computer system automatically updates operating system software so as to minimise system vulnerability to viruses, trojans and other malware and to reduce the risk of unauthorised access, data corruption or data loss.

  • We operate an off-site backup system to ensure that data is not lost.