Earn CPD by reading this dilemma and the sidebar resources and then taking the quiz linked below.
The scene
A concerned DDU practice owner member contacted the advice line about a data breach. A member of staff at the practice had accidentally given a patient a paper copy of the surgery day list, which included other patient's names, contact details and medical histories. Our member was seeking advice on what to do next.
DDU advice
Our adviser explained that this unfortunate incident was a data breach, and as such should be treated as an information security Incident. The practice data controller (if this was not the member), and data protection officer (DPO) would need to be informed as soon as possible, as would the patients concerned. The patient should be informed to return the day list to the practice securely, and without delay.
Due to the significant impact on the affected patients, including the potential for confidential medical details to become known to others, our member was advised that notifying the Information Commissioners Office (ICO) that a data breach had occurred was likely to be advised by the practice's DPO.
In this case, the member was advised that any report to the ICO should be made without undue delay, and no later than 72 hours after becoming aware of the breach. A local adverse incident investigation within the practice would also be necessary. Keeping good, clear records at every stage would be important.
Our advisor suggested that in situations such as this, in-house staff training would be appropriate so that lessons could be learned, and to prevent something similar from happening again in the future. The member was very grateful for the advice.
Learning points
An incident like this can happen all too easily, and it's important that robust practice procedures are in place so data breaches can be correctly detected, investigated, managed and reported. As outlined in the GDC's Standards, dental registrants have a professional responsibility to be honest and act with integrity.
GDPR regulations define a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." In this case, both personal data and sensitive personal data had been accidentally disclosed without authorisation, but in nearly all cases, it is sensible to tell patients about any data breaches that occur.
Not every data breach meets the threshold for notification to the ICO. To identify those that do, members can access the ICO's self-assessment breach tool on the organisation's website.
A data breach in Scotland, Wales and Northern Ireland must be reported via the ICO breach reporting tool in each jurisdiction.
All breach notifications need to include the type of personal data breach, including:
- the categories and approximate number of individuals concerned
- categories and approximate number of personal data records concerned
- name and contact details of DPO or other contact point
- description of likely consequences of the breach
- description of measures taken or proposed to deal with the breach, including measures to mitigate possible adverse effects.
In-house policies should include a named person (such as the DPO) to lead on the local investigation and incident management into any data breach.
All staff, including trainees, should be aware of what constitutes a data breach, and induction procedures should ensure that all staff receive GDPR training.
Get verifiable CPD
If you've read this article and the advice linked in the sidebar, you'll be ready to complete our assessment and get 45 minutes of verifiable CPD.
To get your CPD certificate you'll need to score at least 80% on the assessment. You'll also need to add your name, DDU membership and GDC registration number so they're included on your certificate.
Click here to take the CPD quiz.
Not a member?
Join us today and become part of the DDU. We provide reassurance and peace of mind to UK dental professionals.
To get your verifiable CPD certificate, simply provide your contact details when asked and then score at least 80%. One of our dental liaison managers will then get in touch to discuss your requirements and provide you a quote for DDU membership.
This page was correct at publication on 10/11/2022. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.