What do Edward Snowden and UK health professionals (including dentists) have in common? Well, we are all working to increase security of information in our hands and quality assurance in confidentiality. The difference is that we may not end up in Guantánamo Bay! In a fascinating and insightful interview with the Guardian newspaper in Moscow, the NSA whistleblower has urged all those with a duty to protect confidentiality, such as lawyers, doctors and accountants, to upgrade their security in communications after his revelations concerning surveillance. According to the Guardian, Snowden believes that professionals are ‘failing in their obligations to their clients, sources, patients and parishioners in what he describes as a new and challenging world’.
"What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default.
"If you think your HIV status is secret from GCHQ, forget it," he said to the Guardian. "The tools are available to protect data and communications but only if you are important enough for your doctor or lawyer to care."
Niall Dickson, the General Medical Council chief executive, says: "Modern communication offers huge benefits for patients in terms of research, access to professionals, as well as speed of care and treatment. But of course it also carries risk, and confidentiality and trust are at the heart of the doctor-patient relationship." Although the General Medical Council provides guidance to UK doctors about protecting information, dentists have patchy practical help with this. We all know what we should be doing in principle but it is difficult to apply this to everyday life in busy practice.
We have a responsibility, to several different bodies with which we are registered, to keep all data confidential.
- It is one of the main tenets of the new General Dental Council standards and our main professional registration is dependent on this.
- It is part of our agreement with the Information Commissioner’s Office, which we all have to take up in order to keep personal data. The ICO has meted out fines of £150,000 to organisations that lose data or make it public.
- It is part of our contract with the NHS to be familiar and up-to-date with the Information Governance Toolkit. Our ability to work depends on this contract.
So this is pretty heavy stuff. However, above all the official responsibility, it is part of our personal and professional relationship with each individual patient to keep their information safe. This is paramount – or we let them down.
So, what can we do?
Quality Compliance Systems’ Policy and Procedure for Confidentiality contains the basic guidance for meeting our responsibilities. The purpose is to protect the rights of patients and ensure information is shared within the bounds of confidentiality. This applies to all staff within a practice and to all subcontractors, relatives and visitors to the premises.
The basic idea is that data is kept safe from unauthorised access. This might range from a professional attempt to hack data to a member of staff gossiping about a patient! It means that there is no discussion with, or disclosure to, a third party without the explicit agreement of the patient concerned.
We have to be sure that the transfer of data between cooperating service providers is sufficient for service provision, restricted to relevant material, and safe. A practical example of this is a simple referral letter to the local Oral Surgery Department. Information should:
- Be comprehensive for the purpose
- Not include personal details that are superfluous or embarrassing
- Not contain names in the subject line of an email
Now, we should consider sending all such letters by Special Delivery or as encrypted attachments to emails. This is actually easy to accomplish with ‘one click’ encryption in newer versions of MS Office. The password is then sent under separate cover.
It is the responsibility of the Practice Manager to keep up-to-date with all the guidelines and law concerning confidentiality. The principles should then be included in both contracts of employment and practice induction for new staff. In fact, all staff should be made aware of their responsibilities regarding confidential data and should sign a written statement (often contained in the contract of employment) about their responsibilities to maintain data protection at all times.
Treat information about patients as confidential and only use it for the purposes for which it is given. For instance, you cannot use privileged contact information for contacting patients for personal reasons, unless they have given you their address and phone number in circumstances outside of work.
Apart from the obvious need to store primary records securely, back-ups need to be kept safe too. The biggest day-to-day problem is keeping information safe from nosey patients, relatives and visitors. Ensure that no records are left, or used, in a manner in which other people can read them, and that conversations cannot be overheard. For instance:
- Try to find a safe and private place for confidential discussions with a patient
- Try to ensure telephone conversations with, or about, a patient cannot be overheard in the public areas
- Make sure all computers are password protected, and staff ‘log out’ when not sitting at a computer
- Design reception areas in such a way that people leaning over the desk cannot see the computer screens
What are the exceptions?
Information can be released with the written agreement of the patient, for insurance purposes or when involved in a complaint. In exceptional circumstances it may be justified to make confidential patient information known without consent if it is in the public or patient’s interest. Limited reasons for disclosure are:
- On referral to another provider
- In the wider public interest, involving serious risk to the public or serious crime. Be prepared to justify this in a court
- By court order, but only the minimum information required to comply
Specific examples of when NOT to disclose are:
- Requests from a school about the attendance of a child
- Requests from a parent (unless you are sure they are the legal guardian) about the attendance of a child
- Requests from a solicitor, or someone acting on behalf of a third party, for information
- Requests from a family member, even a spouse, about the attendance of a patient, or to discuss treatment
Be aware that any breach of confidence is likely to be reported to the relevant professional bodies to be investigated. These days, it is best to be doubly safe and never give information out without speaking to the patient directly. Remember, Guantánamo Bay beckons!
*All information is correct at the time of publishing