- There is confusion around when a dentist should register with the ICO, with some dentists registering when it is not necessary, and others not registering when it is required.
- Dentists do not always have written contracts, with appropriate clauses about information security, in place with contractors, particularly IT contractors. There was also evidence that some of the risks of new technologies, such as working on mobile and personal devices, are not being appropriately controlled.
- Retention policies (to determine when records, both physical and electronic, should be destroyed) were not in place at all sites visited.
- Retention periods were not always clear, and not generally applied to electronic records.
- There was some evidence that dentistsare not always engaged with sources of best practice and new guidance in relation to information governance.
- Responsibility for compliance and registration
- Information security arrangements
- Retention of personal data
- Engagement with the wider information governance landscape
The document includes further detailed guidance to support implementation. For a complete treatment of data protection, and what it means for dental practices, please consult the Practice Support Manual (login required).