Records Management and Data Quality Policy
The availability of accurate and up-to-date data is vital for the safety of the people we care for and the safe and responsible running of our organisation. We hold and maintain information about the business and our patients that is necessary for the efficient running of the practice and the effective provision of dental care.
To ensure that the practice complies with data protection legislation, this policy describes:
- How long information is kept
- How information is stored
- How we ensure accuracy
- How we correct errors
- How we archive information
- How we dispose of information
This policy applies to all the information (hardcopy and digital) that we process, including personal information.
All members of the dental team (including temporary staff) must understand and adhere to this policy.
The practice Confidentiality policy describes the need for all members of the dental team to keep patient information confidential and practice procedures for handling information about patients; it must be followed always. The arrangements for keeping information safe are described in the practice Data security policy, which includes the measures for physical and electronic security.
The practice Privacy Notice for patients helps them understand how the practice uses and protects their personal information.
Information about the business and its patients is kept for no longer than required.
- Patient records are maintained and kept up to date while the individual remains a practice patient. When they cease to be a patient of the practice, their records are retained for ten years following their last visit to the practice or until age of 25, whichever is the longer.
- Personnel and associate records are maintained and kept up to date whilst the individual works at the practice as an employee or self-employed contractor. Following their departure from the practice their records are retained for six years from the date of leaving the practice. Records relating to workplace accidents or injuries are retained indefinitely. Records for associates are kept for up to eight years.
- Financial records are retained for at least six years.
- Business records, including contracts with suppliers, are retained for at least six years.
All members of the team must protect information held by the practice and store it securely. Information is only accessed on a need-to-know basis: where it is necessary to carry out required tasks; in the delivery of care to patients; or upon the direct instruction of a senior person within the practice.
For records held electronically, access is password protected and restricted to those who, as part of their work duties, require the information. Electronic records are regularly backed-up by Leigh Boulton and the backups are stored off-site in a physically secure location.
Non-electronic (paper) records are stored in a location that is not accessible to patients, visitors to the practice or other members of the public. To ensure that patient record cards, financial information and personnel records are stored securely they must be kept in lockable cabinets at the end of each working day and the keys retained by Maciej Wozniak.
Patient record cards are stored securely in the locked cabinets behind reception.
Financial information and personnel records are stored securely in the practice manager office.
Data accuracy procedures
To ensure that all information recorded at the practice is accurate, we check that it is:
- Authentic – the information was created by individual who ‘signed’ the record and at the time claimed. Staff use their personal profiles to enter information.
- Reliable – the information is complete and accurate and was created at the time of or as close as possible to the event and by those involved
- Integrity – The information is complete and unaltered; any alterations are clearly marked and identify the person who made them
- Useable – The information can be located when needed. The practice system for storing information is followed routinely.
The principal purpose of patient records is to record and communicate information about the individual and their care. The records provide an accurate, complete and contemporaneous record and include the patient’s information, oral health status, treatment options discussed and the decisions taken. The principal purpose of staff records is to record employment details for payroll and business planning purposes.
To fulfil these purposes, we:
- Use standardised layouts for the contents of records in the EXACT software.
- Ensure documentation reflects the full range of care, that all care is person centred and that care records are viewable in chronological order
- Provide a clearly written treatment plan when more treatment than an examination is required and we ensure that records are maintained, updated and shared with everyone involved
- Train staff on the creation and use of records (see induction plan) and provide annual training on good record keeping
- Have procedure that enables patients and staff to have access to their records on request
All staff who record information (on any practice system and whether hardcopy or electronic) are responsible for ensuring that the information is accurate and as complete as possible.
Correction of errors
Individuals have the right to access their personal data that we process and store and to request that inaccurate or incomplete records are rectified. Any team member may receive this request and all team members know to pass the request to the practice Data Protection Officer (DPO). Where we have shared information with a third party, we will inform them of any rectifications (if appropriate).
We will respond to a request for rectification within one month and may request identifying documents. If the request is complex, we may extend this to two months and provide the individual with the reasons for the extension. If the individual claims that the record is incomplete, the individual should provide the supplementary information.
When assessing a request to rectify record, we will restrict further processing. If we refuse the request, we will provide a full explanation in writing within one month of the receiving the request and inform the individual of their right to complain to the ICO and seek a judicial remedy.
The practice DPO keeps a record of rectification requests and outcomes
Where records need to be retained but are no longer required on a day-to-day basis, they are archived and stored securely. Records will be stored in a way that ensures easy identification and retrieval. The final decision on archiving information is taken by Maciej W
Electronic records that need to be retained but are not required on a day-to-day basis are, in the first instance, archived within the IT system. Where electronic storage space is at or near capacity, archived electronic data will be copied onto a suitable electronic format with copies stored securely at the practice premises and off-site.
The practice has systems for reviewing archived information that is no longer needed.Patients records and personnel information are reviewed in December each year.
Secure disposal of old records
Records that are no longer required are disposed of securely by shredding, pulping or incineration. The services of a professional contractor will be used where necessary; a certificate of confidential destruction is obtained and retained by the practice as evidence of DPA compliance.
Patient study models are disposed of as soon as they are no longer required, and at the latest at the same time as the records associated with the patient are disposed of. All names are removed from models and models are sent to be destroyed by certified provider.
Records held electronically and backups of electronic information are disposed of using the secure deletion option on the practice computer system
The final decision on disposing of records will be taken by Maciej Wozniak.
The following individuals have data protection and quality responsibilities:
- Data Controller Maciej Wozniak is responsible for reviewing the data quality policies and procedures at least annually
- Data Protection Officer Maciej Wozniak has responsibility for training staff in data quality, monitoring data quality throughout the practice, and responding to and recording rectification requests
- Data Security Lead – Maciej Wozniak is responsible for the quality of records and ensuring that staff understand their commitments in ensuring data quality.
All team members are responsible for the quality of information they record and for reporting any errors to the Data Protection Officer. All team members understand that information accuracy and security is a contractual and legislative requirement and that breach of this policy might result in disciplinary action.