The Dental Defence Union (DDU) is reminding dental practices to regularly review and enforce data protection policies after the Information Commissioner's Office (ICO) issued the first fines to organisations breaching the Data Protection Act.
It warned that the loss of NHS data was the most commonly reported.
Using new powers gained in April 2010, the ICO issued a fine of £100,000 to Hertfordshire County Council for faxing information about a child abuse case to the wrong recipients, while an employment company was fined £60,000 for the loss of an unencrypted laptop containing the personal information of 24,000 people. 
While neither case involved a healthcare organisation, the ICO has reported that losses of NHS data are relatively common. More than 1,000 security breaches have been reported to the Information Commissioner’s Office in total since the end of 2007.
Of these, more than 300 – or just under a third – were losses within the NHS.
Deputy head of the DDU, Bryan Harvey said: ‘Health organisations that manage highly sensitive patient information, particularly when held electronically, may be vulnerable to an accidental loss of data and of course, this includes dental practices.
‘It’s therefore important to start the year with robust systems in place to protect patient data and ensure that all members of the practice abide by the rules.
‘The ICO has recently begun to use its power to impose fines for serious, deliberate or reckless breaches of the Data Protection Act, such as using unencrypted laptops containing personal information.
‘To avoid falling foul of the law, dentists who act as data controllers need to take reasonable steps to prevent breaches of the Act, such as carrying out a risk assessment or having a policy in place to encrypt all portable devices including laptops. Data which is held electronically can be particularly vulnerable, because it is more easily transmitted and portable.’
The DDU’s advice to members to reduce the risk of accidental confidentiality breaches from electronic records includes:
• Avoid storing identifiable personal data on mobile devices
• Have an information security policy in place and ensure all staff are aware of it
• Train all staff to keep information confidential and include a confidentiality clause in all employment contracts
• Never store patient data on staff home computers or laptops
• Be aware of relevant ethical and legal guidance, specifically from the GDC and the NHS
• Prevent unauthorised access to confidential information, for example by using password protection and providing members of staff, including locums, with unique passwords
• Ensure electronic means of communication such as fax and email are secure before sending the information
• Report any loss of data straightaway to the nominated senior person in your practice, so that action can be taken to prevent further breaches and the Information Commissioner can be informed, if appropriate
• Take advice from IT specialists on ensuring the security of any patient information which is held electronically; this extends to sharing that data and disposing of it securely when it is no longer needed. Ensure you have a written contract, outlining confidentiality requirements, with third-party suppliers such as the company that repairs and maintains your computers.