The Dental Defence Union (DDU) is advising dental professionals thinking of storing their patient records on virtual servers that individual consent from patients may be needed.
Some dental professionals may have concerns about their legal and ethical responsibilities when using virtual servers accessible over the internet, known as ‘data clouds’, to store patient information.
The DDU advises that dental professionals consider very carefully the risks involved in storing confidential patient information in third party off-site cloud facilities.
Leo Briggs, DDU dento-legal adviser, explained: ‘Traditionally, information such as patient records has been stored locally within the practice. But cloud computing can offer a convenient alternative, not least because the information can be accessed from any computer. However, the potential security and confidentiality risks of doing so may, for the present time, outweigh the benefits.
‘Dental professionals are obliged by the GDC to ensure that personal information about patients is protected at all times against improper disclosure. Dental professionals who are data controllers also have a legal duty imposed by the Data Protection Act (DPA) to ensure that patient information is held securely and protected from unauthorised or unlawful processing.
‘The DPA also requires that personal data should only be handled in ways people would reasonably expect. It is questionable whether patients would expect sensitive dental information to be held in an off-site storage facility not under the direct control of the dental professional involved in their care. In the DDU’s view it would therefore be necessary to seek the consent of each patient to store their data in such a way, making patients aware of any risks involved, and as far as possible, in which countries the data will be stored.’
Dental professionals should be aware of guidance from the Information Commissioner on using cloud computing, which advises organisations to be as open as possible with their customers and to take appropriate steps to tell them about the processing arrangements. It also suggests that those considering using cloud computing ask providers a number of questions, including:
Will the data be encrypted when in transit?
What are the deletion and retention timescales?
Will the data be deleted securely if you withdraw from the cloud?
What audit trails are in place to monitor who is accessing the data?
Which countries does the provider process data in, given that the DPA prohibits transfer of personal data outside the EU?
Does the written contract include confidentiality clauses?