Simon Kidd, dento-legal adviser at the Dental Defence Union (DDU), discusses the legalities and professional obligations in maintaining patients' confidentiality.

figure 1

Confidentiality is one of the most important aspects of your relationship with patients. The General Dental Council (GDC), in its guidance, ‘Standards for the dental team',1states that as a dental professional you should ‘protect the confidentiality of patients' information and only use it for the purpose for which it was given [and] this applies to all the information about patients that you have learnt in your professional role.'

figure 2

©StudioGraphic/iStock/Getty Images Plus

What does the law say?

Following the introduction of General Data Protection Regulation (GDPR), all dental practices providing NHS treatment are considered as public authorities and are required to appoint a Data Protection Officer. This individual must have proven expert knowledge of data protection law and practice, will need to keep up to date with any changes and clarifications and understand the impact any changes will have on the practice.

All information contained in a patient's record, regardless of whether it is a digital or paper record, is subject to data protection law, which regulates the collection, processing and disclosure of personal data, and intends to protect against its misuse.

In addition to GDPR, the Access to Medical Reports Act 19882 also applies to dental practices. It enables patients to see reports written about them, for example, for employment or insurance purposes, by a registered dental professional who they usually see in a ‘normal' clinician/patient capacity. The patient can ask the dental professional not to send a report.

Confidential records must only be accessed when necessary and it is important to only release a patient's information without their permission in exceptional circumstances.

Are there any instances where I should break patient confidentiality and disclose information to third parties?

Confidential records must only be accessed when necessary and it is important to only release a patient's information without their permission in exceptional circumstances. Any dental professional may be committing a criminal offence if they disclose confidential personal information inappropriately. Also remember to put a detailed note in the patient's record any decision to share information. Be prepared to explain and justify your decisions and actions.

Here are some examples of how to respond if you are asked for a patient's confidential information from various organisations and/or healthcare bodies.

1. Relatives and carers

If a patient is unable to give consent, then you may only share necessary information - provided it is in the patient's best interests.

2. Other healthcare workers

You should only share information on a ‘need-to-know' basis, and you must respect a patient's objections to disclosure.

3. NHS bodies

You should comply with their lawful requests, but only subject to patient consent.

4. Healthcare regulators

You may be required to disclose information to organisations such as the GDC, the CQC and/or the relevant ombudsman. Anonymised information can be provided in some circumstances, so seek advice from your dental defence organisation.

The GDC may require a dental professional to produce patient records as part of its fitness to practise procedures, but you should still normally seek the patient's consent to such a disclosure.

5. Social services

Consent is usually required before disclosing information to social services. However, there may be occasions when it is necessary to disclose information about a patient without consent, either because the patient lacks capacity and it is in the patient's best interests or is otherwise in the public interest.

6. The police

The police do not have an automatic right to information about patients. However, there are specific provisions that require disclosure, such as S172 of the Road Traffic Act 19883 and S38B of the Terrorism Act 2000.4

Additionally, dental professionals in England and Wales have had a legal obligation to notify the police if they discover that an act of FGM [female genital mutilation*] appears to have been carried out on a girl under the age of 18.

It might be appropriate to release information if it is to help with the prevention or detection of a serious crime. Again, seek advice from your defence organisation before releasing any information. If the police have a valid court order, then information should be released to them.

7. Solicitors

Disclosure to solicitors, other than those acting for the patient, requires the patient's specific consent, unless the solicitors provide proof of a court order requiring disclosure.

8. Courts, tribunals and coroners/procurators fiscal

A judge and presiding officers at tribunals can make an order to produce confidential documents. The coroner (or procurator fiscal in Scotland) has a right of access to a deceased patient's records.

Does patient confidentiality extend to a patient who has died?

Your duty to respect confidentiality continues after a patient's death so if you want to release a deceased patient's records, you will need to obtain authority from an executor of the estate or the patient's personal representative.

An individual who makes a claim following a patient's death may also be entitled to see the patient's dental records under the Access to Health Records Act 1990.5

To access the full library of dento-legal guidance and advice from the DDU, visit https://www.theddu.com/guidance-and-advice.

*For more about child protection in relation to FGM, read https://www.nature.com/articles/bdjteam201681.