Information Governance in Dental Practices
Summary of findings from ICO reviews
September 2015
Executive summary

The Information Commissioner's Office (ICO) is the regulator responsible for ensuring that organisations comply with the Data Protection Act 1998 (DPA) and for promoting good practice in information handling. The DPA consists of eight principles with which all organisations processing personal data must comply.

Between June 2014 and June 2015, we visited 21 dental practices across the UK in order to understand the information risks and challenges that dentists are facing. We also conducted an online survey and held discussions with the British Dental Association (BDA), the Medical Defence Union (MDU) and Dental Protection.

Our visits could only cover a small number of dental practices and were predominantly to practices in England, due to the practices who were willing to participate. Despite these limitations, we believe that there are common themes and challenges faced by dentists in complying with the DPA. These challenges are set out below.

Summary of findings:

- There is confusion around when a dentist should register with the ICO, with some dentists registering when it is not necessary, and others not registering when it is required.
- Dentists do not always have written contracts, with appropriate clauses about information security, in place with contractors, particularly IT contractors. There was also evidence that some of the risks of new technologies, such as working on mobile and personal devices, are not being appropriately controlled.
- Retention policies (to determine when records, both physical and electronic, should be destroyed) were not in place at all sites visited. Retention periods were not always clear, and not generally applied to electronic records.
- There was some evidence that dentists are not always engaged with sources of best practice and new guidance in relation to information governance.
Recommendations

1. Responsibility for compliance and registration

Under the DPA, those responsible for the processing of data are called data controllers. A data controller must be a person recognised in law, that is to say: an individual, an organisation or another corporate or unincorporated body of persons. Data controllers determine why and how particular personal data will be used.

Dentists operate within a number of different complex structures, including individual practices, partnerships, expense-sharing arrangements, limited liability companies and dental corporates. This has led to some confusion about the circumstances in which a dentist is (or is not) a data controller, responsible under the DPA for patient data, and also for registration with the ICO.

Most individuals access their dental care through a named dentist at their local practice. Payment is provided to the practice, and the patient will deal with the practice through its reception staff. The common perception is therefore that the practice is the organisation responsible for treatment and for data protection.

The actual picture of data controllership is far more complex. It can be difficult to decide who is responsible for data protection in some of the above structures. This can be seen in the confusion amongst some dentists about who must register with the ICO (unless exempt, data controllers are required to register and then renew annually). It also leads to the risk that personal data is not protected properly because it is unclear who should be leading the work.

Whilst it is not possible to give a single rule that will fit every situation, there are a number of questions that might clarify whether a particular dental practitioner is a data controller.

1. Are you responsible for the control and security of patient records, and do you have other responsibilities associated with the data?
2. Do you have a patient list separately from the practice in which you treat patients, that would follow you if you left?
3. Do you treat the same patient at different practices?
4. If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter?

If you answer yes to any of the above questions, you are likely to be a data controller and will need to register with the ICO. You can register by visiting our website and selecting the link on the front page "Register your organisation". It will take around 15 minutes to complete. If in doubt, the ICO has a self-assessment tool and also specific dental practitioner FAQs, as well as a Registration helpline.

Example 1

A self-employed associate dentist works across two practices, each led by a principal dentist. Although the principal dentists organise the premises and IT systems for their own practices, the associate also maintains their own laptop and dental treatment software. They are legally responsible for the records of the patients they treat, which are stored on their laptop and are taken from site to site. The patients treated by the associate may be treated at either of those sites. The associate is likely to be a data controller, and should therefore register with the ICO.

Example 2

A self-employed associate dentist works for a small practice, led by a principal dentist. The principal dentist organises the premises and IT systems. The associate treats only those patients who come to the practice, and does not treat patients at any other practice. When the associate leaves the practice, he does not take any patient data with him. The associate is unlikely to be a data controller, and therefore will not need to register with the ICO.

2. Information security arrangements

Information security is a wide-ranging topic. It covers everything from physical security of records and premises, to using firewalls and anti-virus software, to training staff appropriately.

Dentists have a number of requirements placed upon them in relation to maintaining the security and integrity of records. Beyond the DPA, the General Dental Council (GDC) publish Standards for the Dental Team; Principle 4 is to "Maintain and protect patients' information". Similarly, Outcome 21: Records of the CQC's Outcomes Framework outlines the controls against which dental providers can be audited.
Under the DPA, organisations must have appropriate security to prevent the personal data they hold being accidentally or deliberately compromised. In particular, the DPA requires data controllers to take specific steps when using a third party (a data processor) to process personal data on their behalf. The DPA requires that data controllers:

- choose a data processor providing sufficient guarantees regarding information security;
- take reasonable steps to ensure compliance with those measures; and
- have a contract in place, in writing, specifying that:
  o the data processor is to act only on instructions from the data controller; and
  o the data processor must comply with information security measures comparable to those in the DPA.

In most of the practices we visited, general information security was fairly good. Dentists and dental staff are trained healthcare professionals, and therefore understand the requirements of confidentiality. However, there were some areas of information security where many dentists struggled; notably, ensuring that third parties (such as IT contractors) were covered by an appropriate formal contract, and managing some of the new ways of working (through mobile or personal devices, or at home).

Data processor contracts

In many of the smaller practices we visited, information technology support was provided by small-scale IT contractors. The arrangements for the IT support were often informal, either not written down, or else amounting to a small service-level agreement. They rarely included clauses concerning information security measures.

In some cases, this was justified on the basis that the contractor was unlikely to have access to personal data (working with hardware under supervision, or installing software only to new equipment). Nevertheless, it remains a possibility that contractors would be able to access personal data in the course of their work.
Home and mobile working

Home and mobile working was not, at the time of our visits and survey, widespread in dental practices, although it did appear to be becoming more prevalent, with dentists reporting that they were aiming to have the facility available.
In those places currently using home-working, or likely to do so in the immediate future, few procedures had been implemented to control how patient data would be used. There were examples of:

- typing up patient notes at home and emailing them, or transferring them on USB memory sticks to their practice (sometimes encrypted, sometimes not);
- using pseudonymised or anonymised patient data for CPD;
- using third party remote access software to access practice systems through personal computers; and
- staff bringing their own personal devices to use at work for work purposes (Bring Your Own Device, or BYOD, as it has become known).

It is important that dentists should consider carefully the risks associated with the use of mobile and home working (although it is entirely possible to use these tools securely). For example:

- Do home computers have appropriate security software to prevent unauthorised access (by other users or if they are lost or stolen)?
- How are home computers destroyed at the end of life?
- Are USB memory sticks appropriately encrypted when transferring data (to prevent accidental loss)?
- Are USB memory sticks properly scanned to prevent the potential import of malware into practice systems?

The ICO information security page contains useful information about applying information security principles, as well as links to our BYOD and encryption guidance and a practical guide to IT security for small businesses.

3. Retention of personal data

The DPA states that personal data should be retained for no longer than is necessary. However, it does not go on to specify how long is necessary for different categories of personal data. The following questions therefore tend to be asked (in descending order of importance):

- Is there any other legislation that requires that personal data be retained (for example, for income tax purposes)?
- Are there any agreed industry standards for retention (for example, an industry regulator or association has established rules for bodies within the industry)?
- What is your organisation using the records for, and when is the soonest they will not be of any use?
In the case of dental records, the BDA have established the following recommendation for retention of dental records:

- 11 years for adults
- For children, 11 years or up to their 25th birthday, whichever is the longer

The BDA took this decision based on the various limitation periods for bringing legal claims for personal injury, clinical negligence or breach of contract. These recommended retention periods are reiterated in the NHS Code of Practice: Records Management (which notes that they are derived from the BDA).

Not all dentists are members of the BDA, nor do all dentists provide NHS treatment. However, other industry bodies have tended to give broadly similar advice.

It should be noted that the discussed retention periods are maximum retention periods; that is, the length of time before records become unnecessary, and therefore, under the DPA, should be securely destroyed. There are very few circumstances in which retaining records indefinitely will be compliant with the DPA.

It should also be noted that there is some variance in retention periods across the UK. Although the UK DPA sets out no specific retention periods, the Regulation and Quality Improvement Authority (RQIA), Northern Ireland's independent health and social care regulator, has established regulations laying out particular retention periods for records (records should be kept for 10 years or until the patient reaches the age of 27, if they were 17 years old or younger when the treatment was provided). These retention periods are established as minimums; therefore, there is no conflict with the other retention periods previously discussed.

Many respondents did not know how long they were required to retain patient data, leading to a wide variety of practice. Industry bodies have designed standards, to which some dentists adhere for manual records. All dentists interviewed retained electronic records indefinitely.
Where practices had policies in place and followed them, they destroyed only manual or physical personal data. However, most practices are now moving to electronic dental records. None of the respondents to our research disposed of electronic records, or had the facility to do so.

The ICO recommends that dental practitioners implement a retention policy. A retention policy is a short document or schedule that lists when personal data should be destroyed, based on the questions and industry standards discussed above. This means that there is an easy, accessible answer when asking if a given piece of information should be destroyed.

Retention periods apply to manual and electronic records. Although practices were archiving inactive patient records (according to the facilities of their systems), these records remained intact and accessible at the push of a button. It is important that the dental sector begins to consider the importance of securely destroying electronic records at the end of their retention period.

In the meantime, for practices which do not have the technical capability to delete personal data due to system constraints, our guidance on deleting personal data lays out some important principles for putting such information beyond use. The data controller:

- is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
- does not give any other organisation access to the personal data;
- surrounds the personal data with appropriate technical and organisational security; and
- commits to permanent deletion of the information if, or when, this becomes possible.

4. Engagement with the wider information governance landscape

All organisations must keep up-to-date with how to keep information secure. The way in which some practitioners are failing to adapt effectively to the new use of mobile and personal devices within the workplace highlights the importance of being alert to guidance and advice about using new technology securely.

Pressures on the time of dental professionals seeking to run their own businesses (still the vast majority of dental providers within the UK) mean they can struggle to engage with more involved information governance issues. There have been a number of examples of nationwide information governance projects (including this one) which have gathered responses from only a few dental providers.
Most dental practitioners are understandably focused on delivering care to their patients, and cannot spend large amounts of time addressing complex information governance matters. The ICO is pragmatic about the requirements of running small businesses.
The general response from the dental sector to this piece of work (and engagement with pieces of information governance work led by other organisations, to which the ICO was party) suggests that additional channels of communication with the sector would be valuable.

The sector has industry bodies (GDC, BDA, MDU and Dental Protection) as well as smaller web-based or geographically localised communities and sectoral press. Effectively marketing guidance messages using these channels will be key to improving the sector's responsiveness to new information governance challenges.

Further actions

The ICO has produced a range of guidance to help organisations manage and secure personal information. This guidance can be found on our website, ico.org.uk, with particular health guidance at ico.org.uk/health.

Other useful guidance

- A practical guide to IT security
- Bring Your Own Device (BYOD)
- Guidance on the use of cloud computing
- IT security top tips
- Retaining personal data

Advice and Assistance

The ICO's helpline can answer queries about data protection compliance and can be contacted on

The ICO also has offices in Scotland, Wales and Northern Ireland which can answer questions specific to the legislation and regulations in those areas.

The Scottish office can be contacted on
The Welsh office can be contacted on
The Northern Irish office can be contacted on or
Appendix

Methodology

We invited a large number of dental providers to take part in our visit programme or complete our national survey (although only a fraction of the total; the August 2014 Care Quality Commission publication, A fresh start for the regulation and inspection of primary care dental services, places the number of dental care locations at 10,102 in England alone).

Visits were delivered to 21 practices, covering sole traders, partnerships, limited companies and members of dental corporates. Some practices offered private treatment only; others mixed NHS and private treatment. We visited (as far as possible given the voluntary nature of the visits) dental providers in different geographical regions.

Our visits took the form of a half-day, onsite informal review of the dental provider. We looked at how the organisation handled personal information, offered practical advice and guidance on relevant topics and provided a short summary after the visit. The visits typically covered information security, records management, training and requests for personal data. In a small number of cases we contacted the dental provider by phone to discuss these topics.

We also issued a national survey, asking dental providers a series of information governance questions. This was issued directly to a number of corporate dental chains and practices and indirectly through promotion by the BDA, MDU and Dental Protection. Despite the coverage achieved in this way (and the length of time the survey remained open), we received only 49 responses. Nevertheless, those responses agreed with the picture formed from our visits.

Finally, we approached three of the largest relevant industry bodies. The BDA, the MDU and Dental Protection discussed the current information governance challenges they identified as being most serious within the dental sector, and gave us access to the type of advice they are providing to their members.
We recognise the difficulties such a small response gives to effectively establishing what key risks face the dental sector. In addition to having insufficient respondents to recognise statistically significant trends, those practitioners that did respond will be subject to a volunteer bias; that is, one would expect that they are keen to engage with information governance, possibly leading to their practices having a better information governance baseline than the norm. However, we hope that the wide experience of dental sector challenges provided by the industry bodies will serve as a partial corrective to this problem.
Advice TUPE Regulations Staff contracts when you buy or sell a practice Advice Note 20 The Transfer of Undertakings (Protection of Employment) Regulations 2006 (known as TUPE ) provide legal protection
October 2010 Practice Note 10 (Revised) AUDIT OF FINANCIAL STATEMENTS OF PUBLIC SECTOR BODIES IN THE UNITED KINGDOM The Auditing Practices Board (APB) is one of the operating bodies of the Financial Reporting
UNIVERSITY HOSPITALS OF LEICESTER NHS TRUST POLICY FOR TRUST INDEMNITY ARRANGEMENTS (IN RESPECT OF CLINICAL NEGLIGENCE AND OTHER THIRD PARTY LIABILITIES) 21 st November 2003 APPROVED BY: Trust Executive
MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency
Information Commissioner s Office ICO response to the discussion paper on the Rehabilitation of Offenders Act 1974 14 November 2013 1 Contents Introduction Response Further issues About the ICO The ICO
A fresh start for the regulation and inspection of primary care dental services Working together to change how we regulate primary care dental services The Care Quality Commission is the independent regulator
Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...
The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational
WSIC Integrated Care Record FAQs How your information is shared now Today, all the places where you receive care keep records about you. They can usually only share information from your records by letter,
Data protection Subject access code of practice Dealing with requests from individuals for personal information Contents 3 Contents 1. About this code of practice 4 Purpose of the code 4 Who should use
April 2011 Country of Origin: United Kingdom Protection of Computer Data and Software Introduction... 1 Responsibilities...2 User Control... 2 Storage of Data and Software... 3 Printed Data... 4 Personal
Information retention and disposal guide Date: 31 October 2014 Version: 2.0 Contents 01. Guidelines The data challenge 5 Compliance what is it and why is it important? 6 The compliant data journey 7 Case
SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes