
Audit Tool : Data Protection

Standard: Appropriate standards and measures are in place to ensure the legal collection, usage and protection of patient information in accordance with the Data Protection Acts of 1988 and 2003.

 

Date: __________________        Surgery/Practice: _________________

Auditor (print name): ______________________

 

Compliance Officer: ____________________         Job title: _______________

 

Rule  Data Protection Rules

1  Is personal data obtained and processed fairly?

2  Is personal data kept for one or more specified, explicit and lawful purposes?

3  Is personal data used and disclosed in ways compatible with the specified, explicit, lawful purposes?

4  Is personal data kept safe and secure?

5  Is retained personal data accurate, complete and up-to-date?

6  Is personal data adequate, relevant and not excessive for the purpose or purposes?

7  Is personal data retained for no longer than is necessary for the purpose or purposes?

8  Is there a clear procedure in place to provide an individual with a copy of his/her personal data, on request?

All questions must be answered Yes to achieve a Pass in each section, except where otherwise indicated.

Principle: Obtain and process personal data fairly.

1.1  Is the data collection process explained to a patient?  Yes ___  No ___
       • What information is being collected
       • Why the information is being collected
       • Who within the practice has access to the information
       • Who outside the practice may have access to the information

1.2  Is a patient aware of the consequences of not providing valid information?  Yes ___  No ___

1.3  Is a patient aware of his/her rights?  Yes ___  No ___
       • Access to personal data
       • Rectification of personal data

1.4  Is a patient aware of how his/her information is stored?  Yes ___  No ___

Optional  Is a patient provided with a practice Patient Privacy Statement?  Yes ___  No ___

Principle: Keep personal data only for one or more specified, explicit and lawful purposes.

2.1  Is the data collected solely for the dental care of a patient?  Yes ___  No ___

2.2  Is a patient aware of any other use which may be made of his/her personal data?  Yes ___  No ___

2.3  Is valid consent received prior to using data for purposes other than providing dental care?  Yes ___  No ___

2.4  Is a patient aware of the different types of data collected and retained?  Yes ___  No ___
       • Personal details
       • Medical history
       • Dental record
       • Financial information

2.5  Is a patient aware that his/her personal data may be used other than for dental care?  Yes ___  No ___
       • Report to dental insurance company
       • Medico-legal report
       • Teaching/lecturing purposes
       • Continuing professional development
       • Internal audit
       • External research
       • State schemes
       • Direct marketing

2.6  If information has been gathered for the purpose of direct marketing, has the patient’s consent been obtained?  Yes ___  No ___

2.7  If electronic mail is used for direct marketing, can the recipient UNSUBSCRIBE immediately and free of charge?  Yes ___  No ___

2.8  Are all disclosures of data legitimate?  Yes ___  No ___

Principle: Personal data should be used and disclosed in ways which are compatible with the reasons for which it was obtained.

3.1  Is ‘Confidentiality’ upheld in accordance with the Dental Council Code of Practice (Section 10, Professional Behaviour and Ethical Conduct, 2012)?  Yes ___  No ___

3.2  Is patient confidentiality included in staff training?  Yes ___  No ___

3.3  Is access to patient records on a ‘need to know’ basis?  Yes ___  No ___
       • To a guardian/carer
       • Within the practice staff
       • Upon referral to a colleague
       • Medical healthcare provider

3.4  Does the transfer of personal data respect the individual’s rights?  Yes ___  No ___
       • Consent to transfer
       • Accuracy of data transferred
       • Confidentiality
       • Security of data transfer

3.5  Are the individual’s rights respected whenever data is transferred?  Yes ___  No ___
       • When a patient transfers to another healthcare professional within the practice
       • When a patient transfers to another practice
       • Upon retirement, death or closure of a practice
       • Sale of a dental practice

Optional  Is there a professional confidentiality code within the practice?  Yes ___  No ___

Optional  Does the practice have a means of auditing when patient information has been accessed and by whom?  Yes ___  No ___

Principle: Keep personal data safe and secure.

4.1  Who, in the practice, is responsible for the security of data?
       Name: _______________________  Job title: _________________

4.2  Is access to patient records on a ‘need to know’ basis?  Yes ___  No ___

4.3  Is data protection included in staff training?  Yes ___  No ___

4.4  Are the premises locked and alarmed when not in use?  Yes ___  No ___

4.5  Is a fax machine used to transmit personal data?  Yes ___  No ___
       (If ‘Yes’ please answer 4.6. If ‘No’ please go to 4.7)

4.6  Is the fax machine in a secure area not accessible to the public?  Yes ___  No ___

4.7  Are patient records kept manually?  Yes ___  No ___
       (If ‘Yes’ please answer 4.8 and 4.9. If ‘No’ please go to 4.10)

4.8  Is access to the manual record system barred to the public?  Yes ___  No ___

4.9  Is the filing room/filing cabinet(s) locked when not in use?  Yes ___  No ___

4.10  Are patient records kept on computer or any other form of electronic storage?  Yes ___  No ___
       (If ‘Yes’ please answer the remaining questions as indicated. If ‘No’ please go to 4.30)

4.11  Are the relevant staff trained in the appropriate and secure use of the practice computer systems and the internet?  Yes ___  No ___

4.12  Are screens/monitors out of view of the public?  Yes ___  No ___

4.13  Does each workstation have a password-protected screensaver?  Yes ___  No ___

4.14  Are CDs, DVDs or disks kept in locked drawers?  Yes ___  No ___

4.15  Is all software legally owned by the practice?  Yes ___  No ___

4.16  Is the practice software password-protected?  Yes ___  No ___

4.17  Is the operating system updated regularly?  Yes ___  No ___
       • Automatically
       • Manually
       • By the maintenance provider

4.18  Is anti-virus/internet security software, compatible with the operating system, installed and running?  Yes ___  No ___

4.19  Is the anti-virus/internet security software regularly updated?  Yes ___  No ___

4.20  Are regular full-system scans undertaken?  Yes ___  No ___

4.21  Are servers housed in secure, appropriate conditions?  Yes ___  No ___

4.22  Is personal data stored on portable devices (laptops, smartphones, tablets, external drives or any other form of electronic storage)?  Yes ___  No ___
       (If ‘Yes’ please answer 4.23 – 4.26. If ‘No’ please go to 4.27)

4.23  Are all portable devices stored securely when not in use?  Yes ___  No ___

4.24  Are all portable devices password protected?  Yes ___  No ___

4.25  Is all personal data stored on portable devices encrypted?  Yes ___  No ___

4.26  Is a name and contact information affixed to all portable devices in case of loss?  Yes ___  No ___

4.27  Are all patient records backed up daily?  Yes ___  No ___

4.28  Is the data controller satisfied that the back-up system is secure?  Yes ___  No ___

4.29  Is there a contract in place delineating the responsibilities for security of data*, present and into the future, and for the retrieval of data (disaster recovery measures), for all online backup services?  Yes ___  No ___
       (*Equivalent to those imposed on the data controller under the Data Protection Acts)

4.30  Is there a written practice policy on breach management?  Yes ___  No ___

4.31  Who, in the practice, is responsible for dealing with a breach incident?
       Name: ____________________   Job title: __________________

4.32  In the case of loss/theft of retained personal data, is consideration given to notifying the appropriate persons/authorities?  Yes ___  No ___
       • People about whom personal data was retained
       • An Garda Síochána
       • The Data Protection Commissioner

Optional  Are patients aware of the use of online backup services, e.g. via the Patient Privacy Statement?  Yes ___  No ___

Optional  Is there a written practice policy on the use of email?  Yes ___  No ___

Optional  Is there a written practice policy on the use of the internet?  Yes ___  No ___

Optional  Is there a written practice policy on the use of fax machines?  Yes ___  No ___

Principle: Keep personal data accurate, complete and up-to-date.

5.1  Is personal data updated?  Yes ___  No ___
       • At every visit, or
       • Annually

5.2  Is the information gathered accurate, complete and contemporaneous?  Yes ___  No ___

5.3  Is the information dated?  Yes ___  No ___

5.4  Is the information comprehensible and legible?  Yes ___  No ___

5.5  Is the information well organised for efficient retrieval?  Yes ___  No ___

Principle: Ensure that personal data is adequate, relevant and not excessive.

6.1  Is the data adequate to serve its purpose effectively?  Yes ___  No ___

6.2  Is the data relevant, and not excessive, for its purpose?  Yes ___  No ___

Optional  Is there a written practice policy on the production of effective patient records?  Yes ___  No ___

Principle: Retain personal data for no longer than is necessary for the specific purpose(s).

7.1  Is there a practice policy on the retention of personal data?  Yes ___  No ___
       • Patient records
       • Staff records

7.2  Does the policy oversee the management of different retention systems?  Yes ___  No ___
       • Manual records
       • Electronic records

7.3  Is the destruction of manual records certified?  Yes ___  No ___

7.4  Is the destruction of information stored on hard drives (internal/external), CD, DVD, floppy disc, microfiche or any other form of electronic storage device certified at the time of equipment upgrades?  Yes ___  No ___

7.5  Are the certifications of destruction retained?  Yes ___  No ___

Principle: Individuals are entitled to a copy of their records.

8.1  Is there a clear, legally compliant practice policy regarding requests for access to personal data?  Yes ___  No ___

8.2  Is there a named person to process access requests?
       Name: ____________________    Job Title: ______________________

8.3  Does the practice policy comply with the requirements of the Data Protection Acts 1988 and 2003?  Yes ___  No ___
       • Right of access
       • Right of rectification/erasure of inaccurate data
       • Consent obtained for marketing
       • Right to be removed from direct marketing/mailing lists
       • Right to complain to the Data Protection Commissioner

Appendix:

Personal Data Security Breach Code of Practice

[Approved by the Data Protection Commissioner under Section 13 (2) (b) of the Data Protection Acts, 1988 and 2003]

 

1. The Data Protection Acts 1988 and 2003 impose obligations on data controllers [1] to process personal data entrusted to them in a manner that respects the rights of data subjects to have their data processed fairly (Section 2(1)). Data controllers are under a specific obligation to take appropriate measures to protect the security of such data (Section 2(1)(d)). This Code of Practice does not apply to providers of publicly available electronic communications networks or services.[2]

 

2. This Code of Practice addresses situations where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration. The focus of the Office of the Data Protection Commissioner in such cases is on the rights of the affected data subjects in relation to the processing of their personal data.

 

3. Where an incident gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data, in manual or electronic form, the data controller must give immediate consideration to informing those affected.[3] Such information permits data subjects to consider the consequences for each of them individually and to take appropriate measures. In appropriate cases, data controllers should also notify organisations that may be in a position to assist in protecting data subjects including, where relevant, An Garda Síochána, financial institutions etc.

 

4. If the data concerned is protected by technological measures such as to make it unintelligible to any person who is not authorised to access it, the data controller may conclude that there is no risk to the data and therefore no need to inform data subjects. Such a conclusion would only be justified where the technological measures (such as encryption) were of a high standard.

 

5. All incidents of loss of control of personal data in manual or electronic form by a data processor must be reported to the relevant data controller as soon as the data processor becomes aware of the incident.

 

6. All incidents in which personal data has been put at risk should be reported to the Office of the Data Protection Commissioner as soon as the data controller becomes aware of the incident, except where the full extent and consequences of the incident have been reported without delay directly to the affected data subject(s), the incident affects no more than 100 data subjects, and it does not include sensitive personal data or personal data of a financial nature.[4] In case of doubt, in particular any doubt related to the adequacy of technological risk-mitigation measures, the data controller should report the incident to the Office of the Data Protection Commissioner.

 

7. Data controllers reporting to the Office of the Data Protection Commissioner in accordance with this Code should make initial contact with the Office within two working days of becoming aware of the incident, outlining the circumstances surrounding the incident. This initial contact may be by e-mail (preferably), telephone or fax and must not involve the communication of personal data. The Office of the Data Protection Commissioner will make a determination regarding the need for a detailed report and/or subsequent investigation based on the nature of the incident and the presence or otherwise of appropriate physical or technological security measures to protect the data.

 

8. Should the Office of the Data Protection Commissioner request a data controller to provide a detailed written report of the incident, the Office will specify a timeframe for the delivery of the report based on the nature of the incident and the information required. Such a report should reflect careful consideration of the following elements:

  • the amount and nature of the personal data that has been compromised;
  • the action being taken to secure and / or recover the personal data that has been compromised;
  • the action being taken to inform those affected by the incident or reasons for the decision not to do so;
  • the action being taken to limit damage or distress to those affected by the incident;
  • a chronology of the events leading up to the loss of control of the personal data; and
  • the measures being taken to prevent repetition of the incident.

 

9. Depending on the nature of the incident, the Office of the Data Protection Commissioner may investigate the circumstances surrounding the personal data security breach. Investigations may include on-site examination of systems and procedures and could lead to a recommendation to inform data subjects about a security breach incident where a data controller has not already done so. If necessary, the Commissioner may use his enforcement powers to compel appropriate action to protect the interests of data subjects.

 

10. Even where there is no notification of the Office of the Data Protection Commissioner, the data controller should keep a summary record of each incident which has given rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data. The record should include a brief description of the nature of the incident and an explanation of why the data controller did not consider it necessary to inform the Office of the Data Protection Commissioner. Such records should be provided to the Office of the Data Protection Commissioner upon request.

 

11. This Code of Practice applies to all categories of data controllers and data processors to which the Data Protection Acts 1988 and 2003 apply.

 

29 July 2011

[1]  Unless otherwise indicated, terms used in this Code – such as ‘personal data’, ‘sensitive personal data’, ‘data controller’, ‘data processor’ – have the same meaning as in the Data Protection Acts 1988 and 2003.

 

[2] The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011) place specific obligations on providers of publicly available electronic communications networks or services to safeguard the security of their services. Further information is available in the Guidance Note that accompanies this Code of Practice.

 

[3] Except where law enforcement agencies have requested a delay for investigative purposes. Even in such circumstances consideration should be given to informing affected data subjects as soon as the progress of the investigation allows.

 

[4] ‘Personal data of a financial nature’ means an individual’s last name, or any other information from which an individual’s last name can reasonably be identified, in combination with that individual’s account number, credit or debit card number.