This question raises a number of important considerations, and unfortunately the simple answer is there that is no simple answer. A lot depends on the individual circumstances involved.

It's fundamental to data protection and patient confidentiality that you should only ever access a patient's records, which are sensitive personal data within the meaning of the legislation, if you have a legitimate and lawful reason for doing so.

Accordingly, patient records should only be accessed on a need-to-know basis, and not out of general interest or on a whim. The Information Commissioner recently fined a company where an employee was accessing personal data held on the company's database out of personal interest and not for any legitimate business reason.

Access to records - context and background

Clinical records held by a dental practice are under the control of the ICO-registered data controller, who should restrict access permissions to those with a legitimate reason, in line with GDPR and the practice's privacy policy. This will include a lawful reason for holding and processing a patient's personal data.

This lawful reason is usually based not on the consent of the data subject, but on other reasons, such as legal and contractual obligations. For example, there is a statutory requirement in the NHS Regulations to make clinical records and retain them for a specified period.

In general, the only people who should access a patient's records are those directly involved in that patient's current care. This would include treating clinicians, the dental nurse supporting them, practice receptionists and others involved in administrative tasks related to the patient's dental care (such a making and cancelling appointments, issuing invoices and receiving payments), and those investigating complaints. Those same people may themselves make entries in the records relating to their work on behalf of the patient.

Patients themselves have a legal right to access their records, and under GDPR they must be given copies within 30 days of making a request. They don't have to give a reason, and no charge can be made for providing the copies.

Anybody else requesting the records should usually be authorised by the patient, or someone with parental responsibility if the patient is a minor, and a signed form of authority supplied. This applies to those making complaints on behalf of patients, to solicitors, and to the police (with very few exceptions), and if in doubt members should seek our advice.

Coroners can request dental records when investigating a death, when they would usually be disclosed voluntarily to assist the coroner's investigation. And if a third party has obtained a court order compelling disclosure there is generally no option but to comply.

The GDC sets out its ethical guidance on maintaining and protecting patient's information at Section 4 of Standards for the Dental Team. This recognises that there may be occasions when it's in the patient's or the public interest to disclose records to a third party without the patient's expressed consent.

Accessing records after retirement

If, after you retire, a complaint or claim is made by a patient about treatment you provided, you would be expected to respond if you're in a position to do so (and remember, if this is ever the case, the DDU can help with your response).

If you sell the practice, the new owner has an obligation to operate a complaints procedure, and as data controller has an obligation to disclose the records to the patient or their authorised representative. However, it's obvious that only you can respond in detail to a complaint or claim about your own treatment, and it's in your interests to do so.

When selling a practice or an interest in a practice, it's normal for the contract of sale to include a requirement for the purchaser/successor to keep your clinical records safe and confidential, and to give you reasonable access in case a complaint or claim arises.

Accordingly, if you need access to a patient's records to respond to a complaint or claim, you should approach the current data controller, setting out your legitimate reason for wanting copies. They will then seek the patient's consent as appropriate.

From helping members deal with these types of enquiries, we're aware of situations when a practice has supplied records to a former dentist without the patient's authority - such as in connection with a complaint or claim - and patients and their solicitors have objected strongly and threatened to report the matter to the ICO.

It's therefore prudent to always seek the patient's consent in these circumstances, and a practice complaints procedure will normally include an explanation about the need to disclose the clinical records to the respondent(s).

Need help?

If you're facing a dento-legal dilemma, our advisers are on hand to answer your questions and offer guidance and support when you need it. Contact us here.