This Policy describes our procedures for ensuring that personal information about patients is processed fairly and lawfully. We are fully computerised and are registered as a Data Controller with the Information Commissioner for this purpose – Registration number ZA091792
Under the GDPR, the data protection principles set out the main responsibilities for organisations. Personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
In order to comply with this law we have adopted the following procedures:
- Made available a data privacy notice which is displayed in the waiting room, provided as leaflets and included on our website.
- Implemented a data map which details what information we hold and how we keep it secure
- Identified the lawful basis for processing personal data and the condition for processing special categories of data. This is also included on our data map.
- Maintained our registration with the ICO
- Put controller to processor and controller to controller agreements in place, or privacy notices on file, so that we are confident that any other party with whom we share our information complies with the GDPR
- Reviewed our IT procedures to confirm the security and integrity of our computers and website
- Updated our subject access policy, retention of records policy and data breach policy
- Provided employee privacy notices to our staff
Patients
In order to provide our patients with a high standard of dental care and attention, we need to hold personal information about them. The personal data comprises:
- Personal details such as their name, age, address, telephone numbers, email address and their general medical practitioner;
- Their past and current medical and dental condition;
- Radiographs, clinical photographs and study models;
- Information about the treatment we have provided or propose to provide (and its cost);
- Notes of conversations or incidents that might occur for which a record needs to be kept;
- Records of consent to treatment;
- Any correspondence relating to the patient with other healthcare professionals, such as referrals to specialists or from referring dentists.
Staff
We keep several categories of personal data on our employees in order to carry out effective and efficient processes. We keep this data in a personnel file relating to each employee and we also hold the data within our computer systems, for example, our payroll software.
Specifically, we hold the following types of data:
- Personal details such as name, address, phone numbers
- Name and contact details of next of kin
- Staff photograph
- Gender, marital status, information about any disability or other medical information
- Right to work documentation
- Information on race and religion for equality monitoring purposes
- Information gathered via the recruitment process, such as that entered into a CV or included in a covering letter
- References from former employers
- Details of education and employment history
- National Insurance numbers
- Bank account details
- Tax codes
- Driving licence or passport
- Criminal convictions
- Information relating to their employment with us, including:
  - Job title and job description
  - Salary
  - The wider terms and conditions of employment
  - Details of formal and informal proceedings such as letters of concern, disciplinary and grievance proceedings, annual leave records, appraisal and performance information
  - Internal and external training modules undertaken
  - Information on time off from work, including sickness absence and family related leave
In the main, we process staff data in order to comply with a legal requirement or in order to effectively manage the employment contract we have with them.
Referring dentists
In order to work effectively with referring dentists we hold the following information about them:
- Their name and contact details
- Their referred patient details
We rely on the lawful basis of fulfilling a contract to process these details.
Contractors
We will store information about any contractors that we use to carry out works or provide services to the practice. We hold the following information:
- Name and contact details
- Any bank account details provided on their invoice
We process contractor data to maintain effective financial and performance records and to fulfil a contract.
Where personal information is stored
Personal data is held in the practice’s computer system and/or in a manual filing system, both of which are locked when not in use. The information is not accessible to the public and only authorised members of staff have access to it. Our computer system has secure audit trails and we back up information on every working day.
All information outsourced to an external company, such as cloud back-ups or text reminders, is stored within the EU.
Retention periods
We have a Data Retention Policy which details how long we keep each category of personal information. For health care records, we will keep them for 10 years after the patient has ceased to be a patient at the practice (or until the age of 25 for a child).
Subject access rights
A patient can request a copy of their dental records free of charge, and the copy must be provided without delay and within one month of receipt of the request.
A charge of £10 can be made when a request is manifestly unfounded or excessive, particularly if it is repetitive. This fee can also be charged for requests for further copies of the same information.
More details can be found in our Subject Access Rights Policy, available at reception.
Training
Staff are trained on an annual basis in data protection, GDPR and confidentiality issues and our policies are reviewed annually.