Privacy Policy

Privacy Notice

We, at Byfleet Dental Boutique, need to keep comprehensive and accurate personal data about our patients in order to provide safe, appropriate and high quality dental care. We may also process personal data to answer any queries as a prospective patient. This Notice has been produced to aid with transparency on what data we collect and what we do with it.

What Personal Data Do We Hold?

To provide you, the data subject, with a high standard of dental care and attention, we need to hold personal information about you. This personal data is obtained from you, or in the case of a dependent, we may need to obtain some of this information from a parent/guardian or carer. This can be face-to-face, over the phone or through an internet query.

The data we hold and the reason for this is explained below:

Legal Obligation

Medical history and patient notes need to be recorded accurately and fully to comply with our legal / regulatory obligations as a health service. The data we collect for this legal requirement includes:

• your past and current medical and dental condition;
• personal details such as your age, national insurance number/NHS number, address, telephone number;
• details for your general medical practitioner.

This data is classified as special category data under the GDPR as information related to health is sensitive. Therefore, safeguards are in place to maintain confidentiality, and these details are only seen by those working in the practice that have signed a confidentiality agreement.

Contractual Obligations

Before undertaking any treatment the dentist will discuss your options with you and gain agreement (either verbally or in writing). Legally this is defined as a contract, so we may need to process your personal data in order to complete the requirements of the contract, or as a prerequisite to undertaking the agreed treatment:

• radiographs, clinical photographs and study models
• information about the treatment that we have provided or propose to provide and its cost
• notes of conversations/incidents about your care, for which a record needs to be kept
• records of consent to treatment
• correspondence relating to you with other health care professionals, for example in the hospital or community services
• finance applications, payment details and credit card receipts

Some of this information will need to be processed by third parties too, such as:

• WorldPay – for processing card payments
• PracticePlan – for processing applications to join the Byfleet Dental Plan
• Dental Laboratories – to produce the required dental work for the treatment

Legitimate Interest

We may need to contact you to further discuss your on-going treatment, to (re)arrange appointments or to answer a query you have raised. In these instances we will use your personal data to contact you, if we deem it is in your best interests to do so.

How We Process Personal Data

We will process personal data that we hold about you in the following way:

Retaining Information

We will retain your dental records while you are a practice patient and after you cease to be a patient, for at least 11 years or for children until age 25, whichever is the longer.

Security of Information

Personal data about you is held in the practice’s computer system and/or in a manual filing system. The information is not accessible to the public; only authorised members of staff have access to it. Our computer system has secure audit trails and we back up information routinely.

Disclosure of Information

To provide proper and safe dental care, we may need to disclose personal information about you to:

• your general medical practitioner
• the hospital or community dental services
• other health professionals caring for you
• NHS payment authorities
• the Inland Revenue
• laboratories completing work for your dental treatment
• private dental schemes of which you are a member

Disclosure will take place on a ‘need-to-know’ basis, so that only those individuals or organisations who need to know in order to provide care to you and for the proper administration of Government (whose personnel are covered by strict confidentiality rules) will be given the information. Only information that the recipient needs to know will be disclosed. Records will be kept of any data disclosed and to whom, as per the Accountability Principle of the GDPR.

In very limited circumstances or when required by law or a court order, personal data may have to be disclosed to a third party not connected with your health care. Where possible you will be informed of these requests for disclosure. In all other situations, disclosure that is not covered by this Policy will only occur when we have your specific consent.

Data Subject Rights Under GDPR

Right to be Informed

Individuals have the right to be informed about the collection and use of their personal data for transparency. This privacy information is available to patients through this policy document and the Privacy Notice in the practice.

Right of Access

You have the right of access to the data that we hold about you and to receive one electronic copy in our standard format free of charge. Access may be obtained by making a request in writing, and the data will be provided within 30 days. Any requests for the data in an alternative format may incur a charge. Data subjects also have the right to obtain from the data controller, Dr S Dhanoa, confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. If there are grounds to refuse the access request, the reasons for this will be explained and you will have the right to complain to the Information Commissioner’s Office (ICO).

Right to Rectification

Individuals have the right to have inaccurate personal data rectified and/or incomplete personal data completed. Where there is a dispute of opinion as to the accuracy of the data and the practice decide not to process the amendment, the data subject will be informed and have the right to complain to the ICO. The data subject will need to be informed within one month of receipt of the request.

Right to be Forgotten (Data Erasure)

The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. These requests will be responded to within one month.
The right to erasure, however, is not applicable to information held to satisfy legal obligations.

The data controller will need to compare the subjects' rights to "the public interest in the availability of the data" before completing such requests.

You will be asked if you would like a copy of your data before it is erased. Any hardcopies not taken by the data subject will be shredded and electronic information will be permanently deleted from the hard-drive and back-up drive.

Right To Restrict Processing

An individual can make a request to restrict or suppress their personal data verbally or in writing. The request should be completed within one calendar month.

Right of Data Portability

You have the right to obtain your personal data that has been acquired on the basis of a contract, and to reuse it elsewhere. The practice is not required to adopt or maintain processing systems that are technically compatible with other organisations. Therefore, the process when this right is exercised is the same as the Right of Access.

Right to Object

Individuals have the right to object to data processed for legitimate interests. Please discuss this with your dentist as this may affect our ability to provide you with dental care. This is not applicable to data processed for legal obligations or to fulfil contracts.


Any disclosure of personal data that is not covered by this Policy will only occur when we have your specific consent. On the consent form the purpose for data processing will be explained using clear and plain language. This consent can be withdrawn within 30 days of request.


For any further information please contact our Data Controller, Dr S Dhanoa at Byfleet Dental Boutique. To make an official complaint you can contact the Information Commissioner’s Office (ICO).
