We are a Data Controller under the terms of the Data Protection Act 2017 and the requirements of the EU General Data Protection Regulation.
This Privacy Notice explains what Personal Data the practice holds, why we hold and process it, who we might share it with, and your rights and freedoms under the Law.
Types of Personal Data
The practice holds personal data in the following categories:
- Patient clinical and health data and correspondence.
- Staff employment data.
- Contractors’ data.
- Business management data.
- Marketing data.
- Suppliers data.
- Computer cookies
Why we process Personal Data (what is the “purpose”)
“Process” means we obtain, store, update and archive data.
- Patient data is held for the purpose of providing patients with appropriate, high quality, safe and effective, personalised, dental care and treatment.
- Staff employment data is held in accordance with Employment, Taxation and Pensions law.
- Contractors’ data is held for the purpose of managing their contracts.
- Business management data is held to allow effective and sustainable business management.
- Marketing data is held to allow business promotion and advertising.
- Suppliers data is held to allow sustainable business management.
- This is used to track the use and effectiveness of our website
What is the Lawful Basis for processing Personal Data?
The Law says we must tell you this:
- We hold patients’ data because it is in our Legitimate Interest to do so. Without holding the data we cannot work effectively. Also, we must hold data on NHS care and treatment, relating to our NHS contract for the care of Children, as it is a Public Task required by law.
- We hold staff employment data because it is a Legal Obligation for us to do so.
- We hold contractors’ data because it is needed to Fulfil a Contract with us.
- We hold business management data because it is needed to Fulfil a Contract with us.
- We process marketing data only when individuals have opted-in, thereby Consenting to the use of their data.
- We hold supplier data because it is needed to Fulfil a Contract with us.
Who might we share your data with?
We can only share data if it is done securely and it is necessary to do so.
- Patient data may be shared with other healthcare professionals who need to be involved in your care (for example if we refer you to a specialist or need laboratory work undertaken). Patient data is also stored securely for back-up purposes with our supplier (iDrive) who may also store it securely overseas, including outside of the EU. All data back-up information is transmitted using AES 256-bit, end-to-end encryption. In addition we utilise a personal encryption key meaning that our supplier, iDrive, cannot un-encrypt any of our data; that can only be done by us on the local machines in the Practice.
- Employment data will be shared with government agencies such as HMRC.
- Contractors’ data may be shared with authorised advisors such as our accountant or solicitor.
- Business management data may be shared with past or future owners of the business or HMRC.
- Marketing data is currently not utilised or shared with any outside body. However, it could be foreseen that future use of data may include sharing with marketing companies to deliver promotional material. Any companies engaged would be fully screened and contractually bound by these GDPR regulations.
- Suppliers data may be shared with authorised such as our accountant.
- Cookie data is used in conjunction with Google Analytics.
You have the right to:
- Be informed about the personal data we hold and why we hold it.
- Access a copy of your data that we hold by contacting us directly: we will acknowledge your request and supply a response within one month or sooner.
- Check the information we hold about you is correct and to make corrections if it is not
- Have your data erased in certain circumstances. This only relates to Marketing Data previously consented to. Our Legitimate Interest to maintain details of historic treatment, planned and or provided to you is not covered. Your details will be securely archived and securely destroyed after a period of time notified in our Retention of Records Policy.
- Transfer (a copy of) your data to someone else if you tell us to do so and it is safe and legal to do so.
- Tell us not to actively process or update your data in certain circumstances.
How long is the Personal Data stored for?
- We will store patient data for as long as we are providing care, treatment or recalling patients for further care. We will archive (that is, store it without further action) for as long as is required for legal purposes as recommended by the NHS or other trusted experts recommend. The relevant periods are laid out in our Retention of Records Policy.
- We must store employment data for a minimum of six years after an employee has left.
- We must store contractors’ data for a minimum of seven years after the contract is ended.
What if you are not happy or wish to raise a concern about our data processing?
You can complain in the first instance to our Data protection Officer, Dr Phillip Townes and we will do our best to resolve the matter. If this fails, you can complain to the Information Commissioner at www.ico.org.uk/concerns or by calling 0303 123 1113.