Burton Dental Care takes great care to protect the personal data we hold for you in line with the requirements of the General Data Protection Regulation (GDPR).
The purpose of collecting and storing personal data about you is to ensure we can:
- Provide, appropriate, safe and effective dental care, treatment and advice for you
- Fulfil any contracts we hold in relation to your care
- For business administration of your care.
Personal data held for our patients
The personal data we process (processing includes obtaining the information, using it, storing it, securing it, disclosing it, and destroying it) for you includes:
- Name, address, date of birth
- Phone numbers
- GP contact details
- Medical history
- Dental care records
- Family group
- Payment plan details
- Financial information
- Credit cards receipts
- Details of any complaints received
We keep an inventory of personal data we hold on our patients and this is available on request.
Disclosure to third parties
The information we collect, and store will not be disclosed to anyone who does not need to see it.
We will share your personal information with third parties when required by law or to en-able us to deliver a service to you or where we have another legitimate reason for doing so. Third parties we may share your personal information with may include:
- Regulatory authorities such as the General Dental Council or the Care Quality Commission
- NHS Local Authorities
- Dental payment plan administrators
- Insurance companies
- Loss assessors
- Fraud prevention agencies
- In the event of a possible sale of the practice at some time in the future.
We may also share personal information where we consider it to be in a patient’s best interest or if we have reason to believe an individual may be at risk of harm or abuse.
Personal privacy rights
Under the General Data Protection Regulation (GDPR) you have the following personal privacy rights in relation to the information we hold about you.
You have a right to:
- Access to and copies of your records.
- Have inaccuracies deleted.
- Have information about you erased. This should be seen in light of the need to keep records about your dental care in case you have any problems in the future.
- Object to direct marketing.
- Restrict the processing of your information, including automated decision-making.
- Take your data to another dental practice or anywhere else.
Patients who wish to have inaccuracies deleted or to have information erased must speak to the dentist who provided or provides their care.
Legal basis for processing data held about patients
GDPR has six lawful grounds for processing data and these are contained within Article 6 of the regulations. These are:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
As stated above, the GDPR states that a person’s consent cannot be “freely given” if they have no genuine or free choice, or are unable to refuse or withdraw consent without suffering a detriment, e.g. being refused treatment or health care. Also, consent should not be used as the basis for processing, if there is an imbalance between the person asking for consent, and the person giving it, for example an individual and the NHS – a clear in balance of power. In addition, if consent is used the “right to be forgotten” would apply – which would be impossible in relation to medico-legal documents.
Burton Dental Care will always obtain specific, opt in consent from you for direct marketing information. This will be in the form of a written opt in consent form. If you are a new patient, we will obtain consent when you first attend the practice. If you are an existing patient, we will obtain consent when you attend for your recall appointment or for a treatment appointment.
Withdrawal of consent
After you have given your opt in consent you have a right to withdraw your consent at any time.
This practice retains dental records and orthodontic study models while you are a patient of our practice and after you cease to be a patient, for at least eleven years, or for children until age 25, whichever is the longer.
You have a right to complain about how we process your personal data. All complaints concerning personal data should be made in person or in writing to Mohammed Al-Himdani. All complaints will be dealt with in line with the practice complaints policy and procedures.
This Privacy Notice was reviewed and implemented on: [21/05/2018]. It will be reviewed annually and is due for review on: [01/06/2019] or prior to this date in accordance with new guidance or legislative changes.