At tooth we care about your personal data. On the 25th May 2018, new data protection legislation was introduced across the EEA. This is known as The General Data Protection Regulation (GDPR). GDPR gives greater protection to citizens across the EEA and makes all organisations more accountable for the handling of customers’ personal information.
As a dental practice we cannot conduct our business without requesting and maintaining personal information. When you register with us you will be asked for personal information and on your first appointment you will be asked for additional health related personal information. We need this information in order to provide the best, and safest, treatments for you.
Rest assured – we will never share your personal details with a third party unless we have a GDPR compliant contract for them to process data on our behalf (for example, via our encrypted backup suppliers) and your data will be kept confidential. On occasion we need to refer patients to another practitioner or to secondary care (for example, a hospital). On these occasions we will gain your consent before any data is shared and before the referral is made. We may also need to pass personal information to an indemnity or insurance provider for the establishment, exercise or defence of legal claims.
Personal data is obtained when a patient joins the practice, when a patient is referred to the practice and when a patient contacts us to make a booking.
The data protection principles require personal information to be:
1) Processed fairly and lawfully
2) Collected for specified, explicit and legitimate purposes
3) Adequate, relevant and not excessive
4) Accurate and, where necessary, kept up to date
5) Kept for no longer than necessary
6) Kept secure
The categories of data we process are:
- Personal data
  - Staff and team data for management purposes
  - Patient data for the purpose of reminders, booking appointments, sending recalls etc.
- Special category data
  - Health records for the delivery of health care services
  - Staff and team CRB/DBS checking data for management purposes and compliance with industry regulations
The storage of personal data takes place in the EEA in digital and/or hard copy format. Personal data (encrypted backup) is also stored in digital format by GDPR compliant contractors.
We use the following lawful basis categories for processing data, including special category data where applicable:
- Processing is necessary in order to fulfil our contractual obligation to the patient (delivery of healthcare)
  - (GDPR Category: Contract)
- Processing is necessary in order to assess the working capacity of the employee or team member
  - (GDPR Category: Contract)
- Processing is necessary in order to comply with statutory obligations such as those set by the GDC and CQC etc.
  - (GDPR Category: Legal)
- Processing is necessary in order to deliver ongoing health care to patients
  - (GDPR Category: Legitimate Interest)
How long do we keep your data?
We have an obligation to retain special category data in patient records for a minimum of ten years, and this could be longer for complex records in order to meet our legal requirements. The retention period for staff records is five years.
You have the following personal data rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (clinical records must be retained for a certain time period)
- The right to restrict processing
- The right to data portability
- The right to object
Further details of these rights can be seen at the Information Commissioner’s website.
Here are some examples of your rights:
If you are a patient of the practice you have the right to:
- Withdraw consent for important notifications.
- Inform us of any errors in your personal data (such as address, spelling corrections etc.).
- Withdraw consent from certain methods of communication, such as by telephone
- Obtain a copy of your patient records (we must deliver these within one month).
We have carried out a data audit to ensure that the way we use data complies with the GDPR and we have documented our decision on which lawful basis applies.
Comments, suggestions and complaints in relation to your personal data:
Should you have any comments or complaints about the way that we process your personal data, please contact our practice manager via email on firstname.lastname@example.org.
At tooth we are proud of all of our amazing patient feedback. We know that without our patients we are nothing so we always welcome feedback on our services and treatments. If you have any comments, good or bad, please do let us know and we'll do all we can to take action wherever appropriate.
We have a variety of ways you can leave feedback:
- speak to any of our team members
- email us on email@example.com
- call us on 020 7928 2875
- leave a comment on our Facebook page
- leave us a Google review
- fill out a comment card (available in reception)
To hear some of the lovely things that our patients are saying about us, click here to go to our patient testimonial page.
We do hope you never have the need to complain, but if you do, then click here to view our Code of Practice for Patient Complaints.