PRIVACY NOTICE
​
We are legally obliged to keep dental records as they are required for the provision of treatment by a registered dental professional. Please contact us if you have any queries or concerns about this notice.
• We have procedures in place to ensure that personal data is regularly reviewed, updated and deleted in a confidential manner when no longer required. For example, we are legally required to keep patient records for at least 12 years after the last course of treatment or until the patient is aged 25 – whichever is the longer.
This Dental Practice is committed to ensuring the security of personal data held by the practice. This objective is achieved by every member of the practice team complying with this policy.
Confidentiality (see also the practice confidentiality policy)
• All staff employment contracts contain a confidentiality clause.
• Access to personal data is on a “need to know” basis only. Access to information is monitored and breaches of security will be dealt with swiftly by Miss Schofield, who is the named DATA PROTECTION OFFICER.
• We only contact patients in respect of appointments and billing. We do not send mailshots and do not share data with third parties.
• We do not use text or email for routine correspondence and we obtain specific consent if we are required to correspond by email for any reason.
• Records are only released to third parties (e.g. insurers and solicitors) after written consent from the patient has been received.
Physical security measures
• Personal data is never taken away from the practice premises. Records are accessed only by surgery reception and clinical staff, and are kept in cabinets, which are not easily accessible by patients and visitors to the practice.
• Efforts have been made to secure the practice against theft by, for example, the use of intruder alarms, lockable windows and doors.
• The practice has in place a business continuity plan in case of a disaster. This includes procedures set out for protecting and restoring personal data.
• Confidential waste paper is cross-shredded.
​
Information held on computer
​
• Appropriate software controls are used to protect computerised records, for example the use of passwords and encryption. Passwords are only known to those who require access to the information, are changed on a regular basis and are not written down or kept near or on the computer for others to see.
• Data is backed up daily online using commercial software. We use verified 256-bit encryption.
• Staff using practice computers will undertake computer training to avoid unintentional deletion or corruption of information.
• Dental computer systems have a full audit trail facility, preventing the erasure or overwriting of data. The system records details of any amendments made to data, who made them and when.
• Precautions are taken, through the introduction of computer anti-virus software, to avoid loss of data.
This statement has been issued to existing staff, who have access to personal data at the practice and will be given to new staff during induction. Should any staff have concerns about the security of personal data within the practice they should contact Dr. Ashraf.
​
Privacy by Design
​
Our data handling system is regularly reviewed and revised as part of our risk assessment programme. This notice is regularly reviewed and was last updated 18/05/2019.
We have determined that it is not necessary for us to carry out data protection impact assessments.
​
Breach Policy
​
In the unfortunate event of a breach of data security, we may be required to inform the ICO and the individuals potentially affected by the breach directly.
The decision as to whether further action is required will be made by Dr. Ashraf after consultation with senior staff, with regard to the patient’s potential for discrimination, damage to reputation, financial loss, breach of confidentiality or other significant economic or social disadvantage.
​
Patients’ Rights
​
Every patient has the right
• To be informed
• Right of access
• Right of rectification
• Right of erasure subject to statutory legislation
• Right to restrict processing
• (Right to data portability)
• Right to object
• Right not to be subject to automated decision-making including profiling
(this might mean obtaining consent to send recall at specified intervals)
​
The patient has the right to lodge a complaint to the supervisory body for data protection. In the UK this is:
​
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113 (local rate)