Keeping Your Records
This practice complies with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR, May 2018). This policy describes our procedures for ensuring that personal information about patients is processed fairly and lawfully.
How Do We Collect Information From You?
The dental professionals caring for you keep records about your health and any treatment and care you receive from our practice. These records help to ensure that you receive the best possible care. They may be written down in paper records or held on computer.
What Personal Data Do We Hold?
In a dental context, personal information held by a dentist about a patient includes:
Why Do We Hold Information About You?
We need to keep comprehensive and accurate personal data about our patients in order to provide them with safe and appropriate dental care.
How Your Personal Information Is Used:
Your records are used to direct, manage and deliver the care you receive to ensure that:
We will retain your dental records while you are a practice patient and after you cease to be a patient, for at least eleven years or, for children, until they reach the age of 25, whichever is the longer.
Disclosure of Information
In order to provide proper and safe dental care, we may need to disclose personal information about you to:
Disclosure will take place on a ‘need to know’ basis, so that only those individuals or organisations who need to know in order to provide care to you, or for the proper administration of government (whose personnel are covered by strict confidentiality rules), will be given the information. Only the information that the recipient needs to know will be disclosed.
In very limited circumstances or when required by law or a court order, personal data may have to be disclosed to a third party not connected with your health care. In all other situations, disclosure that is not covered by this code of practice will only occur when we have your specific consent.
Where possible you will be informed of these requests for disclosure.
Disclosures To Third Parties
There are certain restricted circumstances in which a dentist may decide to disclose information to a third party or may be required to disclose by law. Responsibility for disclosure rests with the patient’s dentist and under no circumstances can any other member of staff make a decision to disclose. A brief summary of the circumstances is given below.
When Disclosure Is In The Public Interest
There are certain circumstances where the wider public interest outweighs the rights of the patient to confidentiality. This might include cases where the disclosure would prevent a serious future risk to the public or assist in the prevention or prosecution of serious crime.
When Disclosure Can Be Made
There are circumstances when personal information can be disclosed:
Disclosure of Information Necessary In Order To Provide Care And For The Functioning Of The NHS
Information may need to be disclosed to third party organisations to ensure the provision of care and the proper functioning of the NHS. In practical terms this type of disclosure means:
Personal Data Breach
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. Redmires Dental Care will ensure this is reported within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we would also inform those individuals without undue delay.
We have robust breach detection, investigation and internal reporting procedures in place. These help us decide whether or not we need to notify the relevant supervisory authority and the affected individuals.
We also keep a record of any personal data breaches, regardless of whether we are required to notify the Information Commissioner’s Office (ICO).
Employees are reminded that all personal data processed at the practice must by law remain confidential, including after their employment has terminated. It is an offence under section 55(1) of the Data Protection Act 1998 to knowingly or recklessly obtain or disclose personal data without the consent of the data controller, Mr Raj Patel. If the practice suspects that such an offence has been committed, we will contact the Office of the Information Commissioner.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. This includes breaches that result from both accidental and deliberate causes. A breach is therefore about more than just losing personal data.
Personal data breaches can include:
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. There will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransom-ware, or accidentally lost or destroyed.
If a security incident takes place, our employees would report this to the management team so that they can quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR requires us to inform those concerned directly and without undue delay.
A ‘high risk’ means that the threshold for informing individuals is higher than the threshold for notifying the ICO; management would make this decision as soon as practically possible.
Reporting a Suspected Breach To The Management Team
If employees become aware of a breach, they would try to contain it and report it to Mrs Lindsey Wilkinson or Mr Rajesh Patel immediately. They will then assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen.
Members of staff must report a suspected breach regardless of their own assumptions about the severity of the risk.
If, after investigation, a member of staff is found to have breached patient confidentiality, not reported a suspected data breach or not complied with this policy, he or she shall be liable to summary dismissal in accordance with the practice’s disciplinary policy.
What Breaches Does The Business Need To Notify The ICO About?
When a personal data breach has occurred, management will need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it is likely that there will be a risk, then we must notify the ICO; if it is unlikely, then we do not have to report it.
However, if we decide we do not need to report the breach, we need to be able to justify this decision, so we will document it.
In assessing risk to rights and freedoms, it’s important to focus on the potential negative consequences for individuals. Recital 85 of the GDPR explains that:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.” Ref: ico.org.uk
This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. Ref: ico.org.uk
We would assess each case individually, looking at all relevant factors.
Lawful Data Processing
At Redmires Dental Care we make sure that any data we process is ‘necessary’, meaning that we cannot reasonably achieve the same purpose without the processing.
For each processing activity we identify the lawful basis for processing the data.
Processing shall be lawful only if and to the extent that at least one of the following applies:
1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. Processing is necessary for compliance with a legal obligation to which the controller is subject;
4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The lawful basis for processing patient data at Redmires Dental Care is:
The legal basis for processing personal data, such as name, DOB, address etc at Redmires Dental Care is:
If you would like any clarification regarding any aspects of this policy please direct any questions to our Practice Manager, Mrs Lindsey Wilkinson at email@example.com or via post to Redmires Dental Care, 68 Rochester Road, Sheffield, S10 4JQ or by telephone on 0114 2295020.