Data Processing and Confidentiality Policy
Keeping Your Records
This practice complies with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR, in force from May 2018). This policy describes our procedures for ensuring that personal information about patients is processed fairly and lawfully.
How Do We Collect Information From You?
The dental professionals caring for you keep records about your health and any treatment and care you receive from our practice. These records help to ensure that you receive the best possible care. They may be written down in paper records or held on computer.
What Personal Data Do We Hold?
In a dental context, personal information held by a dentist about a patient includes:
- The patient's name, date of birth, current and previous addresses, telephone number and e-mail address, next of kin, and other means of personal identification such as a physical description.
- Information that the individual is or has been a patient of the practice, or attended, cancelled or failed to attend an appointment on a certain day.
- Information concerning the patient's physical, mental or oral health condition.
- Information about the treatment that is planned, is being or has been provided
- Information about personal circumstances supplied by the patient
- The amount that was paid for treatment, the amount owing or the fact that the patient is a debtor to the practice.
- Your past and current medical and dental condition; personal details such as your age, national insurance number/ NHS number, address, telephone number, and your general medical practitioner
- Radiographs, clinical photographs and study models
- Information about the treatment that we have provided or propose to provide and its cost
- Records and consent to treatment
- Any correspondence relating to you with other health care professionals, for example in the hospital or community services
- Notes of conversations/ incidents that might occur for which a record needs to be kept
- Contact we have had with you such as appointments.
- Relevant information from people who care for you and know you well such as health professionals and relatives.
- Financial information for payment of any treatments.
- Details (such as impressions and prescriptions) sent to a dental laboratory to produce custom-made medical devices.
Why Do We Hold Information About You?
We need to keep comprehensive and accurate personal data about our patients in order to provide them with safe and appropriate dental care.
How Your Personal Information Is Used:
Your records are used to direct, manage and deliver the care you receive to ensure that:
- The dental professionals involved in your care have accurate and up to date information to assess your oral health and decide on the most appropriate care for you.
- Healthcare professionals have the information they need to be able to assess and improve the quality and type of care you receive.
- Your concerns can be properly investigated if a complaint is raised.
- Appropriate information is available if you see another dental professional, or are referred to a specialist.
- From time to time we may use your contact information to send you details of products and services offered in our practices that directly relate to your oral healthcare.
- We may send you general (non-marketing) communications such as email, text, phone or letter notifications (for example appointment reminders).
- We may provide third parties with statistical information about our patients, but this information will not be used to identify any individual.
- We will not, without your express consent, provide your personal information to any third parties for the purpose of direct marketing.
- We may discuss your care with colleagues for advice or education purposes.
We will retain your dental records while you are a practice patient and, after you cease to be a patient, for at least eleven years, or for children until the age of 25, whichever is the longer.
Disclosure of Information
In order to provide proper and safe dental care, we may need to disclose personal information about you to:
- Your general medical practitioner
- Hospital or community dental services
- Other health professionals caring for you
- NHS payment authorities
- HM Revenue & Customs (formerly the Inland Revenue)
- The benefits agency, where you are claiming exemption or remission from NHS charges
- Private dental schemes of which you are a member
- R4 (our practice management software) and Patient Comms (our patient communication service)
- Our IT support provider, currently Birchenall Howden
Disclosure will take place on a 'need to know' basis, so that only those individuals or organisations who need the information in order to provide care to you, or for the proper administration of government (whose personnel are covered by strict confidentiality rules), will be given it. Only the information that the recipient needs to know will be disclosed.
In very limited circumstances or when required by law or a court order, personal data may have to be disclosed to a third party not connected with your health care. In all other situations, disclosure that is not covered by this code of practice will only occur when we have your specific consent.
Where possible you will be informed of these requests for disclosure.
Disclosures To Third Parties
There are certain restricted circumstances in which a dentist may decide to disclose information to a third party or may be required to disclose by law. Responsibility for disclosure rests with the patient’s dentist and under no circumstances can any other member of staff make a decision to disclose. A brief summary of the circumstances is given below.
When Disclosure Is In The Public Interest
There are certain circumstances where the wider public interest outweighs the rights of the patient to confidentiality. This might include cases where the disclosure would prevent a serious future risk to the public or assist in the prevention or prosecution of serious crime.
When Disclosure Can Be Made
There are circumstances when personal information can be disclosed:
- Where expressly the patient has given consent to the disclosure
- Where disclosure is necessary for the purpose of enabling someone else to provide health care to the patient and the patient has consented to this sharing information
- Where disclosure is required by statute or is ordered by a court of law
- Where disclosure is necessary for a dentist to pursue a bona fide legal claim against a patient, when disclosure to a solicitor, court or debt collecting agency may be necessary
Disclosure of Information Necessary In Order To Provide Care And For The Functioning Of The NHS
Information may need to be disclosed to third party organisations to ensure the provision of care and the proper functioning of the NHS. In practical terms this type of disclosure means:
- Transmission of claims and related information to payment authorities such as the DPD/SDPA/CSA
- In more limited circumstances, disclosure of information to the PCT/HB
- Referral of the patient to another dentist or health care provider such as a hospital
Personal Data Breach
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. Redmires Dental Care will ensure this is reported within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we would also inform those individuals without undue delay.
We have robust breach detection, investigation and internal reporting procedures in place. These support the decision about whether or not we need to notify the relevant supervisory authority and the affected individuals.
We also keep a record of any personal data breaches, regardless of whether we are required to notify the Information Commissioner's Office (ICO).
Employees are reminded that all personal data processed at the practice must by law remain confidential after their employment has terminated. It is an offence under section 55(1) of the Data Protection Act 1998 (now section 170 of the Data Protection Act 2018) knowingly or recklessly to obtain or disclose personal data without the consent of the data controller, Mr Raj Patel. If the practice suspects that such an offence has been committed, we will contact the office of the Information Commissioner.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. This includes breaches that result from either accidental or deliberate causes, so a breach is about more than just losing personal data.
Personal data breaches can include:
- Access by an unauthorised third party;
- Deliberate or accidental action (or inaction) by a controller or processor;
- Sending personal data to an incorrect recipient;
- Computing devices containing personal data being lost or stolen;
- Alteration of personal data without permission; and
- Loss of availability of personal data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. There will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example when it has been encrypted by ransomware, or accidentally lost or destroyed.
If a security incident takes place, our employees report it to the management team so that they can quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR requires us to inform those concerned directly and without undue delay.
'High risk' means the threshold for informing individuals is higher than the threshold for notifying the ICO. Management will make this decision as soon as practically possible.
Reporting a Suspected Breach To The Management Team
If employees become aware of a breach, they will try to contain it and report it to Mrs Lindsey Wilkinson or Mr Rajesh Patel immediately. They will then assess the potential adverse consequences for individuals, based on how serious or substantial these are and how likely they are to happen.
Members of staff must report a suspected breach regardless of their own assumption about the severity of the risk.
If, after investigation, a member of staff is found to have breached patient confidentiality, not reported a suspected data breach or not complied with this policy, he or she shall be liable to summary dismissal in accordance with the practice’s disciplinary policy.
What Breaches Does The Business Need To Notify The ICO About?
When a personal data breach has occurred, management will need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it is likely that there will be a risk, we must notify the ICO; if it is unlikely, we do not have to report it.
However, if we decide we do not need to report the breach, we need to be able to justify this decision, so we document it.
In assessing risk to rights and freedoms, it is important to focus on the potential negative consequences for individuals. Recital 85 of the GDPR explains that:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.” Ref: ico.org.uk
This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. Ref: ico.org.uk
We assess each incident case by case, looking at all relevant factors.
Lawful Data Processing
At Redmires Dental Care we make sure that any processing we carry out is 'necessary', that is, the same purpose could not reasonably be achieved without it.
For each processing activity we identify the lawful basis for processing the data.
Processing shall be lawful only if and to the extent that at least one of the following applies:
1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. Processing is necessary for compliance with a legal obligation to which the controller is subject;
4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The condition relied on for processing patient health data (special category data) at Redmires Dental Care is:
- Processing is necessary for the purposes of preventive or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or a contract with a health professional.
The lawful basis for processing personal data such as name, date of birth and address at Redmires Dental Care is:
- Consent received from the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
If you would like any clarification regarding any aspects of this policy please direct any questions to our Deputy Practice Manager, Miss Bethany Dixon at firstname.lastname@example.org or via post to Redmires Dental Care, 68 Rochester Road, Sheffield, S10 4JQ or by telephone on 0114 2295020.