    • 35 Maiden Lane Centre
    • Kilnsea Drive
    • Lower Earley
    • Reading
    • RG6 3HD

Data Protection

General Data Protection Regulation (GDPR) Data Protection

The Gallery Dental Centre Of Excellence aims to comply with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This policy and the related procedures lay out how The Gallery Dental Centre Of Excellence complies with the Data Protection Act 2018 and the GDPR. All team members must ensure they read, understand and comply with our policy and procedures in relation to the Data Protection Act 2018 and the GDPR.

Ensuring that individuals’ personal information is processed in line with the requirements of the GDPR and that individuals’ privacy is respected is imperative and all team members must give this a very high priority.

To comply with the Data Protection Act 2018, our practice has notified the Information Commissioner that personal information relating to patients and team members is processed and stored within our practice.

Personal Privacy Rights

Under GDPR, all individuals who have personal data held about them have the following personal privacy rights:

  • Right to subject access.
  • Right to have inaccuracies deleted.
  • Right to have information erased.
  • Right to object to direct marketing.
  • Right to restrict the processing of their information, including automated decision-making.
  • Right to data portability.

Automated Decision Making

This includes all decisions made without human intervention, i.e. all decisions that are taken automatically, e.g. email reminders to book an appointment, text or email reminders of appointments, and direct marketing.

Data Portability

The ability to take personal data elsewhere e.g. to another dental practice or employer.

Data Protection Officer (DPO) and Data Protection Lead

A DPO is a person designated or appointed to ensure the organisation or business complies with GDPR.

In our practice the DPO is Caroline Driver.

GDPR Principles

The Gallery Dental Centre Of Excellence aims to comply with GDPR requirements that state that personal data must be:

  • Processed lawfully, fairly and in a transparent manner.
  • Collected for specified, explicit and legitimate purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  • Accurate and kept up to date (inaccurate personal data must be erased or rectified without delay).
  • Kept in a form which permits identification of data subjects for no longer than is necessary.
  • Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Personal data inventories (patients and team members)

Our personal data inventories list all the personal data we process for patients and team members together with the risks attached to each type of data.

As required by GDPR, the data inventories also list:

  • Why we are holding the data.
  • How we obtained it.
  • The retention periods.
  • How secure it is in terms of encryption and accessibility.
  • Whether it is ever shared with third parties and if so, on what basis.
  • Our legal basis for processing the personal data.
  • Whether we ever transfer the data outside the EU e.g. laboratory work.
  • How aware we have made the patient or team member that we are processing each piece of data.

Access Rights

Access to records

All data subjects have the right of access to and copies of their personal data whether they are held on paper or on computer.

Patient records

A request from a patient to see records or for a copy must be referred to the patient’s dentist.

Care should be taken to ensure that the individual seeking access is the patient in question and where necessary the practice will seek information from the patient to confirm identity. A copy of the record must be supplied within one month at the very latest from the request being made. Every effort should be made to supply the information requested without delay and as soon as possible following receipt of the request.

The fact that patients have the right of access to their records makes it essential that information is properly recorded.
Records must be:

  • Contemporaneous and dated.
  • Accurate and comprehensive.
  • Signed by the dentist.
  • Strictly necessary for the purpose.
  • Not derogatory.
  • Such that disclosure to the patient would be unproblematic.

We have processes in place to ensure that we can respond to a data subject’s request for access to or copies of their records within one month (four weeks). We do not charge a fee for access to or copies of records.

In some situations, we may refuse an access request if we think it is unfounded or excessive. In those situations, we have clear refusal policies and procedures in place and will always ensure we can demonstrate why the request meets these criteria.

We provide additional information to people making requests, including our data retention periods and the right to have inaccurate data corrected.

Access refusal policy

Under certain, very limited circumstances we may refuse access to or copies of personal records. These could include:

  • Where we have concerns about safety or a safeguarding concern.
  • Excessive or repeated requests for the same information that has already been provided.

In these circumstances we will demonstrate how the request fits these criteria in accordance with GDPR and we will provide the individual with an explanation for the refusal unless this could put them at risk.

Consent to data processing

Consent is one of the legal bases for processing personal data. Consent is not appropriate as a legal basis for processing personal data in relation to patient care or to administer an employment contract or a self-employed associate agreement.

Consent must always be obtained for direct marketing.

We also obtain consent for the following:

  • Text messages for appointment reminders.
  • Emails for appointment reminders to ask a patient to book an appointment.
  • Taking and using photographs.
  • Sharing personal information with a referral practice.
  • Sharing information relating to appointment details, treatment details or costs with a named individual.

Gaining Consent

We understand that gaining consent is a complex process and we ensure that all the conditions described below are satisfied.

When using consent to process data for the purposes listed above, we ensure that:

  • Consent is freely given, specific, informed and unambiguous.
  • Patients and team members are never forced into consent, nor are they unaware that we are processing their personal data.
  • They know exactly what they are consenting to and we take precautions to ensure there can be no doubt that they are consenting.
  • Consent is always obtained by a positive indication of agreement; it is never inferred from silence, pre-ticked boxes or inactivity.
  • Consent is verifiable, and individuals are informed in advance of their right to withdraw consent.
  • We can demonstrate that consent was given, and we have an effective audit trail.

Data Protection Officer (DPO)

Our DPO is Caroline Driver.

Our DPO’s duties are:

  • To inform and advise the practice and its employees about our obligations to comply with GDPR and other data protection laws.
  • To monitor compliance with GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
  • To be the first point of contact for individuals whose data is processed, e.g. patients, employees, associates and supervisory authorities.

Personal Information – patients

Personal information about our patients includes:

  • The patient’s name, current and previous addresses, bank account/credit card details, telephone number/e-mail address and other means of personal identification such as his or her physical description.
  • Information that the individual is or has been a patient of the practice or attended, cancelled or failed to attend an appointment on a certain day.
  • Information concerning the patient’s medical history, including their physical and/or mental condition and their oral health or condition.
  • Information about discussions undertaken and agreements reached on treatment options, including costs of any proposed treatment.
  • Information about the treatment that is planned, is being undertaken or has been provided.
  • Information about family members and personal circumstances supplied by the patient or others.
  • The amount that was paid for treatment, the amount owing, or the fact that the patient is a debtor to the practice.

Retention Periods

The Gallery Dental Centre Of Excellence retains records of personal data only for as long as is required for the purposes for which it was collected or as required by law or to comply with statutory requirements.

Retention periods for individual items of data are documented in our Data Inventory records, in our Privacy Policy and in our Privacy Notices as required by the GDPR.

Retention – patients

This practice retains dental records and orthodontic study models while the patient is a patient of the practice and after they cease to be a patient, for at least eleven years, or for children until age 25, whichever is the longer.

Sending of Information Electronically

To comply with GDC Standards and GDPR, we ensure that if we are sending confidential information, we use a secure method. If we are sending or storing confidential information electronically, we will ensure that it is encrypted.

We are aware that the incorrect use of ‘BCC’ and ‘CC’ in email is one of the top data breaches reported to the ICO. Great care must be taken when using these options; if personal information is likely to be shared, a more secure option must be used.

Our email system can be configured to:

  • Provide alerts when ‘Carbon Copy (CC)’ is activated.
  • Set delays, allowing time for errors to be corrected, before an email is sent.
  • Turn off the auto-complete email address function in the recipient’s box.
  • Use the National Cyber Security Centre (NCSC) email security check tool: https://basiccheck.service.ncsc.gov.uk/email-security-check

Disclosure of Information to Third Parties

The information we collect and store will not be disclosed to anyone who does not need to see it.

Disclosure of Information – patients

The information we collect and store will not be disclosed to anyone who does not need to see it.

We will share our patients’ personal information with third parties when required by law or to enable us to deliver a service to them or where we have another legitimate reason for doing so. Third parties we may share patients’ personal information with may include:

  • Regulatory authorities such as the General Dental Council or CQC.
  • NHS Local Authorities.
  • Dental payment plan administrators.
  • Insurance companies.
  • Loss assessors.
  • Fraud prevention agencies.
  • In the event of a possible sale of the practice at some time in the future.

We may also share personal information where we consider it to be in a patient’s best interest or if we have reason to believe an individual may be at risk of harm or abuse.

Right to Object

Data subjects have the right to object to their personal data being processed or disclosed. Patients and team members who wish to object should discuss the matter with practice manager Joanna Gozdowska or DPO Caroline Driver. This may affect our ability to provide patients with dental care or it may affect our ability to fulfil the contract or agreement we hold with a team member.

This Policy, Code of Practice and the related practice procedures were implemented on 02/01/2024.
