Data Protection Policy
and Code of Practice

This practice collects and stores information and is therefore legally obliged to ensure that all personal data is protected. The practice is registered under the Data Protection Laws with the Information Commissioner and there are heavy penalties for infringement of the Data Protection Act 2018 and UK GDPR (2021).

It is important therefore that every team member understands how and why we use such data and how it must be stored and handled securely. We only hold information that is relevant and only for as long as it is needed.

Our data protection code of practice provides the required procedures to ensure that we comply with the Data Protection Act 2018 and UK GDPR 2021. It is a condition of engagement that everyone at the practice complies with the code of practice.

Introduction

Please read the following policy carefully. You should ask Amanda Bailey (GDC No. 134525) (Data Controller named in the GDPR, who is in charge of the correct operation of this policy) if there is anything about which you are unsure.

Team members must

At all times, comply with the principles of the Data Protection Act 2018 and UK GDPR (2021):

  • Never name a patient/staff member, or discuss identifiable information about them, outside the practice, including with friends or relatives of the patient/staff member.

  • Never post pictures or information which could identify a patient/staff member on any social media site.

  • Store patient records securely and confidentially where it is not possible for other patients, individuals or visiting providers to read them.

  • Store all staff records securely and confidentially.

  • Ensure that information about patients is never left unattended (e.g. reception screens, paper records).

  • Store paper records in lockable systems that are locked when unattended.

  • Not disclose to any person/agency whether a patient attended an appointment unless required.

  • Not provide appointment details to employers.

  • Ensure telephone/in-person conversations cannot be overheard.

  • Ensure no patient discussions take place in public areas.

  • Ensure messages about care are never left with third parties; only “please call the practice” may be left.

  • Ensure password-protected records are backed up daily.

  • Ensure screens are not visible to the public.

  • Ensure appointment books/day lists are not visible.

  • Never disclose patient information to third parties without explicit consent.

  • Never remove data from the practice unless securely encrypted for referrals.

  • Post all written communication in envelopes.

  • Do not demonstrate systems using actual patient information.

  • Ensure safe-haven procedures are followed for transmitted information.

What is ‘personal information’?

In a dental context, personal information includes:

  • Name, nickname, addresses, bank/credit card details, contact details.

  • Attendance, cancellation, or non-attendance details.

  • Physical, mental, or oral health information.

  • Treatment planned, ongoing, or completed.

  • Family/personal circumstances.

  • Fees paid, owed, or outstanding balances.

Staff information includes similar personal, financial, health, and training records.

Disciplinary Action

A team member breaching Data Protection may face summary dismissal.


Access to records

Patients have the right to access their health records. Formal applications must be in writing to Amanda Bailey (GDC No. 134525) and accompanied by applicable fees (if any).

Requests must be referred to the patient’s dentist. Identity checks may be required. Access must be provided within 30 days.


Subject Access Request

Patients may request their data (free of charge unless excessive). Practices may refuse only if manifestly unfounded or excessive, and must inform patients of their right to complain to the ICO.


Important

Records must be:

  • Contemporaneous

  • Accurate

  • Comprehensive

  • Signed

  • Necessary

  • Not derogatory

  • Suitable for disclosure


If a patient does not agree

If a patient objects to how their data is used, they may discuss this with their dentist, but this may affect our ability to provide dental care.


After employment ends

Confidentiality continues after employment. Unlawful disclosure may lead to prosecution.


Right to erasure (‘right to be forgotten’)

Applies only in certain circumstances. Requests must be answered within one month. It does not apply where data is required for medical care or legal obligations.


Special category data includes:

  • Racial/ethnic origin

  • Political opinions

  • Religious beliefs

  • Trade union membership

  • Genetic/biometric data

  • Health data

  • Sex life or sexual orientation


DATA PROTECTION CODE OF PRACTICE — INFORMATION FOR PATIENTS & STAFF

Our practice complies with GDPR and ensures information is processed lawfully.

Information we hold

  • Medical/dental history

  • Personal details

  • Radiographs, photos, models

  • Treatment details

  • Notes and correspondence

  • Consent records

  • Employment/training records

  • EDBS records

Why we hold your information

To provide safe dental care and fulfil NHS requirements.

Retention

We retain dental records for 11 years or until age 25 for children; staff records up to 5 years.

Security

Records are stored securely, accessible only to authorised staff and CQC inspectors.

We may disclose information to:

  • GP

  • Hospitals

  • Other health professionals

  • NHS authorities

  • HMRC

  • Benefits Agency

  • Dental schemes

Disclosure is on a need-to-know basis.

Other disclosures

Only when required by law or with explicit consent.