The practice aims to meet the requirements of the Data Protection Act 2018, and the General Data Protection Regulation (GDPR). This notice describes our procedures for ensuring that personal information about our patients and employees is processed fairly and lawfully.
The data controller is the Clinical Director Dr Masoud Memari and Dr Gholam Sarrami. The Information Governance Lead is Practice Manager Sheema Ghilani and the Data Protection Officer is Mrs Nicola Mitchell.
This Privacy Notice is available on the practice website at www.davincidentistry.co.uk or at reception in the Practice Information Booklet.
Description of processing
The following is a broad description of the way this organisation/data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal information communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances.
Reasons/purposes for processing information
We process personal information to enable us to:
- Provide safe and effective healthcare services to our patients
- Maintain our own accounts and records
- Promote and advertise our services
- Support and manage our employees
Who the information is processed about
We process personal information about:
- Advisers, consultants, other professional experts
Type/classes of information processed
- Personal details
- Medical History
- Dental cast models
- Family details
- Goods and services
- Financial details
- Education and employment details
Who the information may be shared with
We sometimes need to share the personal information we process with the individual themselves and with other organisations i.e. specialist referrals. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with, for one or more reasons.
Where necessary or required we share information with:
- Healthcare professionals
- Social and welfare organisations
- Dental Practice Board – GDC
- Central government
- Financial organisations
- Current, past and prospective employers
- Educators and examining boards
- Family, associates and representatives of the person whose personal data we are processing.
- Quality Care Commission (CQC)
CCTV – Crime Prevention
CCTV is used to maintain security of the premises and for preventing and investigating crime. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders or members of the public. Where required this information may be shared with the data subjects themselves, employees, the service provider, police forces and persons making an enquiry. We have a CCTV policy in place, which is available on request.
It may be necessary to transfer personal information overseas. When this is needed, information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the Data Protection Act.
This policy sets out how our practice uses and protects any information that you provide when you use our website. Here you can read further information about how we use your data.
When you use our practice website, the transmission of personal information and other means of communication are not secure, and patients use the website at their own risk. Information submitted to our practice through our website is normally unprotected until it reaches us. Users are also requested not to send confidential details or credit card numbers, for example by email.
Our website DOES NOT give out or hold any confidential information.
Privacy Impact Assessment and Data Protection Impact Assessment
In providing you with our services, our practice will handle your personal information. Personal information is information about you from which you can be identified, such as your name and contact details. Depending on what services you receive from us, this will include sensitive personal information such as medical information.
If we make a change to any of the ways in which we process personal information, we will update our website and notice boards in the practice.
Confidential and Medical Information
The confidentiality of your personal information is of paramount concern to our practice and we comply with UK data protection law and all the applicable medical confidentiality guidelines issued by professional bodies such as the General Dental Council, ICO and the CQC.
Your confidential medical information will only be disclosed:
- To those involved with your treatment or care
- In accordance with UK law and guidelines from professional bodies
- For the purposes of clinical audit (unless you object)
If you receive services from our practice and that service transfers to a new provider, we may share your personal and confidential medical information with the new provider.
Sending information by email
Most patients have their x-rays sent by email and we ask the patients to input their email address at the time of transmission. All such transmissions are done at the patients’ own risk. Any request for clinical information regarding treatment, or a request from the patient to opt out of receiving any correspondence from us, must be provided in writing. This request will be processed within 48 hours of receiving it.
Sending Emails, letters and texts to patients
If you let us know we will remove your contact details so that you do not receive emails or texts. We will still hold the information but no longer use it. The only reason we would contact you after that would be if there is an overriding reason e.g. regulator GDC/CQC/ICO.
We are committed to keeping your personal information secure. We have put in place physical, electronic and operational procedures intended to safeguard and secure the information we collect. Our practice staff members have a legal duty to respect the confidentiality of your information, and access to your confidential information is restricted only to those who have a reasonable need to access it.
Personal Data Breaches
- We have in place a process to assess the likely risk to individuals as a result of a breach
- We will report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms we will inform those individuals without undue delay.
- We will ensure we have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority and affected individuals.
- We will keep a record of any personal data breaches, regardless of whether we are required to notify.
Information we may hold about you
The information we hold about you may include the following:
- Basic details such as name, address, contact details and next of kin
- Details of contact we have had with you
- Details of services you have received
- Payments made (we do not store credit/debit card details)
- Information about complaints and incidents
- Notes and reports about your health and any treatment and care you have received or need
- Recording of calls we receive or make
- Other information we receive from other sources, including from your use of websites and other digital platforms we operate or the other services we provide or information provided by other companies who have obtained your permission to share information about you.
When we collect information
Information about you is collected when:
- You use our services
- You submit a query to us, for example by email, telephone or social media, including where you reference our practice in a public social media post
- You participate in any marketing activity.
We may also collect personal information about you from other people when we liaise with:
- Your family
- Health professional
- Other treatment or benefit provider
We only share information in this way where:
- We are required by law or in accordance with guidance from professional bodies.
- You have provided your consent or in circumstances where you are incapable of giving consent
- We are unable, or it is not reasonable to seek your permission.
Using your information
We use personal information to provide you with our services, and to improve and extend our services. This may include:
- Responding to your queries
- Supporting your medical treatment or care and other benefits
- Internal record keeping and administration within our practice.
- Responding to requests where we have a legal or regulatory obligation to do so.
- Checking the accuracy of this information about you, and the quality of your treatment or care, including auditing medical and billing information.
- Supporting your nurse, carer or other healthcare professional
- Assessing the type and quality of care you have received and any concerns or complaints you raise, so that these can be properly investigated.
Our practice works with other individuals and organisations to provide our services to you and this may involve them handling your personal information. This handling of your information may be done within the European Economic Area and we ensure that the confidentiality and security of your personal information is protected by contractual restrictions and service monitoring.
We do not share your personal information with anyone outside of our practice to use for their own purposes, except:
- When we have your permission
- When we are permitted or obliged to do so by law (safeguarding).
- To protect the rights, property or safety of DaVinci Dental Clinic, our customers, or others.
- In order to detect, prevent and help prosecution of financial crime. For example, we may share information with fraud prevention or law enforcement agencies, and other organisations. If we suspect fraudulent activity we may inform the person or organisation who administers or funds our practice service.
We will only keep personal information for as long as is necessary and in accordance with UK law. We follow the guidelines for how long we retain data set out by:
- The General Dental Council (GDC)
- The Information Commissioner's Office (ICO)
- The Quality Care Commission (CQC)
Keeping information confidential and secure
We achieve this by
- Training all staff members as part of their induction
- Ongoing, regular and frequent training of all staff members at least once a year
- Internal reporting procedures
- Robust methods of breach detection
- All data processors are required to inform the data controller of all breaches without undue delay
- Proper password policy and procedures
- Enhanced Police Checks on all staff members
- Proper storage of digital and non-digital data
- Proper destruction of data that we no longer need
- Secure screensavers
- Ensuring that staff are aware of their individual responsibilities for data handling and processing
- Following best practice as advised by the GDC, ICO, CQC and DP
- Having effective working relationships with people/companies who have access to or share our data
- Regular audits of our risk and of our procedures
- Feedback from staff, patients, visitors and partners.
We only keep your personal information for as long as is necessary and in accordance with UK Law.
Our Data Suppliers
The only people with access to our data and/or computer system are:
- Our computer maintenance/security partner company
- Our Dental Database company
Access to your information and records
- We need to verify that a request is being made by a legitimate person and we therefore will always carry out security measures to determine the legitimacy of a request. This is especially true when the request is being made using email or another digital platform.
- The request should always be made in writing and handed into reception or sent by post
- Almost all requests for copies of data are dealt with on the day or within 48hrs of receiving the letter or email.
- We prefer to give a patient's information and data directly to the patient rather than to a third party, as this limits the opportunity for breaches and also means that the patient is directly in control and responsible if they decide to subsequently share the information.
Complaints about the way we use your data
These should be addressed to:
Mrs Nicola Mitchell, Da Vinci Dental Clinic, 3 Canon Harnett Court, Wolverton, Milton Keynes, MK12 5NF
If you are unhappy with our response you may complain to:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone Number: 0303 1231113 (Local Rate) or 01625 545745 if you prefer to use a national rate number.
If you have any data protection queries, please contact our practice Data Protection Officer Nicola Mitchell on 01908 886871 or email firstname.lastname@example.org or write to 3 Canon Harnett Court, Wolverton, Milton Keynes, MK12 5NF.
You may request a copy of the personal information we hold about you and ask us to correct or remove (where justified) any inaccurate information. This is free of charge; however, there may be a small charge if you request further copies. We may also ask you to provide additional documentation to confirm your identity or, if you are seeking to access personal information of another individual, proof of their consent or your legal right to receive personal information.
We review and update this notice regularly.