The General Data Protection Regulation (GDPR) seeks to protect and enhance the rights of patients or individuals. These rights cover the safeguarding of personal data and protection against the unlawful processing of personal data. GDPR does not apply to information already in the public domain.
The Data Controller at our clinic is Kate Huddleston, who is also registered with the ICO.
The Data Protection Officer (DPO) is Kate Huddleston, who ensures that the clinic complies with data protection requirements so that we collect, use, store and dispose of your information responsibly.
The Information Governance (IG) Lead is Kate Huddleston, who maintains a robust Information Governance Management Framework for the current and future management of information and for compliance with the required legislation.
This privacy notice describes the type of personal information we hold, why we hold it and what we do with it.
In providing your aesthetic and medical care and treatment, we will ask for information about you and your health. We may also receive information about you from other health providers who have been involved in your care.
We never pass your personal details to a third party unless we have a contract requiring them to process data on our behalf; otherwise we keep your details confidential. If we need to refer you to our colleagues or to a hospital for further care, we will obtain your consent before any referral is made and before any personal data is shared.
We can only keep and use information for specific reasons set out in the law. If we want to keep and use information about your health, we can only do so in particular circumstances. Below, we describe the information we hold and why, and the lawful basis for collecting and using it.
CATEGORIES OF DATA
The clinic holds Personal and Special Category data as follows:
1. Patient health records, correspondence and personal details
2. Personal staff employment data which also includes health records and details of criminal record checks for the purposes of safe recruitment and performance management
3. Personal data for marketing purposes
4. Personal data for contractors
LAWFUL BASIS FOR PROCESSING YOUR DATA
“Process” means we obtain, store, update and archive data. We have a lawful basis for processing your personal and special category data as follows:
1. We hold patients’ data because it is in our Legitimate Interest to do so. Without holding this data we cannot work effectively or provide you with appropriate, high-quality, safe and effective care and treatment.
2. We hold staff’s personal and special category data because we have a Legal Obligation to do so under Employment, Taxation and Pensions Law.
3. We hold contractors’ personal data because it is needed to Fulfil a Contract with us.
Your personal details, such as your name, date of birth, address, telephone number and email address, allow us to fulfil our contract with you to manage your appointments at the clinic. We also use them to send you reminders and recall appointments, as we have a legitimate interest in ensuring your continuing care and in making you aware of our services.
Your financial details, such as information about the fees we have charged, the amounts you have paid and some payment details, are kept because they form part of our contractual obligation to you to provide care and allow us to meet legal financial requirements.
Your health records fall into a special category. They include clinical records about your care and treatment, treatment plans, medical history records, clinical photographs, notes of any conversations about your care and treatment, appointment details, complaints, and correspondence between you and other healthcare professionals in relation to your care and treatment.
REASONS AND INSTANCES FOR SHARING YOUR DATA
Your information is normally used only by those working at the clinic but there may be instances where we need to share it with others. We will only disclose your information on a need to know basis and will limit information that we share to the minimum necessary. We will let you know in advance if we send your health information to another medical provider and we will give you the details of that provider at that time.
Patient data may be shared with other healthcare professionals who need to be involved in your care, such as specialist services through referral or your GP, and, where necessary, with debt collection agencies. Encrypted copies of your data are also held for backup purposes by our computer software suppliers.
Employment data will be shared with accountants, Occupational Health and government agencies such as HMRC.
Anyone who receives information from us has a legal duty to keep it confidential. We will not disclose patient or staff information to any third party without their permission unless there are exceptional circumstances, such as if the health and safety of the patient or others is at risk or if the law requires us to pass on information. In certain limited circumstances we may be legally required to share certain personal data if we are involved in legal proceedings or complying with legal obligations, a court order or the instructions of a government authority.
WAYS WE KEEP YOUR DATA SAFE
We store your personal and special category information securely on our clinic’s computer system.
Your information is only accessible to those who work at our clinic and have a need to access it. They understand their legal responsibility to maintain confidentiality and follow the clinic’s procedures to ensure this.
We have robust measures in place to ensure the overall security of the premises, with restricted access to digital and hard-copy personal data.
We use high-quality specialist medical software to record and use your personal information safely and effectively. Our computer system has a secure audit trail, and we back up information routinely.
At your request, we will delete non-essential information (for example some contact details) before the end of the retention period described below, but this does not apply to your health records.
Information Governance Procedures provide further details on how we ensure security of personal data.
RETENTION PERIOD FOR PERSONAL DATA
We will store patient data for as long as we are providing care, treatment or recalling patients for further care.
The Data Protection Act states that medical records should not be kept for longer than is necessary. The DoH (Department of Health) guidance suggests that this is no longer than 30 years.
We will store employment data for 6 years after an employee has left or longer in certain circumstances.
We will store contractors’ data for 7 years after the contract is ended.
YOUR RIGHTS
You have the right to:
1. Be informed about the personal data we hold and why we hold it.
2. Access the information that we hold about you and receive a copy. You need to contact us directly in writing, and we will supply a response within 30 days or sooner. We do not usually charge for copies of your information, but if a request is viewed to be ‘manifestly unfounded or excessive’ (for example, making repetitive requests) a fee may be charged to cover our administration costs in responding.
3. Check that the information we hold about you is correct and have corrections made where necessary.
4. Have your data erased in certain circumstances. For legal reasons, we will be unable to erase information about your treatment, but we can delete some contact details and other non-clinical information.
5. Have your information supplied electronically to another clinic if you request us to do so.
6. Tell us to stop using your information, for example sending you reminders for appointments or information about our services. You have the right to opt out, which means that at any time you may withdraw your consent, but you must inform the person who is providing you with treatment that you wish to do so.
If we are relying on your consent to use your personal information for a particular purpose, you may withdraw your consent at any time and we will stop using your information for that purpose.
All requests relating to the above should be made to Kate Huddleston, our Data Protection Officer (DPO), by email at firstname.lastname@example.org
The DPO will seek to verify the identity of the individual and that they are lawfully entitled to request this personal data. If we are unable to verify the authenticity of the request or the identity of the person making it, the request will be refused. If the request is authorised, the data will be provided within 30 days of the request.
IF YOU HAVE CONCERNS WITH HOW WE USE YOUR DATA
If you do not wish us to use your personal information as described, you should discuss the matter with the person providing your treatment or with our Data Protection Officer, Kate Huddleston. Please note that if you object to the way we collect and use your information, we may not be able to continue to provide your care.
We will do our very best to resolve the matter but if you still have any concerns about how we use your information and you do not feel able to discuss it with a dedicated member of our team, you can complain to the Information Commissioner online at www.ico.org.uk/concerns or by calling 0303 123 1113.
Document reviewed on: 31/10/22
Document reviewed by: Kate Huddleston