Wentwood House Dental Practice Privacy & Personal Data Protection Policy
The purpose of this policy is to set out the relevant legislation and to explain the actions that Wentwood House takes to ensure that it complies.
In our day-to-day essential running of the Practice and delivering care to our Patients, we collect and use a variety of data about identifiable people. This data includes:
Names, dates of birth, telephone numbers and addresses.
Medical history of patients and staff.
Clinical treatment information and X-rays.
Users of its website and Facebook page.
Past, present and prospective employees.
In the gathering and processing of this information, Wentwood House is subject to various legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.
The actions and controls apply to all systems, people and processes that constitute our information systems, including the directors, associates, employed and self-employed staff and all third parties who have access to Wentwood House’s information.
The General Data Protection Regulation
The General Data Protection Regulation 2016 (GDPR) is the most significant legislation to affect the way that Wentwood House carries out its processing activities and it is our policy to ensure that our compliance with GDPR and other relevant legislation is clear and demonstrable at all times.
- Personal data shall be processed fairly and lawfully and in a transparent manner in relation to the data subject. (‘lawfulness, fairness & transparency’)
We only collect, process and hold data of our patients for the specific purpose of providing a high quality of care and wellbeing.
We only collect, process and hold data of our staff for the specific purpose of monitoring and progression of performance, for salaried and pension purposes and to meet our legal requirements in terms of employment law.
Patients and employees understand how their personal data is processed and for what purpose.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. (‘purpose limitation’)
Patient or employee data shall only be processed for the purpose for which it was collected.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. (‘data minimisation’)
We only collect the personal data that we need from our patients and employees.
- Personal data shall be accurate and, where necessary, kept up to date. (‘accuracy’)
We take every reasonable step to ensure that the patient and employee data we hold is accurate and up to date. If it is inaccurate, it is rectified or erased without any delay (within the legal boundaries we adhere to for clinical note taking).
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. (‘storage limitation’)
We do not keep personal data for longer than we need it.
We delete hard copies of data after 10 years.
We have periodic reviews in place to see if any personal data has passed the relevant retention period and have a process in place to delete it.
- Personal data shall be processed in accordance with the rights of data subjects under this Act. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (‘integrity and confidentiality’)
We have security measures in place to prevent unauthorised processing by staff or third parties. (Staff files are locked and confidential. Our database is secured, using a secure server, encrypted and backed up by Wysdom.) See Data Map for full details.
We protect against the accidental loss, destruction or damage of any personal data, using appropriate technical and organisational measures. (All staff are aware of their data protection obligations. Emails are encrypted, and third-party agreements or policies have been obtained from any third party dealing with our data. See Data Map for full details.)
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. (‘integrity and confidentiality’)
No data is transferred by us outside the EEA. The only data that leaves the UK is that involved in Invisalign diagnosis and treatment. We have Invisalign’s GDPR policy and are happy that they comply. This is either processed by UPS courier or secure email. Our website designer may on occasion use programmers outside the UK, but not without our prior permission.
The hosting facilities for our Website are situated in the UK.
- We shall be responsible for, and be able to demonstrate compliance with each of the above principles (‘accountability’)
We have in place a clear audit trail to show how we adhere to the above principles. This includes evidence of policies and procedures, evidence of training of staff, evidence of agreements with third parties, and a data map and assessment. The legal basis for processing personal data is clear. Rules regarding consent are followed. All procedures will be reviewed regularly.
- We process information relating to your payment transactions, including purchasing of goods & services. (‘legitimate interest’)
The transaction data may include your name, payment & product information and amount paid. This information may be shared with our accountant and Practice Plan. If payment is not made as agreed, a debt collection service may be used to retrieve the debt.
The Data Protection Act gives rights to individuals in respect of the personal data that organisations hold about them. The Act says that:
Personal data shall be processed in accordance with the rights of data subjects under this Act. These rights are:
- a right of access to a copy of the information comprised in their personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed (in our case the right to be erased is not fully possible, due to the legalities involved in record keeping; however, the patient has a right to have their contact information erased: address, telephone number and email address);
- a right to claim compensation for damages caused by a breach of the Act.
We will not use any of our patients’ or staff’s data for any marketing or case studies without obtaining written consent first.
- Providing your data to others
We may share your data with third parties insofar as reasonably necessary to provide a quality of dental care and for the purpose of managing financial matters. These include, but are not limited to:
Hospitals and other Practitioners involved in your health care
Insurance companies (that you request we deal with)
Wysdom Dental technologies
Dental Defence Union
Once the data is with them, they are responsible for its safety. In dealing with these companies, we have agreements in place or have agreed that their data protection protocols comply with the GDPR.
We may process information from your enquiry data (‘legitimate interest’)
This information will have been provided by you and may include your name, email address, telephone number and address together with any other information you see fit to provide. We may keep records of the communication content.
For our website security we do process and track IP addresses. We use Google Analytics to help us manage our website; this gives us information about what people are looking at on our site and how long they look at it for. In doing so Google Analytics may gather information such as your IP address, geographical location, browser type and version, operating system and referral source.
- Website management
Our website developer and host are UK based. Our developer does on occasion use third parties outside the EEA. These parties are bound by their privacy agreements and data is sent to them only via password-encrypted methods. (As of May 2018, non-UK developers have not been used, and our developer will inform us beforehand in the event that they plan to use them in the future.)
- What we will do in the event of a breach
Wentwood House takes all practicable steps to ensure that all data is safely stored and processed. However, in the event of a breach:
All personal data breaches will be reported to Malan & Elouise Cloete.
If the breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage or other significant social or economic damage), we will ensure that the Information Commissioner’s Office (ICO) is informed of the breach without delay and in any event within 72 hours of having become aware of it.
In the event that a personal data breach is likely to result in a higher risk than listed above, we will ensure that all affected data subjects are informed of the breach directly and without undue delay. This notification will include:
1) Categories and approximate number of data subjects concerned;
2) Categories and approximate number of personal data records concerned;
3) The name and contact details of a contact at the Practice;
4) The likely consequence of the breach;
5) Details of the measures taken or proposed to be taken by us to address the breach including, if applicable, measures to mitigate its possible adverse effects.
Implementation of this policy
This policy shall be deemed effective as of 25th May 2018. No part of this policy shall have retroactive effect, and it therefore applies only to matters occurring on or after this date.