Cliftonville Dental is registered with the Information Commissioner and registration is renewed every 12 months. The practice is committed to complying with the Data Protection Act 2018, the EU General Data Protection Regulation (GDPR, from 25th May 2018), ePrivacy regulation, GDC and other standards.
We are a Data Controller under the terms of the Data Protection Act 2018 and the requirements of the EU General Data Protection Regulation.
The data held at Cliftonville Dental is:
• Obtained only for specified and lawful purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Kept for no longer than is necessary
• Processed in accordance with the rights of the data subjects
• Kept secure
Our legal basis for processing personal data is:
- Processing patients’ personal data is necessary to provide dental care and treatment; it is our Legitimate Interest to do so
- The health care data we process is called special category of data (sensitive personal data); our legal basis for processing it is Article 9(2) of GDPR
- We hold staff employment data because it is a Legal Obligation for us to do so
- We hold contractors’ data because it is needed to fulfill a Contract
- In some cases we may need additional Consent from patients, e.g. for marketing purposes. It is freely given, specific and easy to withdraw.
Personal Data means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Special Categories of Data
Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. The following are considered special categories of personal data under Article 9 of GDPR: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; data concerning health or sex life and sexual orientation; genetic data (new); and biometric data where processed to uniquely identify a person (new).
Usage Data is data collected automatically either generated by the use of the Service (www.cliftonvilledental.co.uk) or from the Service infrastructure itself (for example, the duration of a page visit).
Cookies are small pieces of data generated by websites stored on a User’s device either temporarily for the session only or permanently on the hard disk.
Data Processor (or Service Providers)
Data Processor (or Service Provider) means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
We may use the services of various Service Providers in order to process your data more effectively.
Data Subject is any living individual who is the subject of Personal Data.
Information Collection and Use
We collect several different types of information for various purposes to provide and improve our services to you:
We ask you to provide us with certain personally identifiable information that can be used to contact or identify you (“Personal Data”).
Special categories of Data
Data concerning health includes, but may not be limited to: medical history, records of dental work carried out, clinical notes, various types of x-rays (also CT Scans), prescribed drugs, statements of manufacture for dental appliances, study models, reports and letters from and to other healthcare providers.
DBS records for all employees.
Usage Data (website)
We may also collect information on how our website www.cliftonvilledental.co.uk is accessed and used (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
Tracking Cookies Data (website)
Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Beacons, tags, and scripts are also used as tracking technologies to collect and track information and to improve and analyze our Service.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our website.
Why we process Personal Data (what is the “purpose”)
“Process” means we obtain, store, update and archive data.
- Patient data is held for the purpose of providing patients with appropriate, high quality, safe and effective dental care and treatment.
- Staff employment data is held in accordance with Employment, Taxation and Pensions law.
- Contractors’ data is held for the purpose of managing their contracts
Who might we share your data with?
We can only share data if it is done securely and it is necessary to do so.
- Patients’ data may be shared with other healthcare professionals who need to be involved in your care (for example if we refer you to a specialist or need laboratory work undertaken). Disclosure will take place on a ‘need-to-know’ basis and only the information that the recipient needs to know will be disclosed.
- Patients’ and employees’ data is stored for back-up purposes with our IT supplier who stores it securely within the UK.
- In some cases we may need to use external companies to process certain types of data for us, like CT Scans. When a patient is referred to us by another dentist, the scan we take here is securely processed online using cloud-based technology. This allows referring dentists to access the scan they requested for their patient.
- For patients having facial aesthetics treatments with Azzalure, we need to share their personal details (i.e. name, address, DOB) with third party dental suppliers or pharmacies for the purpose of prescription.
- For some implant cases that we carry out, we need to use special dental software to plan the case. Any images we upload are stored securely and there are no identifiable personal details shared. Each case has an assigned code instead of the patient’s name.
- We would share patients’ treatment details with private dental schemes of which the patient is a member when the patient’s consent is given.
- We use a third-party company to manage our voicemail services. The company works as our overflow team. If the practice landline is busy or the practice is already closed, our phone calls are redirected to them. They can collect some basic information on our behalf from the callers, e.g. name, contact details and what the phone call is with regard to. They pass that information on to us via email. This information is also stored on their online portal within our client account, secured with a password, for no longer than necessary.
- Our website www.cliftonvilledental.co.uk collects submitted data, e.g. patients’ enquiries, referrals and job offers, using encryption and stores it securely online outside the EU. Information in our database is kept no longer than necessary.
- Cookies are now considered personal data under GDPR. Cookies on our website are identified and classified by third-party services we use.
- We use a third-party company to manage our Facebook and Instagram accounts. We may share a patient’s photos when the patient has given consent to post them on our Facebook/Instagram.
- We provide some payment plans for our patients
– we offer finance and we only share patient’s details if the patient requested finance and the consent was given.
– we also offer Denplan but again we only share patient’s details if the patient wants to join Denplan and the consent was given.
- Employment data is shared with government agencies, such as HMRC, and pension schemes.
- We use third-party accountancy services for keeping practice accounts and processing employees’ salaries and contractors’ invoices.
- Under the common law duty of confidence, identifiable personal information may be disclosed without consent in certain circumstances. These are:
– where there is a legal justification for doing so, e.g. to comply with a statute
– where there is a public interest justification – i.e. where the public good that would be achieved by the disclosure outweighs both the obligation of confidentiality to the patient concerned and the broader public interest in the provision of a confidential service.
All requests for disclosure of personal information without consent from the patient, including requests from the police, must be referred to the Practice Manager.
You have the right to:
- Be informed about the personal data we hold, why we hold it and how long we keep it.
- Access a copy of your data that we hold by contacting us directly (subject access request). This is free of charge unless the request is manifestly unfounded or excessive, or an individual requests further copies of their data following a request, in which case we may charge a “reasonable fee” for the administrative costs of complying with the request. We will acknowledge the request and supply a response within one month or sooner.
- Check the information we hold about you is correct and to make corrections if not.
- Have your data erased in certain circumstances (“right to be forgotten”), after the mandatory retention period (please refer to Record Retention Policy).
- Transfer your data to someone else if you tell us to do so and it is safe and legal to do so. You have the right to request a copy of your personal information in a structured, commonly-used, machine-readable format and ask for it to be sent to another dental practice.
- In certain circumstances, you have the right to restrict or limit the extent to which we process your personal data.
- You have the right to object to us processing your personal information for certain things, including direct marketing.
How long is the Personal Data stored for?
- We will store patient data for as long as we are providing care, treatment or recalling patients for further care. We will archive it (that is, store it without further action) for as long as is required for legal purposes as recommended by the NHS Code of Practice 2016 or other trusted experts.
- We must store employment data for six years after an employee has left.
- We must store contractors’ data for seven years after the contract is ended.
For more information please refer to Record Retention Policy and Record Management Policy.
All staff employment contracts contain a confidentiality clause.
Access to personal data is on a “need to know” basis only. All subcontractors working on-site sign a Confidentiality Agreement. We have proper agreements in place with the Data Processors we use for processing our patients’ and employees’ data.
Access to information is monitored and breaches of security will be dealt with swiftly by the IG Lead, Magdalena Okarmus-Zajac, and the Practice Manager, Gwen Hughes-Rowlands.
We have procedures in place to ensure that personal data is regularly reviewed, updated and deleted in a confidential manner when no longer required.
Please see also the practice Confidentiality Policy.
The information is not accessible to the public and only authorised members of staff have access to it. Personal data is only taken away from the practice premises in exceptional circumstances and when authorised by Gwen Hughes-Rowlands or in her absence Magdalena Okarmus-Zajac. If personal data is taken from the premises it must be encrypted with a password and never left unattended in a car or in a public place.
The practice ensures that confidential information transferred from the practice by post or courier is sent securely and following information handling procedures (please refer to Information Governance Procedures). Staff have been given training in information handling.
Patients’ dental records (hard copies) are kept in a lockable cabinet, which is not accessible by patients and visitors to the practice. Efforts have been made to secure the practice against theft by, for example, the use of intruder alarms, lockable windows and doors.
The practice has in place a business continuity plan in case of a disaster. This includes procedures set out for protecting and restoring personal data. Please refer to Disaster Planning and Business Continuity Policy, and Business Impact Analysis.
Information held on computer
Appropriate software controls are used to protect computerised records, for example the use of passwords and encryption. Passwords are only known to those who require access to the information, are changed on a regular basis and are not written down or kept near or on the computer for others to see.
Staff using practice computers will undertake training to avoid unintentional deletion or corruption of information. Staff members are required to lock computer screens when stepping away from their workstation. Staff members have read and are following Information Governance Procedures.
All practice back-ups are encrypted and managed by our IT support (please refer to Back-up Procedures). Back-ups are also tested at prescribed intervals to ensure that the information being stored is usable should it be needed.
Dental computer systems all have a full audit trail facility preventing the erasure or overwriting of data. The system records details of any amendments made to data, who made them and when.
Precautions are taken to avoid any data loss through cyber-attack or computer virus. All computers are protected with anti-virus and software is updated on a regular basis. Staff members have had proper training in handling emails. The same training will be given to new staff members. Should any staff have concerns about the security of personal data within the practice they should contact Magdalena Okarmus-Zajac or Gwen Hughes-Rowlands.
For more information please refer to Information and Communication Policy, Data Protection Policy, Confidentiality Policy and Information Governance Procedures.
What if you are not happy or wish to raise a concern about our data processing?
You can complain in the first instance to us, Cliftonville Dental, and we will do our best to resolve the matter.
IG Lead at Cliftonville Dental – Magdalena Okarmus-Zajac
Practice Manager at Cliftonville Dental – Gwen Hughes-Rowlands
If this fails, you can complain to the Information Commissioner at www.ico.org.uk/concerns or by calling 0303 123 1113.
What are cookies
Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows the Service or a third-party to recognise you and make your next visit easier and the Service more useful to you.
Cookies can be “persistent” or “session” cookies. Persistent cookies remain on your personal computer or mobile device when you go offline, while session cookies are deleted as soon as you close your web browser.
When you use and access the Service, we may place a number of cookie files in your web browser.
- To enable certain functions of the Service
- To provide analytics
We use both session and persistent cookies on the Service and we use different types of cookies to run the Service:
- Strictly Necessary Cookies
These Cookies are essential for you to be able to move around our website and use its features. They do not collect information that can be used to contact you outside this site, and they do not remain on your device after you have finished looking at this site (known as “session Cookies”).
- Performance Cookies
These Cookies collect information about how visitors use our website, such as which pages are viewed, how often, and whether it is working well. This data is used only when aggregated and does not identify you as a single visitor. These Cookies may be sent to a third party, such as Google Analytics, so that we can see how many people (but not who they are) have used our site. These are also session Cookies.
- Functionality Cookies
These Cookies allow our website to remember any preferences you have such as text size. They may also allow you to watch videos, blogs or access our social media pages, or to leave comments or messages for us. These Cookies may remain in place for a time after you have left our website (“Persistent” Cookies).
- Targeting Cookies
In addition to our own cookies, we may also use various third-party cookies to report usage statistics of the Service, deliver advertisements on and through the Service, and so on. These Cookies will also persist after you leave our website.
What are your choices regarding cookies
Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.
- For the Chrome web browser, please visit this page from Google: https://support.google.com/accounts/answer/32050
- For the Internet Explorer web browser, please visit this page from Microsoft: http://support.microsoft.com/kb/278835
- For the Firefox web browser, please visit this page from Mozilla: https://support.mozilla.org/en-US/kb/delete-cookies-remove-info-websites-stored
- For the Safari web browser, please visit this page from Apple: https://support.apple.com/kb/PH21411?locale=en_US
- For any other web browser, please visit your web browser’s official web pages.
Where can you find more information about cookies
You can learn more about cookies at the following third-party websites:
- AllAboutCookies: http://www.allaboutcookies.org/
- Network Advertising Initiative: http://www.networkadvertising.org/
Last Updated 23/05/18