Faversham Smiles aims to comply with the General Data Protection Regulation (GDPR), which came into effect on 25th May 2018. This policy and the related procedures lay out how Faversham Smiles complies with the GDPR. All team members must ensure they read, understand and comply with our policy and procedures in relation to GDPR. Ensuring that individuals’ personal information is processed in line with the requirements of the GDPR and that individuals’ privacy is respected is imperative. We ensure that all team members give this a very high priority.
To comply with the GDPR and the UK Data Protection Act (1998), our practice has notified the Information Commissioner that personal information relating to patients and team members is processed and stored within our practice.
GDPR defines a number of roles and responsibilities and introduces some new roles and terminology. Team members must ensure they are familiar with these.
The following are relevant and are explained below:
Processing includes collecting the information about an individual, using it, storing it, securing it, disclosing it, and destroying it. The GDPR applies to all businesses and organisations and to all personal data held about individuals. In a dental practice this means patients, employed and self-employed team members, referrers, and anyone else that the practice processes data for.
A data controller determines the purposes and means of processing personal data. In our practice this is Dr Shilpi Rattan.
A data processor is responsible for processing personal data on behalf of a controller. Data processors are required to maintain records of personal data and processing activities and they have legal liability if they are responsible for a breach.
All practice team members are data processors. The employer, Astrium Partnership Limited, is responsible for making all team members aware of their responsibilities in relation to data protection. The need to comply with the GDPR and other data protection laws is included in all employment contracts and associate agreements.
Data processors are also the practice management software companies, IT support companies, payment plan providers and all other organisations that handle personal data on behalf of the controller.
A data subject is an individual about whom we process personal information.
Personal data includes name, address, date of birth, doctor’s name and address, etc. The personal and the sensitive (including special category) data we process for our patients and team members is listed in our data inventories, GDPR Inventory Patients and GDPR Inventory Staff, which are located in the Office, which is kept locked. Dr Shilpi Rattan and Dr Shabat Momin have access via a key.
Sensitive data includes information such as medical history, medical and dental records, ethnic origin, race, political opinions, religion, trade union membership, genetics, biometrics, health, sex, and sexual orientation. It also includes DBS checks and Hepatitis B status for all team members.
If someone who is not entitled to see details of another individual’s personal data can obtain access to it without permission, this is unauthorised access and a breach of GDPR.
Under GDPR, all individuals who have personal data held about them have the following personal privacy rights:
This includes all decisions made without human intervention such as email reminders to book an appointment, text or email reminders of appointments, or direct marketing.
The ability to take personal data elsewhere, for example, to another dental practice or employer.
There are six legal bases for processing personal data and we are required to be able to justify and articulate the legal basis on which we collect and process all personal data that we hold. We must also document the legal basis on which we collect and process all personal data that we hold.
A Data Protection Impact Assessment (DPIA) is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals.
We always adopt privacy by design as our default approach. Prior to embarking on any project or initiative we always undertake a Data Protection Impact Assessment to identify potential privacy issues before they arise, so that we can find ways to mitigate any issues. If we cannot reduce the impact sufficiently, we would not proceed.
Our systematic considerations, together with the measures to be put in place to mitigate any risks to privacy, are recorded in our GDPR File, which is kept in the office.
A DPO is a person designated or appointed to ensure the organisation or business complies with GDPR.
In our practice the DPO is Rhonda Hassett.
Our DPO’s duties are:
Note: A DPO should not be the Data Controller as well because of the potential for conflicts of interest. A DPO can be an employee, provided that person is given appropriate training and autonomy to be able to undertake the duties described above. The role can also be outsourced.
Faversham Smiles aims to comply with the GDPR requirements which state that personal data must be:
We have reviewed and enhanced our data protection risk management processes and recorded our actions on our GDPR risk assessment. We undertake annual data protection risk assessments and follow up to ensure actions have been completed.
GDPR compliance is discussed at our practice meetings every 6-8 weeks and actions arising are recorded and protocols adjusted accordingly.
We have a clear, robust, binding written contract with our practice management software suppliers, Service of Excellence (SOE), and all other external data processors to ensure they comply with GDPR.
All team members must ensure that they:
Our personal data inventories list all the personal data we process for patients and team members together with the risks attached to each type of data.
As required by the GDPR, the data inventories also list:
This information is provided in concise, easy to understand and clear language.
All data subjects have the right of access to and copies of their personal data whether they are held on paper or on computer.
A request from a patient to see records or for a copy must be referred to the patient’s dentist.
Care should be taken to ensure that the individual seeking access is the patient in question and, where necessary, the practice will seek information from the patient to confirm identity. A copy of the record must be supplied within one month of the request being made, although every effort should be made to supply the information requested without delay, and as soon as possible following receipt of the request.
Records must be:
We have processes in place to ensure that we can respond to data subjects’ requests for access to or copies of their records within one month (four weeks). We do not charge a fee for access to or copies of records.
In some situations, we may refuse an access request if we think it is unfounded or excessive. In those situations, we have clear refusal policies and procedures in place and will always ensure we can demonstrate why the request meets these criteria.
We provide additional information to people making requests, including our data retention periods and the right to have inaccurate data corrected.
Under certain, very limited, circumstances we may refuse access to or copies of personal records.
These could include:
In these circumstances we will demonstrate how the request fits these criteria in accordance with GDPR and we will provide the individual with an explanation for the refusal unless this could put them at risk.
Consent is one of the legal bases for processing personal data; however, it is not appropriate as a legal basis for processing personal data in relation to patient care or to administer an employment contract or a self-employed associate agreement.
Consent must always be obtained for direct marketing.
We also obtain consent for the following:
We understand that gaining consent is a complex process and we ensure that all the conditions described below are satisfied.
When using consent to process data for the purposes listed above, we ensure that:
All breaches must be reported to the Data Protection Commissioner (DPC) within 72 hours unless the data was anonymised or encrypted. Breaches that might bring harm to an individual, such as identity theft or breach of confidentiality, must also be reported to the individual(s) concerned.
We have procedures in place to detect, report and investigate a personal data breach.
All team members understand that they must inform Dr Shilpi Rattan, Dr Shabat Momin, or Rhonda Hassett.
If, after investigation, a team member is found to have breached data protection and not reported it, he or she shall be liable to summary dismissal in accordance with our practice disciplinary policy.
Personal data about our patients and team members is held in the practice’s computer system as well as in a manual filing system. The information is only accessible to authorised team members. Our computer system has secure audit trails and we back up information routinely. Paper records are stored in lockable, fire-proof cabinets that are locked when said cabinets are unattended.
Personal information about our patients includes:
The personal information we hold on our team members is listed in our Data Inventory which is stored in the GDPR folder in the Office and to which all team members have access upon request.
Faversham Smiles retains records of personal data only for as long as is required for the purposes for which it was collected or as required by law or to comply with statutory requirements.
This practice retains dental records and orthodontic study models while the subject is a patient of the practice and after they cease to be a patient, for at least eleven years. For children, records are kept for 11 years or until they are aged 25, whichever is the longer.
We will retain team members’ personal information only for as long as we need to in order to fulfil the purposes for which it was collected. After our working relationship has terminated we will retain team members’ personal data for as long as required by law.
To comply with GDC Standards and the GDPR, we ensure that if we are sending confidential information, we use a secure method. If we are sending or storing confidential information electronically, we will ensure that it is encrypted.
The information we collect and store will not be disclosed to anyone who does not need to see it.
We will share our patients’ personal information with third parties when required by law or to enable us to deliver a service to them or where we have another legitimate reason for doing so.
Third parties we may share patients’ personal information with may include:
We may also share personal information where we consider it to be in a patient’s best interest or if we have reason to believe an individual may be at risk of harm or abuse.
We will share our team members’ personal information with third parties when required by law or where it is necessary to administer the working relationship with them or where we have another legitimate interest for doing so.
Third parties we may share team members’ personal information with may include:
We may also share personal information where we consider it to be in a team member’s best interests or if we have reason to believe an individual may be at risk of harm or abuse.
Data subjects have the right to object to their personal data being processed or disclosed. Patients and team members who wish to object should discuss the matter with Rhonda Hassett. This objection may affect our ability to provide patients with dental care or our ability to fulfil the contract or agreement we hold with a team member.
This Policy, Code of Practice, and the related practice procedures were implemented on: 3rd May 2018.
This Policy, Code of Practice, and all related procedures will be reviewed annually and are due for review on 3rd May 2019 or prior to this date in accordance with new guidance or legislative changes.
All team members are required to read this policy and related procedures and sign to confirm they understand it and will comply with it at all times.