PRIVACY | DATA PROTECTION | GDPR DENTAL RECORDS
TwentyOneDental, 21 New Church Road, Hove BN3 4AD (Data Controller) aims to meet the requirements of the Data Protection Act 2018, the General Data Protection Regulation (GDPR], the guidelines on the Information Commissioner’s website, Data Protection (Subject Access) (Fees and Miscellaneous Provisions) (Amendment) Regulations 2001) as well as our professional guidelines and requirements.
You will be asked to provide personal information (known as data) when joining the clinic. The purpose of us processing this data is to provide optimum health care to you.
The categories of data we process are:
- Personal data for the purposes of staff and self-employed team member management
- Personal data for the purposes of direct mail/email/text marketing
- Special category data records for the purposes of the delivery of health care
- Special category data including details of criminal record checks for managing employees and contracted team members
We never pass your personal details to a third party unless we have a contract for them to process data on our behalf and will otherwise keep it confidential. If we intend to refer a patient to another practitioner or to secondary care such as a hospital we will gain the individual’s permission before the referral is made and the personal data is shared.
- Personal data is stored whether in digital or hard copy format
- Personal data is obtained when a patient joins the practice, when a patient is referred to the practice and when a patient subscribes to an email list or submits a contact form
The lawful basis for processing special category data such as patients’ and employees’ health data is:
- Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
The lawful basis of processing personal data such as name, address, email or phone number is:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
The retention period for special data in patient records is a minimum of 10 years and may be longer for complex records in order to meet our legal requirements. The retention period for staff records is 6 years. The retention periods for other personal data is 2 years after it was last processed. You have the following personal data rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (clinical records must be retained for a certain time period)
- The right to restrict processing
- The right to data portability
- The right to object
If you are a patient of the clinic you have the right to withdraw consent for important notifications, newsletters, surveys or marketing. You can inform us to correct errors in your personal details or withdraw consent from communication methods such as telephone, email or text. You have the right to inspect or request a copy of your data for free. (see above for explanatory details about what data is). For dental health records we hold for you in accordance with the Data Protection Act (Subject Access) (Fees and Miscellaneous Provisions) (Amendment) Regulations 2001, these also can be requested but fees do apply. See below for more information about these.
If you are not a patient of the clinic you have the right to withdraw consent for processing personal data, to correct errors in it or to ask us to delete it. You can also withdraw consent from communication methods such as telephone, email or text.
Am I entitled to receive copies of entire documents?
Your right of access does not entitle you to receive full copies of original documents held by an organisation – only your personal information (data) contained in the document.
You make a subject access request to your bank for full copies of your bank statements.
Your bank is not required to provide copies of the actual bank statements, but they must provide you with your personal data contained within them, for example, by providing you with a list of transactions.
By doing so, they have now complied with your subject access request.
TwentyOneDental recognises that all members of the team have an ethical and legal duty to keep patient information confidential. The relationship our clinic has with each patient is based on trust that information will not be given to external persons or organisations without the patient’s consent. All members of the team are expected to comply with this policy and are advised to be aware of the confidentiality clause within their contract. Breaches of this policy could lead to dismissal. Standards for dental professionals (in the guidance from the GDC) notes that practitioners must ‘Protect the confidentiality of patients’ information’.
- Using information only for the purpose for which it is was given
- Preventing information from being accidentally received
- Preventing unauthorised access by keeping information secure at all times. Only in exceptional circumstances can breach of confidentiality be justified.
The importance of confidentiality
The relationship between dentist and patient is based on the understanding that any information revealed by the patient to the dentist will not be divulged without the patient’s consent. Patients have the right to privacy and it is vital that they give the dentist full information on their state of health to ensure that treatment is carried out safely. The intensely personal nature of health information means that many patients would be reluctant to provide the dentist with information if they were not sure that it would not be passed on. All team members must follow the General Dental Council’s rules for maintaining patient confidentiality contained in Standards for dental professionals and Principles of patient confidentiality. If confidentiality is breached, the dentist/dental hygienist/dental therapist/dental nurse faces investigation by the General Dental Council and possible erasure from the Dentists or DCP Register, and may also face legal action by the patient for damages and, for dentists, prosecution for breach of the Data Protection Act.
Principles of confidentiality
This clinic has adopted the following three principles of confidentiality:
Personal information about a patient
- is confidential in respect of that patient and to those providing the patient with health care
- should only be disclosed to those who would be unable to provide effective care and treatment without that information (the need-to-know concept), and
- such information should not be disclosed to third parties without the consent of the patient except in certain specific circumstances described in this policy.
Preventing breaches of confidentiality
Keep all confidential data stored securely and do not allow them to be placed in areas where they may be seen by unauthorised personnel
Do not provide information:
- To school about a child’s attendance
- To employers about patient’s appointments
- To third parties about appointments or leave detailed answer machine messages
- Only leave messages to return the clinics phone call
Disclosure of information
If it is necessary to release information about a patient:
- Get patient’s consent first, where possible. Make sure they understand what information you will release, why and any likely consequences.
- Release the minimum required
- Be prepared to justify decisions and follow-on action. If you are using patient information (i.e. radiographs, study models) for teaching purposes gain the patient’s consent and ensure the patient cannot be identified from the information released.
Disclosures to third parties
There are certain restricted circumstances in which a dentist may decide to disclose information to a third party or may be required to disclose by law. Responsibility for disclosure rests with the patient’s dentist and under no circumstances can any other team member make a decision to disclose. A brief summary of the circumstances is given below.
When disclosure is in the public interest
There are certain circumstances where the wider public interest outweighs the rights of the patient to confidentiality. This might include cases where disclosure would prevent a serious future risk to the public or assist in the prevention or prosecution of serious crime.
When disclosure can be made
There are circumstances when personal information can be disclosed:
- where expressly the patient has given consent to the disclosure
- where disclosure is necessary for the purpose of enabling someone else to provide health care to the patient and the patient has consented to this sharing of information
- where disclosure is required by statute or is ordered by a court of law
- where disclosure is necessary for a dentist to pursue a bona-fide legal claim against a patient, when disclosure to a solicitor, court or debt collecting agency may be necessary.
Disclosure of information necessary in order to provide care and for the functioning of the NHS
Information may need to be disclosed to third party organisations to ensure the provision of care. In practical terms this type of disclosure means:
- referral of the patient to another dentist or health care provider such as a hospital.
Data protection code of practice
The Clinics data protection code of practice provides the required procedures to ensure that we comply with Data Protection Act. It is a condition of engagement that everyone at the clinic complies with the code of practice.
Data Protection Act
Following EU-wide changes to data protection rules, GDPR was introduced in the UK as the Data Protection Act 2018 (GDPR).
The Data Protection Officer (DPO) for TwentyOneDental is Dr Adyl Asani. This does not mean that as DPO, they must deal with requests but designated members can do so.
All personal data, written and electronic, must be processed in accordance with the 8 Data Protection Principles. These Principles are set out in this document.
Access to dental health records
A patient has the right to see their dental health records. A request from a patient to see their health records or for a copy must be referred to the patient’s dentist. The patient should be given the opportunity of coming into the clinic to discuss the records and can then be given a photocopy (see fees below). Care will always be taken to ensure that the individual seeking access is the patient in question and where necessary the clinic will seek information from the patient to confirm identity. The copy of the record must be supplied within thirty days from the request being received together with payment of the fee.
Why would a patient want to access their dental health records?
The patient will have their own reason to request their dental records and they do not need to give a reason why when making a request.
Who can make a request?
A request to access dental records, or any part of the dental record, can be made by the following people:
- the patient
- a person authorised in writing to make the application on the patient’s behalf
- A person having parental or guardian responsibility for the patient
- where the patient is incapable of managing his own affairs, any person appointed by a court to manage those affairs
- where the patient has died, the patient’s personal representative and any person who may have a claim arising out of the patient’s death.
Exemptions to Access
There are two main exemptions to a patient’s right of access which are:
- information about identifiable third parties
- information likely to cause someone serious physical or mental harm
The first exemption means those who hold the information (known as data controllers in the legislation) may refuse to release it if it would reveal information about another person unless that person has given consent.
The second exemption means that access can be refused if it is likely to cause serious harm to the physical or mental health or condition of the data subject or any other person.
The term “any other person” could relate to a health professional or a relative of the patient. Subject access rights can be refused if it was considered likely to put a health professional or a family of the patient in danger.
Access to Dental Health Records – Patient Fees
(Data Protection (Subject Access) (Fees and Miscellaneous Provisions) (Amendment) Regulations 2001)
In accordance with the above regulations, patient’s fees for copies of their dental health records are as follows:
- Permanent Copy – Where a permanent copy of the patient’s dental health records are to be provided, the maximum fee of £50 may be charged by the data controller in accordance with regulation 6(2) of the 2000 Regulations & Amendment 2001.
- View Only (No Copies) – No charge is payable. This includes subject access requests to the patient’s
Following EU-wide changes to data protection rules, introduced in the UK as the Data Protection Act 2018 (GDPR), this means patients can make a subject access request for free. This right of access means a patient can ask to review and verify the lawfulness of the processing of their personal data.
The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018. It sits alongside the GDPR, and tailors how the GDPR applies in the UK
Should you wish to access your records ie view them, please let us know so we can make necessary arrangements for you in this respect here at the clinic. There is of course no charge for this as it is deemed an accessible request and is for viewing only.
For a permanent request, fees do apply in accordance with regulations and are as follows:
- Permanent Form ie Copies – Where a permanent copy of the information is to be provided, the maximum fee of £50 may be charged by the data controller in accordance with regulation 6(2) of the 2000 Regulations.
- Accessible Record ie View Only (No Copies) – No charge is payable
Requests to access dental records of a deceased person
Access to the health records of a deceased person is governed by the Access to Health Records Act 1990. You will only be able to accept requests under the following circumstances:
- next of kin or legal executor
- permission of the next of kin
- have written permission from the deceased person given before they died.
Dental Record Requests for Treatment Outside the UK
Should a request be made by a patient who is seeking dental treatment outside the UK, the legal right to access dental records and radiographs is the same as given in the above. Patients do not have to give a reason why are requesting a copy of their dental records and it is under their own action and consent that they are disclosing personal information to a dental professional abroad. For former patients living outside of the UK, but who have undergone treatment while living in the UK still have the same rights to apply for access to their UK dental records. Such requests should be dealt with as someone making an access request from within the UK. Original health records should not be given to patients to keep/take to a new dentist outside the UK. The Department of Health recommend that original patient health records should not be sent to patients or their authorised representative because of the potential detriment to patients should the records be lost and for medico-legal purposes. For further sources of information please visit: www.ico.gov.uk or seek advice from your legal representative should you be concerned about a particular case or exemption issues.
The fact that patients have the right of access to their records (data) & (dental health records) makes it essential that information is properly recorded. Records must be:
- contemporaneous and dated
- accurate and comprehensive
- signed by the dentist
- neat, legible and written in ink
- strictly necessary for the purpose
- not derogatory
- such that disclosure to the patient would be unproblematic.
The principles of confidentiality give rise to a number of rules that everyone in the clinic must observe:
- records must be kept secure and in a location where it is not possible for other patients or individuals to read them
- identifiable information about patients should not be discussed with anyone outside of the practice including relatives or friends
- a school should not be given information about whether a child attended for an appointment on a particular day. It should be suggested that the child is asked to obtain the dentist’s signature on his or her appointment card to signify attendance
- demonstrations of the clinics administrative/computer systems should not involve actual patient information
- when talking to a patient on the telephone or in person in a public area care should be taken that sensitive information is not overheard by other patients
- do not provide information about a patient’s appointment record to a patient’s employer
- messages about a patient’s care should not be left with third parties or left on answering machines. A message to call the clinic is all that can be left
- recall cards and other personal information must be sent in an envelope
- disclosure of appointment books, record cards or other information should not be made to police officers or Inland Revenue officials unless upon the instructions of the dentist
- patients should not be able to see information contained in appointment books, day sheets or computer screens
- discussions about patients should not take place in public areas of the clinic.
If, after investigation, a team member is found to have breached patient confidentiality or this policy, he or she shall be liable to summary dismissal in accordance with the clinics disciplinary policy. Employees are reminded that all personal data processed at the clinic must by law remain confidential after your employment has terminated. It is an offence under section 55(1) of the Data Protection Act 1998, knowingly or recklessly, without the consent of the data controller, to obtain or disclose personal data. If the clinic suspects that you have committed such an offence, it will contact the Office of the Information Commissioner and you may be prosecuted by the Commissioner or by or with the consent of the Director of Public Prosecutions.
Subject Access Request (SAR)
A SAR may be made for data and/or dental health records. Please see above for an explanation as to data and dental health records together with fees, where appropriate. A SAR may be made not only by the individual but also by third parties on behalf of that individual. The following guidance covers the information required before a request can be met.
- Subject Access Request – By the Individual (i.e. the living individual, to whom records refer and who is making the request). On the submission of a written request, and verification of identity, access is permitted following the request to the patients medical/dental records in accordance with the act
- Subject Access Request – By a Third Party (i.e. on behalf of a living individual who is incapable of managing his/her affairs, any person appointed by the court to manage those affairs, or persons interested in an individual’s medical/ dental records). Before medical/dental records can be disclosed, the written consent of the individual is required. In circumstances where individuals are incapable of managing their own affairs the consent for disclosure must be obtained from the appropriate authority.
Access to any part of a health record can be refused if:
- In the written opinion of the health professional, acting on behalf of the data controller, disclosure of the records would be likely to cause serious harm to the physical or mental health of the individual (data subject) or any other person
- Information relating to or provided by someone other than the data subject could identify that individual.
- Unless that individual is a health professional who has compiled or contributed to the health record or has been involved in the treatment of the data subject
- Unless that individual has given their consent to the disclosure of the information to the person making the request.
- Unless it is reasonable in all the circumstances to comply with the request without the consent of the other individual e.g. a person with parental responsibilities for the patient or a person appointed by the court to manage the affairs of the patient
- provided that the information in the expectation that it would not be disclosed to the person making the request
- consented to any examination or investigation in the expectation that the information would not so be disclosed;
- has expressly indicated that the information should not be disclosed.
Subjects must submit a written request and forward it to the DPO. The DPO has 30 calendar days from receipt of a SAR to respond to a request. Any longer period will be a breach of the Act. A request from a patient to access their own personal data and/or dental health records must be referred to the patient’s dentist. The patient will then be given the opportunity of coming into the clinic to view their data (for free) or dental health records (fees apply).
What is data?
Data is personal data an individual has provided.
Does this mean if I want permanent copies of my dental health records, these are provided free of charge too?
Please see above for further information including fees
Data Protection Principles
The eight Data Protection Principles as laid down in the Data Protection Act (along with Caldicott Principles) must be followed at all times:
- Data must be processed fairly and lawfully
- Personal data shall be obtained only for one or more specific and lawful purposes
- Personal data shall be adequate, relevant and not excessive in relation to the purpose for which they are processed
- Personal data shall be accurate and where necessary kept up to date
- Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Personal data shall not be transferred to a country outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The Caldicott Principles
Principle 1 – Justify the purpose(s) Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate guardian
Principle 2 – Don’t use patient-identifiable information unless it is absolutely necessary Patient-identifiable information items should not be used unless there is no alternative.
Principle 3 – Use the minimum necessary patient-identifiable information. Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiably
Principle 4 – Access to patient-identifiable information should be on a strict need to know basis. Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see
Principle 5 – Everyone should be aware of their responsibilities. Action should be taken to ensure that those handling patient-identifiable information – both clinical and nonclinical team members – are aware of their responsibilities and obligations to respect patient confidentiality
Principle 6 – Understand and comply with the law. Every use of patient-identifiable information must be lawful. Someone in the clinic should be responsible for ensuring that legal requirements are complied with. Responsible Person Dr Adyl Asani has been appointed to be the person responsible for Confidentiality
Comments, suggestions and complaints
Please contact our Governance Lead at the clinic should you have a comment, suggestion or a complaint about your data processing at firstname.lastname@example.org or 01273 202102.
If you are unhappy with our response or if you need any advice you can find further information below under the heading “more information”.
Related practice procedures
The following practice policies or procedures have been adopted by the clinic:
- Data Protection and Information Security Policy, Consent Policy
- Privacy Impact Assessment, Information Governance Procedures
For more information on this topic, speak with our Operations Manager or Clinic Manager. Alternatively you can contact the organisations below.
General Dental Council (www.gdc-uk.org)
Information Commissioner (www.informationcommissioner.gov.uk)
This policy is reviewed on an annual basis.
Last reviewed: January 2020
Next Review: January 2021
21 New Church Road,
Brighton, & Hove BN3 4AD
Call Us01273 202 102
21 New Church Road,
Brighton, & Hove BN3 4AD