Ivydene Data Protection Policy

Ivydene Dental Practice > Ivydene Data Protection Policy

Data Protection Policy

The practice is committed to complying with the Data Protection Act 1998 by collecting, holding, maintaining and accessing data in an open and fair fashion.

The practice will only keep relevant information about employees for the purposes of employment, or about patients to provide them with safe and appropriate dental care. The practice will not process any relevant ‘sensitive personal data’ without prior informed consent. As defined by the Act ‘sensitive personal data’ is that related to political opinion, racial or ethnic origin, membership of a trade union, the sexual life of the individual, physical or mental health or condition, religious or other beliefs of a similar nature. Sickness and accidents records will also be kept confidential.

All manual and computerised records will be kept in a secure place; they will be regularly reviewed, updated and destroyed in a confidential manner when no longer required. Personnel records will only be seen by appropriate management.

Patients’ records will only be seen by appropriate team members. To facilitate patients’ health care the personal information about them may be disclosed to a doctor, health care professional, hospital, NHS authorities, the Inland Revenue, the Benefits Agency (when claiming exemption or remission from NHS charges) or private dental schemes of which the patient is a member. In all cases the information shared will be only that which is relevant to the situation. In very limited cases, such as for identification purposes, or if required by law, information may have to be shared with a party not involved in the patient’s health care. In all other cases, information will not be disclosed to such a third party without the patient’s written authority.

Access

You have the right of access to the data that we hold about you and to receive a copy.  Access may be obtained by making a request in writing. We will provide a copy of the record within 21 days of receipt of the request and fee (where payable) and an explanation of your record should you require it.

  1. General

The practice collects, holds, processes and shares personal data in accordance with the provisions of the General Data Protection Regulation and the Data Protection Act 2022. We have carried out and will review as appropriate, a Data Audit.

This Policy applies to personal data in the following categories:

  • Patients’ Records, both current and past
  • Employees’ data
  • Contractors’ data – including dental registrants

 

  1. Data Protection Principles

We shall ensure that Personal Data, including Special Data (health) will be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes only
  • Adequate, relevant and necessary for the purpose
  • Accurate and updated
  • Kept for no longer than is necessary
  • Processed in a secure manner and protected against loss, destruction or damage

  

  1. Lawful Basis

Data will be held and processed under the following Lawful Basis:

  • Patient Data and health records: for the Legitimate Interests of the practice in providing health care and treatment
  • Employment records: as a Legal Obligation for the provision of Employment Terms and conditions and supply of data to HM Revenue and Customs and other statutory functions such as pensions and benefits
  • Contractor Data: for the fulfilment of contracts

We will additionally secure the specific consent of patients for the provision of electronic communication under the Privacy and Electronic Communication Regulations 2011

 

  1. Data Subjects’ Rights

We will ensure that the rights of Data Subjects are respected and maintained by:

  • The issue and promotion of a Privacy Notice detailing data processed, its origin and any disclosures, the Lawful Bases for processing, and the rights of Data Subjects
  • The maintenance of a Subject Access process and the appointment of Victoria Whitfield as Data Protection Lead to oversee that process and to advise on compliance
  • A legitimate interest assessment ensuring individuals’ rights are balanced with the legitimate needs of the practice.
  • A Data Retention schedule
  • An Information Security policy
  • A Data Breach Policy
  • Contractual assurance of adequate safeguards if data is processed outside the European Union

 

  1. Subject Access Requests

All data subjects may submit a request to be informed of the data we hold about them, its lawful basis and from whom it is/was obtained and to whom it may be disclosed.  We will provide this information without charge and as soon as is reasonably possible and in any event within one month of a valid request being received.  Access requests should be addressed (or forwarded without delay) to Ketan Panwalkar.

  1. Training and Compliance

We will ensure that all staff are aware of their duty of strict confidentiality regarding personal data, both professional and under the Data Protection law.  We will provide training and assure compliance and will review and refresh training on a regular basis.

It is a condition of continuing employment that all staff are aware of, sign their acceptance of, and comply with, their obligations under this Policy. Any queries or concerns must be immediately addressed to Ketan Panwalkar. A breach of this Policy may amount to misconduct and result in disciplinary action. Serious or persistent breaches may result in dismissal.

  1. Security of Data

The practice will publish and maintain an Information Security policy to assure against any loss, damage, unlawful disclosure or non-compliant erasure of data. All staff will be trained and advised of their obligations under this Policy.