Privacy Notice
Overview
The practice aims to meet the requirements of the Data Protection Act 2018, the General Data Protection Regulation (UK GDPR), the guidelines on the Information Commissioner’s website as well as our professional guidelines and requirements.
The data controller is Riverdale Healthcare. The Information Governance Lead is John Grainger and our Data Protection Officer is John Grainger.
You will be asked to provide personal information when joining the practice. The purpose of processing your personal data is to provide you with optimum dental health care and prevention.
The categories and examples of data we process are:
- Personal data for the provision of dental health care
- Personal data for the purposes of providing treatment plans, recall appointments, reminders or estimates
- Personal data such as details of family members for the provision of health care to children or for emergency contact details
- Personal data for the purposes of employed and self-employed team members' employment and engagement respectively
- Personal data for the purposes of informing you of important announcements or about new treatments or services
- Personal data – IP addresses so that we can understand our patients better and inform our marketing approach as well as improve the website experience
- Special category data including health records for the purposes of the delivery of health care and meeting our legal obligations
- Special category data including health records
- Special category data to meet the requirements of the Equality Act 2010
- Special category data – details of criminal record checks for employees and contracted team members
We minimise the data that we keep and do not keep it for longer than is necessary.
We never pass your personal details to a third party unless we have a contract for them to process data on our behalf and will otherwise keep it confidential. If we intend to refer a patient to another practitioner or to secondary care such as a hospital we will gain the individual’s permission before the referral is made and the personal data is shared. Your data will be shared with the NHS in England, Scotland and Wales or the HSC in Northern Ireland if you are having NHS or HSC treatment.
- Personal data is stored in the EU whether in digital or hard copy format
- Personal data is obtained when a patient joins the practice or when a patient is referred to the practice
For full details of where your data is stored, please ask to see Information Governance Procedures.
We have established the following lawful bases for processing your data:
Our lawful bases for processing personal data:
- The legitimate interests of the dental practice
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Consent of the data subject
- To comply with our legal obligations
Our lawful bases for processing special category data:
- The legitimate interests of the dental practice
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Consent of the data subject
- To comply with our legal obligations
The reasons we process the data include:
- To maintain your contemporaneous clinical records
- To provide you with dental treatment, prevention and oral health advice
- To carry out financial transactions with you
- To manage your NHS or HSC dental care treatment
- To send your personal data to the General Dental Council or other authority as required by law
- To communicate with you as and when required including appointment reminders, treatment plans, estimates and other communications about your treatment or the practice
- To communicate with your next of kin in an emergency
- If you are a parent or carer, to communicate with you about the person you parent or care for
- To refer you to other dentists or doctors and health professionals as required
- To obtain criminal record disclosures for team members
- For debt recovery
- To continually improve the care and service you receive from us
The personal data we process includes:
Your name, address, gender, date of birth, NHS number, medical history, dental history, family medical history, family contact details, marital status, financial details for processing payment, your doctor’s details and details of treatment at the practice. We may process more sensitive special category data including ethnicity, race, religion, or sexual orientation so that we can meet our obligations under the Equality Act 2010, or for example to modify treatment to suit your religion and to meet NHS or HSC obligations.
Retention Periods:
The retention period for special data in patient records is a minimum of 10 years and may be longer for complex records or to meet our legal requirements. The retention period for other personal data is 2 years after it was last processed. Details of retention periods are available in the Record Retention procedure available from the practice.
How we obtain your data:
We obtain your personal details when you enquire about our care and service, when you join the practice, when you subscribe to our newsletter or register online, when you complete a registration or medical history form and when another practitioner refers you for treatment at our practice.
Occasionally patients are referred to us from other official sources such as NHS clinics or hospitals.
Your personal data rights:
- The right to be informed about the collection and use of your personal data
- The right of access – to have a copy of the data we hold about you. Generally, we will not charge for this service
- The right to rectification – to correct the data we have if it is inaccurate or incomplete
- The right to deletion of your personal data (clinical records must be retained for a certain time period)
- The right to restrict processing of your personal data
- The right to data portability – to have your data transferred to someone else
- The right to object to the processing of your personal data
- Rights in relation to automated decision making and profiling
Further details of these rights can be seen in our Information Governance Procedures or at the Information Commissioner’s website.
Examples of your rights in practice:
- Patients may withdraw consent for notifications, newsletters, surveys or marketing
- Patients can request corrections or deletion of their personal data
- Non-patients may also withdraw consent or request access, correction or deletion
We have carried out a Privacy Impact Assessment and Risk Assessment. These are available on request.
Comments, Suggestions and Complaints
Please contact the IG Lead at the practice for any comments, suggestions, or complaints about data processing via privacy@riverdalehealthcare.com, phone, or by visiting the practice. We take complaints very seriously.
If dissatisfied with our response or for further advice, you may contact the Information Commissioner’s Office (ICO) at 0303 123 1113 or online. Visit the ICO website for guidance on data protection complaints.
Related Practice Procedures
- Data Protection and Information Security Policy
- Sensitive Information Map, PIA and Risk Assessment
- Information Governance Procedures
- Record Retention
For enquiries, contact the Information Governance Lead: John Grainger – privacy@riverdalehealthcare.com
Data Opt-Out Policy
How the NHS and Care Services Use Your Information
Devonshire House works within the health and care system to improve services. When you use health services, data is recorded to ensure quality care. This data may also support wider purposes, such as:
- Improving the quality and standards of care provided
- Research into the development of new treatments
- Preventing illness and diseases
- Monitoring safety
- Planning services
This is only done with a clear legal basis. Usually, anonymised data is used. Confidential information is only used where legally permitted.
You can choose whether your confidential patient information is used this way. Visit www.nhs.uk/your-nhs-data-matters for more details, to review or change your opt-out settings.
Processing of Staff and Candidates’ Information
This section outlines how Devonshire House handles data of staff and job applicants.
What data do we have?
- Basic contact details: name, address, date of birth, NI number, next of kin
- Financial details for payment, pensions, taxes
- Training records
- Special category data such as health and mental health, race, religion, sexual orientation (with consent)
Criminal Record Checks may be required and are not retained longer than necessary.
Why do we have this data?
- To fulfil employment law requirements
- To support training, payroll, planning and HR
- To comply with public interest obligations
- To process sick/maternity pay or legal vetting
- With consent, when required
Where do we collect your data from?
- You or your legal representative
- Third parties, such as referees
We collect data via email, post, website, application forms and apps.
How do we share your data?
- HMRC
- Pension and healthcare schemes
- Payroll provider
- CQC and other legal bodies
- Police or legal enforcement (if required)
How long do we hold your data?
Staff records are retained for 6 years. Some may be held longer. Unsuccessful candidate data is retained for 1 year.
Your Rights
You have rights over your personal data, including to request access, correction, deletion, or to lodge a complaint with the Information Commissioner’s Office (ICO). You may request a copy of your personal file by contacting the practice.