Andrew Lee Dental Practice Privacy Notice
The practice aims to meet the requirements of the Data Protection Act 2018, the General Data Protection Regulation GDPR, the guidelines on the Information Commissioner’s website as well as our professional guidelines and requirements. The data controller is Andrew Lee, who is also the Information Governance Lead the Data Protection Officer is Sarah Lee.
This Privacy Notice is also available at reception and by email if you contact email@example.com and by
calling 01926 330606.
This Privacy Notice explains what Personal Data the practice holds, why we hold and process it, who we might share it with, and your rights and freedoms under the Law. You will be asked to provide personal information when joining the practice. The purpose of us processing this data is to provide optimum health care to you.
Types of Personal Data
The practice holds personal data in the following categories:
Personal data for the purposes of staff and self-employed team member management
Personal data for the purposes of [direct mail/email/text/other] marketing
Special category data including health records for the purposes of the delivery of health care
Special category data including health records and details of criminal record checks for managing employees and contracted team members
We never pass your personal details to a third party unless we have a contract for them to process data on our behalf and will otherwise keep it confidential. If we intend to refer a patient to another practitioner or to secondary care such as a hospital we will gain the individual’s permission before the referral is made and the personal data is shared.
Why we process Personal Data (what is the “purpose”)
“Process” means we obtain, store, update and archive data.
Patient data is held for the purpose of providing patients with appropriate, high quality, safe and effective dental care and treatment.
Staff employment data is held in accordance with Employment, Taxation and Pensions law.
Contractors’ data is held for the purpose of managing their contracts.
What is The Lawful Basis for processing special Category data such as patients’ and employees’ health data and Personal Data?
The Law says we must tell you this:
We hold patients’ data because it is in our Legitimate Interest to do so. Without holding the data we cannot work effectively. Also, we must hold data on NHS care and treatment as it is a Public Task required by law.
We hold staff employment data because it is a Legal Obligation for us to do so.
We hold contractors’ data because it is needed to Fulfil a Contract with us.
Who might we share your data with?
We can only share data if it is done securely and it is necessary to do so.
- Patient data may be shared with other healthcare professionals who need to be involved in your care (for example if we refer you to a specialist or need laboratory work undertaken).
- Patient data may also be stored in the EU for back-up purposes with our computer software suppliers who may also store it securely whether in digital or hard copy format.
- Employment data will be shared with government agencies such as HMRC.
- Personal data is obtained when a patient joins the practice, when a patient is referred to the practice and when a patient subscribes to an email list.
You have the right to:
Be informed about the personal data we hold and why we hold it.
Access a copy of your data that we hold by contacting us directly: we will acknowledge your request and supply a response within one month or sooner.
Check the information we hold about you is correct and to make corrections if not have your data erased in certain circumstances.
Transfer your data to someone else if you tell us to do so and it is safe and legal to do so.
Tell us not to actively process or update your data in certain circumstances.
Further details of these rights can be seen in our Information Governance Procedures or at the Information Commissioner’s website. Here are some practical examples of your rights:
If you are a patient of the practice you have the right to withdraw consent for important notifications, newsletters, surveys or marketing.
You can inform us to correct errors in your personal details or withdraw consent from communication methods such as telephone, email or text. You have the right to obtain a free copy of your patient records within one month.
If you are not a patient of the practice you have the right to withdraw consent for processing personal data, to have a free copy of it within one month, to correct errors in it or to ask us to delete it. You can also withdraw consent from communication methods such as telephone, email or text.
We have carried out a Privacy Impact Assessment and you can request a copy from the details below. The details of how we ensure security of personal data is in our Security Risk Assessment and Information Governance Procedures.
How long is the Personal Data stored for?
We will store patient data for as long as we are providing care, treatment or recalling patients for further care. We will
archive (that is, store it without further action) for as long as is required for legal purposes as recommended by the NHS or other trusted experts recommend. This could be a minimum of 10 years and may be longer for complex records.
We must store employment data for six years after an employee has left.
The retention period for other personal data is 2 years after it was last processed. Details of other retention periods are
available in the Record Retention procedure available from the practice.
We must store contractors’ data for seven years after the contract is ended.
What if you are not happy or wish to raise a concern about our data processing?
You can complain in the first instance to us, at the practice for a comment, suggestion or a complaint about your data processing at firstname.lastname@example.org, or 01926 330606 or by writing to or visiting the practice at 7 Crown Way, Lillington, Leamington Spa, CV32 7SF. or to our Data protection Officer, Sarah Lee, who can be contacted on email@example.com.
We will always do our best to resolve the matter.
If you are unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO). Their telephone number is 0303 123 1113, you can also chat online with an advisor. The ICO can investigate your claim and take action against anyone who’s misused personal data. You can also visit their website for information on how to make a data protection complaint.
Related practice procedures
You can also use these contact details to request copies of the following practice policies or procedures:
Data Protection and Information Security Policy, Consent Policy
Privacy Impact Assessment, Information Governance Procedures
News and Twitter coming soon...