Wedgwood House Dental Practice

Privacy Notice

About us

This Privacy Notice describes how we, Wedgwood House Dental Practice (hereafter known as WHDP), process your personal data. This could be collected when you visit our practice in Stowmarket, Suffolk for dental services, contact us to make an enquiry, give a compliment, make a complaint, request information, participate in a promotion, or in connection with an actual or potential business or employment relationship with us.

 

We respect your privacy and we are committed to protecting your personal information in order to reflect the value we place on earning and keeping the trust of our employees, customers and suppliers. We are committed to achieving compliance with GDPR and the uplifted UK Data Protection Act in 2018, and guidelines on the Information Commissioner's website as well as our professional guidelines and requirements.

 

This privacy notice describes what personal information we collect and for what reason, how we process it and under what legal basis, who we share it with, and how we protect your information and keep it safe, up to date and complete.  It also describes how we enable you to exercise your rights under data protection law.

What is Personal Data and other terminology?

Personal Data

Personal data is any information that allows an individual (the data subject) to be identified.  This includes information where the individual is not named but a cross-reference to other information held by the practice would allow identification.

Data Subject

Data subject is any identified or identifiable natural (living) person, whose personal data is processed by the controller responsible for the processing.

Processing

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of Processing

Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Unauthorised reversal of pseudonymisation would constitute an Information Governance breach.

Controller or Controller Responsible for The Processing

Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor

Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient

Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third Party

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent

Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

What information do we collect?

We process personal information about our employees, customers (patients) and suppliers.

We collect data about patients who use our services that is relevant to their healthcare and that allows WHDP to deliver its services to our patients. 

The types of data we may collect are listed below and we will only use that data in ways relevant to carrying out our lawful purposes and functions and in a way that is not detrimental to the interests of our patients or employees.  At WHDP we will take particular care in the collection and storage of any personal ‘special’ (i.e. healthcare) data.  Everyone working within WHDP has a legal duty to keep information about you confidential.  Similarly, anyone who receives information from us has a legal duty to keep it confidential.

Our dental professionals caring for you keep records about your health and any treatment and care you receive from our practice.  These records help to ensure that you receive the best possible care.  They may be written down in paper records or held on computer.  These records may include:

·    Basic details about you such as name, address, telephone number, email address, date of birth, next of kin, NHS number, etc.

·    Contact we have had with you such as appointments.  Where this involved leaving a voice message on the dental practice’s answer machine, the reception staff listen to the message, act on the instructions, and always delete the message afterwards.

·    Notes and reports about your health, treatment and care.

·    Treatment plans and consent to have dental check-ups (NHS) and further treatment (NHS and private)

·    X-rays, clinical photographs, and study models

·    Relevant information from people who care for you and know you well such as health professionals and relatives.

·    Financial information for payment of any treatments

We also collect your feedback and complaints.  Typically, this is paper based, using the ‘Patient Questionnaire’ that incorporates the NHS Friends and Family Test (FFT).

It is essential that your details are accurate and up to date.  Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.  This is usually done each time you visit the dental practice using our ‘Clinipad’ computer tablet, e.g. contact and NHS exemption details at the reception desk, and medical history information when seeing your dentist or hygienist.

Cookies

When you visit this website our hosting company 1and1.co.uk may send “cookies” to your computer primarily to enhance your on-line experience.  “Cookies” are invisible files which can identify you as a unique viewer and may store your personal preferences as well as technical information.

We only collect technical data about the type of Internet browser and computer operating system that you use when viewing our website (https://wedgwood-house.com).  This information does not identify you as an individual (your identity remains anonymous) and is used only for the tracking of site use to measure its performance (e.g. the interest level) of our publicly available information.

For more information on cookies and how to disable them you can consult the information provided by, for example, the Interactive Advertising Bureau UK at www.allaboutcookies.org, or another reference mentioned at the end of this privacy notice.

How your personal information is used

Your records are used to direct, manage and deliver the care you receive to ensure that:

·    The dental professionals involved in your care have accurate and up to date information to assess your oral health and decide on the most appropriate care for you.

·    Healthcare professionals have the information they need to be able to assess and improve the quality and type of care you receive.

·    Your concerns can be properly investigated if a complaint is raised.

·    Appropriate information is available if you see another dental professional or are referred to a specialist.

·     From time-to-time we may use your contact information to send you details of products and services offered in our practices that directly relate to your oral healthcare.

If we wish to use your information for dental research or dental education, we will discuss this with you and seek your explicit consent.  Depending on the purpose and if possible, we will anonymise your information.  If this is not possible we will inform you and discuss your options.

We do not carry out any automated profiling at WHDP.

Sharing of Personal Data

Your information is normally used only by those working at the practice but there may be instances where we need to share it – for example, with:

·   Your doctor

·   The hospital or community dental services or other health professionals caring for you

·    Dental laboratories

·    NHS payment authorities

·   The Department for Work and Pensions and its agencies, where you are claiming exemption or remission from NHS charges

·    Private dental schemes of which you are a member

·    Debt collection companies

Your information is shared with third parties to deliver the following services to you:

·     Sending SMS text and email reminders for your dental appointments

·     Providing troubleshooting and support services for our various IT systems

WHDP may disclose your personal information to third parties:

·    In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.

·     If WHDP or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.

·    In certain circumstances or if required by law, we may need to disclose your information to a third party not connected with your health care, including HMRC or other law enforcement or government agencies.

·    We may share your personal data with other companies and organisations for the purposes of fraud prevention and credit risk reduction.

We will only disclose your information on a need-to-know basis and will limit any information that we share to the minimum necessary.

Some of your information may be transferred out of the European Economic Area (EEA), primarily in support of our dental Information System that processes your medical records.  Where information is transferred outside of the European Economic Area (“EEA”), we require that appropriate safeguards are in place and we use contracts that require the recipient to protect your Personal Data to the same standards as it would be within the EEA.

We do not pass your details to any third parties for marketing purposes.

Legal bases for processing your data

Patient data is processed in accordance with the 2005 NHS General Dental Services contract and the relevant UK Data Protection Act (DPA2018) as regulated by the UK Information Commissioner’s Office (ICO).  All personal data associated with NHS treatments, including any private treatments on NHS patients, is shared with NHS England and their NHS partners under the terms of the mentioned GDS contract.  Information related to private patients is processed under similar conditions though not shared with the NHS.  We are legally required to share all information with the Care Quality Commission (CQC) and the General Dental Council (GDC) should they request it.

Processing of staff or patient medical records is done under DPA2018, and GDPR Articles:

•    6(1)(b), 6(1)(c) and 9(2)(b) to carry out the obligations related to the NHS GDS contract and GDC standards and guidelines

•    6(1)(f) and 9(2)(f) to exercise or defend legal claims, or whenever courts are acting in their judicial capacity

•    6(1)(e) and 9(2)(h) for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment

•    6(1)(c) the processing is necessary for compliance with any legal obligation to which the controller is subject, and 9(2)(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment.

To understand the performance of the business carrying out medical treatments, both NHS and private, the dental information system is used to generate reports, under Article 6(1)(b), 6(1)(f) and 9(2)(d) legitimate interests.  Only authorised staff do this.  Typically, the data is fully anonymised, thus requiring no lawful basis; where it is not, it is stored on secure computers with restricted access control.

We collect personal data from you in order to action financial payments with the healthcare (consented using the FP17PR form)(consented using ‘treatment plans’) i.e. Articles 6(1)(a), 6(1)(b), 6(1)(c) and 9(2)(a), and for financial institutions as required by UK and international banking and electronic card payment (PCI-DSS) law.

When dental crowns, veneers, dentures and mouthguards are made by dental laboratories, we use pseudonymised codes instead of patient names.  The request form represents a contract for the activity.  Where the ‘code’ is not unique, we would do so under Articles 6(1)(b), 9(2)(d) and 9(2)(h).  Note that some labs would like to use patient consent as a lawful basis, Article 6(1)(a) and 9(2)(a), which is felt not to be practical in our dental practice environment, but to do so would rely upon the patient’s medical consent to treatment.

Should we decide to use our dental information system to manage electronic marketing via email or SMS, we will explicitly request your consent.  (Not used at this time.)

Your Rights

The GDPR includes many ‘rights’ for the data subject to exercise.  These are listed below.  It should be noted however that not all are applicable under UK law, DPA2018, in the delivery of your dental care.

•    Right to access facts about what is being processed (Article 15)

•    Right to rectification to make data complete without delay (Article 16)

•    Right to erasure (be forgotten).  You have a right to request that we delete your personal information, although you should be aware that, for legal reasons, we may be unable to erase certain information, for example, information about your dental treatment. (Article 17)

•    Right to restriction of processing if data inaccurate, taken unlawfully or for different processing purpose, or no longer needed (Article 18).  For example, sending you reminders for appointments or information about our service.

•    Right to data portability requires controllers to support moving data to another controller (dentist) if that data is processed by automated means (Article 20).  Please note that our dental information system supplier has limited functionality to export patient data and would be unable to import the data into another dentist’s system even if it were the same system.

•    Right to object to the processing of personal data … typically when process is consented to, used for marketing, or ‘profiling’ activities used (Article 21).

•    Right not to be subjected to automated individual decision-making (Article 22)

•    Right to lodge a complaint with a supervisory authority (Article 77)

•    Right to an effective judicial remedy against a decision of a supervisory authority and against a controller or processor (Article 78)

•    Right to be represented by organisations and others (Article 80)

•    Right to compensation (Article 82)

DPA2018 Exemptions from the GDPR: Health

DPA2018, Schedule 3 identifies activities outside the powers of the data protection legislation.  For example,

·    Part 1, 1(e) restricts the deletion of patient identifiable data, which effectively overrides the patient’s Right to Erasure.

·    Part 1(1)(g) restricts the moving of records, effectively overriding the patient’s Right to Data Portability.

·    Part 2, 2(1) allows ‘the appropriate health professional’ to restrict the patient’s Right of Access should it be determined that granting access would cause ‘serious harm to the physical or mental health of the data subject or another individual’.

Requests for Personal Information

Data protection legislation allows individuals to request access to their personal information at nil cost.  Those eligible to request access include:

•    A person aged 16 years or older for practices in England.

•    The parents or guardians of a child under the age of 16 years and in connection with the health and welfare needs of the child.

•    A child under the age of 16 years who has the capacity to understand the information held by the practice.  Children aged 11 years and under are deemed too young.

•     A third party, such as a solicitor, who has the written consent of the individual concerned.

If a request concerns information about a deceased person, those eligible to request access include:

•    The administrator or executor of the deceased person’s estate

•    A person who has a legal claim arising from the person’s death – the next of kin, for example. The person should explain why the information requested is relevant to their claim.

•    But does not include someone who had Power of Attorney prior to death.

If the information requested includes information about third parties, it can be disclosed if the third party gives consent or is a health professional involved in the care of the patient or is otherwise irreversibly redacted or anonymised.

Subject Access Requests (SAR) may be made in writing and describe the type of information required with dates, if possible, and include sufficient information to ensure correct identification (name, address, date of birth, for example).  We will always check that the person asking for information has the right to do so and, if necessary, ask for proof of identity.

We will aim to provide the requested information within one month of receiving the request.  Should we need to extend the reply up to an additional two months, we will inform you of the delay and the reasons why.

In accordance with DPA2018, where requests are manifestly unfounded or excessive, we can charge an administrative fee or refuse to respond.

Requests for information about the practice

DPA2018 Part 2, Chapter 2, section 7 defines the meaning of ‘public authority’ to be ‘a public authority as defined by the Freedom of Information Act 2000’.  For this dental practice, this means the activities of the business that are funded by the NHS.

Freedom of information legislation allows anyone to ask for information about the provision of NHS services.  If the requested information is part of a larger document, we will disclose only the relevant part.

A freedom of information request cannot include clinical records or financial records.

The request must be made in writing to Dr Jill M Geaney and should describe the required information with dates if possible.

•    Email jill.geaney@nhs.net, or write to

•    Dr Jill M Geaney (Proprietor), Wedgwood House Dental Practice, 100 Bury Street, Stowmarket, Suffolk, IP14 1HF

Charges for information provided under a freedom of information request are included as follows:

•     Up to £10 (for records held on computer)

•     Up to £50 (for those held manually)

We will aim to provide the information within 20 working days of receiving the request or confirmation of identity or, if applicable, from the receipt of the fee.  Timescale may need to be extended if we need to seek clarification or are taking legal advice on whether an exemption applies.

Please note that we will not respond to:

•    Vexatious requests for information, for example, requests that are designed to cause inconvenience, harassment or expense.

•    Repeated requests for the same or similar information (unless the information changes regularly, for example performance or activity information)

Security of your personal data

GDPR and DPA2018 require us to apply data protection by design and by default (Article 25).

We will take reasonable technical and organisational precautions to prevent the loss, misuse, alteration, or inappropriate sharing of your personal information.

We employ administrative, electronic and physical security measures to ensure that the information that we collect about you is protected from access by unauthorised persons and protected against unlawful processing, accidental loss, destruction and damage.

This includes:

•      Up to date, certified software

•      Password protection

•      Data encryption

•      Data minimisation

•      Individual user accounts

•      Physical locks

•      Managed alarm systems

•      Anti-virus and malware protection

•      Perimeter and end-point firewalls

•      Secure servers

•      Secure Wi-Fi and dedicated wired networks

•      Secure back-up facilities

•      Proactive and recorded computer update, scan and audit procedures

•      Trained staff

Secure cloud-based storage is used at WHDP though not for employee or patient records.

We will store all the personal information you provide on our secure servers.  All electronic website communications you make to us will be encrypted.

Any non-two-week-wait referral for your treatment to other healthcare professionals, such as hospitals and oral care specialists, will use secure NHS email accounts.  Two-week-wait referrals use a secure NHS provided web portal and anonymisation to prevent inappropriate sharing of data.

Of course, data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.  This includes any email communication via non-NHS email accounts.  We therefore request you not to send us sensitive information over email accounts that we use for general enquiries or diary booking, reminder and recall correspondence.

Should we need to email you your sensitive data, we will do so using the [secure] feature of NHS email, or via another means with your consent.

All email accounts ending @wedgwood-house.com (or Wedgwood-house.co.uk) are provided through our website host supplier 1and1.co.uk.  Online storage and email accounts are automatically encrypted and may only be viewed by authorised individuals – maintenance and backup by 1and1 uses encrypted backups where contents cannot be decrypted or viewed by 1and1.

Occasionally we might send your sensitive personal information by post, typically by recorded delivery when multiple individuals.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.  Even prior to GDPR, we were mandated to notify the NHS, and the ICO, of data breaches in accordance with our NHS contract.

All information assets are recorded, and their data flows mapped, and risk assessed.  We have carried out a recent Data Privacy Impact Assessment (DPIA) on our dental information system, where identified risks have been mitigated or otherwise functionality disabled.

In accordance with the GDPR and DPA2018, all future changes or proposed new technology or processes will only be implemented after a DPIA has been completed and authorised.

How long will we keep your information?

We keep your dental records for 11 years after the date of your last visit or your 25th year, whichever is the greater.  Other data typically is held in accordance with NHS guidelines for data retention and disposal.  Sometimes the retention period is longer as recommended by the Dental Defence Union (DDU) best practice, for example to support a potential or ongoing dental insurance claim.

We have a retention schedule listing all documents and the timeframes for disposal.  Retention periods may be changed from time to time based on business or legal and regulatory requirements.  Before securely destroying the data in accordance with NHS guidelines (cross-cutting or incineration of paper, or making computer data beyond recovery, etc.) we re-audit the material, as sometimes ex-patients return to us several years later.  Should we use a third party to handle our destruction, then they operate under contract and provide records of their activities.

Due to the large amounts of data in backup files, it is not always possible to guarantee that a Request to Erase can be fulfilled.  WHDP will do its best not to process any applicable data marked for deletion.

Contact

In this practice we take complaints very seriously and try to ensure that all our patients are pleased with their experience of our service.  Our Patient Questionnaire Forms transparently inform our employees and customers of your compliments and complaints – historically the feedback suggests almost everyone has good experiences.

If you have any questions about this privacy policy or our treatment of your personal data, please email us at jill.geaney@nhs.net, or write to us at Dr Jill M Geaney (Proprietor), Wedgwood House Dental Practice, 100 Bury Street, Stowmarket, Suffolk, IP14 1HF.

Concerns

If you have any concerns about how WHDP use your information and you do not feel able to discuss it with your dentist or anyone at the practice, you can contact our Data Protection Officer (DPO), Leanne Stuteley via email at dpo@wedgwood-house.com.  (Whilst Mrs Stuteley is on maternity leave, please contact John Geaney at the same email address, who will liaise with Leanne as needed.)

You have the right to complain to the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.  Helpline 0303 123 1113 (local rate) or 01625 545 745 (national rate).

Changes to our privacy policy

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, may be notified to you by email.

Other Information

Our website may, from time to time, contain links to and from websites that we consider of interest to our customers.  If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.  Please check these policies before you submit any personal data to these websites.

Resources & References

Status

This Privacy Notice is effective 25 May 2018.

 

Version 1.0, 24 May 2018.

Any further questions?

Please email computer_support@wedgwood-house.com

Address

Dr J. M. Geaney

Wedgwood House Dental Practice

Bury Street 100, Stowmarket, IP14 1HF

Our new website tells you all about our services. If you want to get in touch with us, phone us on +44 (0)1449 771 700 to make or update an appointment.

In this practice we take complaints very seriously and try to ensure that all our patients are pleased with their experience of our service.  Should you have a complaint, then please FIRST write to Dr J M Geaney the practice Proprietor.

© Dr J. M. Geaney BDS