Privacy Notice for Patient Data
Arnica Dental Care takes great care to protect the personal data we hold for you in line with the requirements of the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (when enacted).
This privacy notice provides you with information about what personal data we collect, how we use your data, how we ensure your privacy is maintained, and your legal rights relating to your personal data.
Who We Are
We are a data controller for the purposes of protecting your data.
We are Arnica Dental Care Limited, a company registered in England and Wales as number 7532694.
We can be contacted:
- By Telephone – 01242 655 554
- By Email – email@example.com
- By Post – Data Protection Officer, Arnica Dental Care, 73 Leckhampton Road, Leckhampton, Cheltenham, GL53 0BS.
Personal Data We Collect & Process
We will generally collect data directly from you; however, we will sometimes receive data from other healthcare professionals. The types of data we collect and process include:
- Contact Details – Name, Address, Telephone Numbers, Email Addresses.
- Personal Details – Date Of Birth, NHS Numbers, National Insurance Numbers, Next Of Kin Details, Occupation & Family Group Details.
- Medical Details – GP Details, Medical History, Dental Care Records, Photographs, Correspondence.
- Financial Details – Bank & Payment Card Details, Financial information, Payment Plan Details.
- CCTV Images – We have CCTV in public areas of our surgery.
How & Why We Use Your Data
Data protection law means that we can only use your data for certain reasons and where we have a legal basis to do so. Here are the reasons for which we process your data:
- Providing Appropriate, Safe & Effective Dental Care – Providing our core dental care, treatment and advice for you. Our legal basis for doing this is contractual obligation and vital interests (see below).
- Business Administration of Your Care – We need to administer the care we have provided; for instance we may need to process insurance or payment plan claims, perform quality and regulatory controls to ensure efficient care. Our legal basis for doing so is contractual obligation.
- Marketing Purposes (with your consent) – We may send you emails and messages (including reminders) about services and products we offer to keep you up to date. Our legal basis for this is your consent.
- Security & Safety – We have CCTV in public areas of our surgery to ensure the safety and security of all of our patients, staff and visitors. Our legal basis for this is legitimate interest.
Our Legal Basis
We are required to have a legal basis for processing your data for the purposes identified above, and we have identified those. A brief explanation of each is:
- Contractual Obligation – Processing your data is necessary for a contract you have with us, or because we have asked you to take specific steps before entering into that contract.
- Vital Interests – Processing your data is necessary to protect your life and wellbeing.
- Legitimate Interests – Processing your data is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not outweighed by your rights and interests.
In each case, these legitimate interests are only valid if they are not outweighed by your rights and interests.
These legitimate interests are:
- Ensuring the safety and security of patients, visitors and staff in the practice.
- Consent – You have given clear consent for us to process your personal data for a specific purpose.
You can always withdraw your consent. You can do this by clicking on unsubscribe in any email or SMS we send, or by getting in touch via the contact details above. If you withdraw your consent and we have no other legal basis for processing your data we will stop. If we do have another legal basis we will continue to do so, subject to your legal rights.
We have physical, electronic, and managerial procedures to safeguard and secure the information we collect. We have these measures audited at least annually. For more information on our efforts to ensure your data is held in a secure manner, please ask to see a copy of our Data Security Policy.
Where We Store & Process Your Data
Your personal data is stored and processed at our surgery in Cheltenham, and in any data processing facilities operated by the third parties below.
We will never transfer medical data outside the European Economic Area. Some non-sensitive personal data may be processed outside the EEA (for example, our emails may pass through Mailchimp servers in the USA). We only do this where it is unavoidable, and where we do, we apply special provisions to ensure your data remains as secure as if it were in the EEA.
How Long We Keep Your Data
We retain dental records and orthodontic study models while you are a patient of our practice and after you cease to be a patient, for at least eleven years, or for children until age 25, whichever is the longer.
Third Parties Who Process Your Data
Like most businesses, we rely on third parties to provide some services to us, such as IT, payment and delivery. We only use third parties we believe to be the best in their field, and we impose contractual terms to ensure they respect data like we do.
It is sometimes necessary to share your data with these providers, but we only do so when strictly necessary and always according to the safeguards and good practices detailed here and in our Data Protection Policy. These are known as “Data Processors” in data protection law – they are only allowed to use your data as we instruct them in writing. Our current processors, and the services they provide, are:
- SoE (Software of Excellence)
- ICP (Independent Care Plan)
- Dental Specialists (if we refer you to a specialist such as an Orthodontist)
- Response Tap (Call recording for quality and training purposes)
We also have regulatory and legal requirements to share your data. Third parties we may share your personal information with may include:
- Regulatory authorities such as the General Dental Council or the Care Quality Commission
- NHS Local Authorities
- Dental payment plan administrators
- Insurance companies
- Loss assessors
- Fraud prevention agencies
- In the event of a possible sale of the practice at some time in the future.
We may also share personal information where we consider it to be in a patient’s best interest or if we have reason to believe an individual may be at risk of harm or abuse.
You have a right to be informed about any automated profiling or decision making which produces a legal effect on you. We don’t do any processing like this, but we do use automated systems to provide an efficient service to you – for example, we send automated emails and text messages to remind you of your appointments. You will always be able to opt out of this processing.
Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data, which this policy and our use of your data have been designed to uphold:
- Right to be informed – you have the right to be informed about our collection and use of your personal data.
- Right of access – you have the right to request a copy of the information that we hold about you. You can do this by contacting us using the above details.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply, you have a right to restrict our processing.
- Right to object to automated processing and profiling – you also have the right not to be subject to legal effects of automated decision making and profiling.
- Withdrawal of consent – where our processing is based on your consent you have the right to withdraw this at any time.
If you have cause for complaint about our use of your data, or you would like to exercise any of your rights, then please contact us using the details provided in Section 1 and we will do our best to solve the problem for you.
If we are unable to help, or you aren’t satisfied with our response, you also have the right to lodge a complaint with the UK’s supervisory authority – The Information Commissioner’s Office (ICO). The ICO can be contacted:
- By post – The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
- By telephone – 0303 123 1113
- Via its website – www.ico.org.uk
Updates to This Notice
This Privacy Notice was reviewed and implemented on: 21/05/2018
It will be reviewed annually and is due for review on: 21/05/2019 or prior to this date in accordance with new guidance or legislative changes.