Orangefield Dental Care, 2 Orangefield Place, Greenock. Tel – (01475) 722341
We are committed to complying with the Data Protection Act 1998, the General Data Protection Regulation (GDPR), GDC, NHS and other standards.
The data controller is the practice owner, who is also the Information Governance Lead and the Data Protection Officer.
At Orangefield Dental Care we only keep relevant information about our employees for the purpose of their employment, and the personal data we keep regarding our patients is only to provide them with safe and appropriate dental care.
The personal information we keep regarding our patients includes facts (e.g. treatment you have had) and opinions (e.g. any concerns you or your dentist might have about your dental health). To provide the best possible care for you, accurate and comprehensive personal information is required. The following records are kept and updated regularly:
- personal information and contact details, including your name, address and date of birth;
- dental, social and medical histories (e.g. past or current medical conditions, current medication, the name of your GP);
- results of the examination of your mouth and oral health, including x-rays and clinical photographs;
- information about appointments;
- any treatments and their costs;
- any proposed care, including advice we give to you and referrals you might need;
- any concerns you or your dental team might have;
- details of your consent for specific procedures;
- correspondence with other healthcare workers that relates to your care.
The legal basis for processing data is:
- Processing which is necessary for the care of our patients
- The healthcare data we process includes special data.
Computerised and hard copies of our records are stored and updated safely and confidentially. We keep patient records for adult patients for a minimum of 11 years and for child patients for either 11 years or until the child is 25 years of age, whichever is longer. Our records will be destroyed safely when we are no longer required to keep this information. Any confidential information is only available to employees who are authorised to access it, and all our employees are trained on the relevant policies and procedures to keep personal patient data confidential.
How we process personal information:
We share personal information to provide our patients with appropriate care. We might need to share personal data with:
- another dentist or health professional who is caring for you;
- your GP;
- a laboratory;
- NHS payment authorities;
- the Inland Revenue;
- the Benefits Agency, if you are claiming exemption or remission from NHS charges;
- a private dental scheme, if you are a member.
In these cases, only the minimum information required will be shared. Rarely, the law requires us to pass on information to prevent serious crime or injury. Where possible, we will inform you of requests to share personal information.
All confidential information is sent via secure methods. Electronic communications and stored data are encrypted. All computerised clinical records are backed up and encrypted copies are kept off site.
No information or comments about patients are posted on social networking sites.
Criminal record check information will be kept securely in a lockable cabinet with strictly controlled access.
The personal information we store regarding our employees, for the purpose of their employment, includes:
- Contact Numbers
- HMRC Information
- Bank Details
- Educational & Qualification Records
- Various copies of ID (e.g. passport, driving licence, etc.)
- Immunisation History
- Any necessary Medical Information
- Curriculum Vitae
Any computerised and hard copies of our records are stored and updated safely and confidentially. Our records will be destroyed securely when we are no longer required to keep this information.
At Orangefield Dental Care we have appropriate procedures to ensure personal data breaches are detected, reported and fully investigated. This will include a procedure to assess and then report any breaches to the ICO if the individual is likely to suffer through e.g. identity theft or confidentiality breach.
The practice will report serious data breaches to the ICO within 24 hours of finding out the essential facts.
The practice will log all facts about the data breach and what action was taken.
Subject Access Requests (SAR)
Patients and employees can have access to view their records free of charge.
Copies of patients' or employees' records can be requested from Julie Currie, Practice Manager. The requested copies will be provided without delay and within one month of the receipt of request.
An employee or patient may challenge or disagree with information held on record. Following investigation, should the information be inaccurate, the practice will correct the records and inform the individual in writing.
When information is requested about the personal data of a child, the practice will decide if the child is mature enough to understand their rights. If they do, the practice will consider responding directly to the child rather than the parent. If it is decided the child is not mature enough to understand their rights, and there is doubt about parental responsibility, proof of identity and evidence of parental responsibility will be requested. The practice will update its privacy notice to ensure it gives information in a language that can be understood by a child on any processing of children’s personal data.
When the practice receives a third-party request for information (e.g. from a solicitor), evidence of their permission will be requested; this could be a written authority to make a request or a power of attorney.
When the practice receives a request for information for a patient who lacks the mental capacity to manage their affairs, the practice will ask to see evidence of a Lasting Power of Attorney or the evidence of appointment by:
- The Sheriff Court in Scotland
This policy should be read with our Data Protection, Confidentiality and Information Security Policy.
Consent for Marketing
When we obtain consent for marketing, such as e-mail marketing, this consent is specific, clear and produced on an opt-in basis; it is fully documented and easily withdrawn. We have a system to record consent and have appropriate procedures to ensure an effective audit trail.