We are committed to safeguarding the privacy of our patients either online or in the practice; this policy/notice sets out how we will treat your personal information.
PRIVACY NOTICE FOR PATIENTS
KEEPING YOUR RECORDS SAFELY
This practice aims to comply with the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the guidelines on the Information Commissioner’s website, as well as our own professional guidelines and requirements. This means that we will ensure that your information is processed fairly and lawfully.
As part of the services we offer, we are required to process personal data about our staff, our patients and sometimes the relatives of our patients. “Processing” can mean collecting, recording, organising, storing, sharing or destroying data.
We obtain your personal details when you enquire about our care and services, when you join the practice, when you complete a practice record form or medical history form and when another healthcare professional refers you for treatment (e.g. from your NHS dental practice).
We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this privacy notice. It also explains your rights when it comes to your data.
WHAT PERSONAL DATA DO WE NEED TO HOLD?
In order to provide you with a high standard of dental care and attention, we need to process personal information about you. It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.
We may also process Sensitive Special Category Data
Categories and why we process the data
Personal Data
Special Category Data
Legal bases for processing your data
Patient data is processed in accordance with the 2005 NHS General Dental Services contract and the relevant UK Data Protection Act (DPA2018) as regulated by the UK Information Commissioner’s Office (ICO). All personal data associated with NHS treatments, including any private treatments on NHS patients, is shared with NHS England and their NHS partners under the terms of the mentioned GDS contract. Information related to private patients is processed under similar conditions though not shared with the NHS. We are legally required to share all information with the Care Quality Commission (CQC) and the General Dental Council (GDC) should they request it.
Processing of staff or patient medical records is done so under DPA2018, and GDPR Articles:
All personal data is stored in the EU either in Digital or Hardcopy format.
For full details of where we store your personal data please ask to see our Information Governance Procedures.
WHY DO WE HOLD INFORMATION ABOUT YOU?
We need to keep comprehensive and accurate personal data about our patients in order to provide them with safe and appropriate orthodontic care. We also need to process personal data about you in order to provide care under NHS arrangements and to ensure the proper management and administration of the NHS.
This means your records are used to direct, manage and deliver the care you receive to ensure that:
If we wish to use your information for dental research or dental education, we will discuss this with you and seek your explicit consent. Depending on the purpose and if possible, we will anonymise your information. If this is not possible we will inform you and discuss your options.
DISCLOSURE/ SHARING OF INFORMATION
In order to provide proper and safe dental care, we may need to disclose personal information about you to:
Disclosure will take place on a “need to know” basis, so that only those individuals/organisations who need to know in order to provide care to you and for the proper administration of government (whose personnel are covered by strict confidentiality rules) will be given the information. Only that information that the recipient needs to know will be disclosed.
Patients over 14 have the option to list which family members/ other person we can share data with e.g. appointments or treatment/medical history.
We never pass your personal details to a third party unless we have a contract for them to process data on our behalf, and will otherwise keep it confidential. In very limited circumstances or when required by law or a court order, personal data may have to be disclosed to a third party not connected with your health care. In all other situations, disclosure that is not covered by this Code of Practice will only occur when we have your specific consent, for example a referral to a secondary care practitioner or hospital; your permission will be obtained before the referral is made, where it will be shared with the NHS.
Where possible, you will be informed of these requests for disclosure.
SECURITY OF YOUR PERSONAL DATA AND INFORMATION
GDPR and DPA2018 require us to treat data protection by design and default. We will take reasonable technical and organisational precautions to prevent the loss, misuse, alteration, or inappropriate sharing of your personal information.
We employ administrative, electronic and physical security measures to ensure that the information that we collect about you is protected from access by unauthorised persons and protected against unlawful processing, accidental loss, destruction and damage.
Personal data about you is held in the practice’s secure computer system and in a secure manual filing system. The information is not available to the public and is only accessible to authorised personnel. Your personal information is carefully protected by the staff at this practice. All information is held securely and can only be accessed using regularly changed passwords. All our staff have individual accounts and are trained in safe data usage. Data is encrypted and computer terminals are closed if unattended. Computers containing patient data software are in a closed network with no internet access. Our computer system has secure audit trails and we back up information routinely to a secure server. Our only internet access is through the practice laptop, which isn’t connected to the practice computers. It has anti-virus and malware protection and uses a secure Wi-Fi connection.
We also use physical locks and managed alarm systems.
Personal information will not be removed from this practice without the patient’s authorised consent. Any lab work sent away only has an ID number and surname to avoid personal identification.
Any non-two-week-wait referral for your treatment to other healthcare professionals (hospitals and oral care specialists) will use secure NHS email accounts or a secure NHS-provided web portal to prevent inappropriate sharing of data.
Of course, data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet. This includes any email communication via non-NHS email accounts. We therefore request you not to send us sensitive information over email accounts that we use for general enquiries or diary booking, reminder and recall correspondence.
Should we need to email you your sensitive data, we will do so using the [secure] feature of NHS email, or via another means with your consent.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. Even prior to GDPR, we were mandated to notify the NHS, and the ICO, of data breaches in accordance with our NHS contract.
All information assets are recorded, and their data flows mapped, and risk assessed. We have carried out a recent Data Privacy Impact Assessment (DPIA) on our dental information system, where identified risks have been mitigated or otherwise functionality disabled.
In accordance with the GDPR and DPA2018, all future changes or proposed new technology or processes will only be implemented after a DPIA has been completed and authorised.
YOUR RIGHTS
The GDPR includes many ‘rights’ for the data subject to exercise. These are listed below. It should be noted however that not all are applicable under UK law, DPA2018, in the delivery of your dental care.
DPA2018 Exemptions from the GDPR
The Data Protection Act 2018 Schedule 3 does contain exemptions from the above GDPR rights when pertaining to health. Please be aware of the following:
Further details of these rights can be found in our Information Governance Procedures or at the Information Commissioner’s Website www.ico.org.uk
REQUESTS FOR PERSONAL INFORMATION
Data protection legislation allows individuals to request access to their personal information at nil cost. Those eligible to request access include:
If a request concerns information about a deceased person, those eligible to request access include:
If the information requested includes information about third parties, it can be disclosed if the third party gives consent or is a health professional involved in the care of the patient or is otherwise irreversibly redacted or anonymised.
Subject Access Requests (SAR) may be made in writing and describe the type of information required with dates, if possible, and include sufficient information to ensure correct identification (name, address, date of birth, for example). We will always check that the person asking for information has the right to do so and, if necessary, ask for proof of identity.
We will aim to provide the requested information within one month of receiving your request. Should we need to extend the reply up to an additional two months, we will inform you of the delay and the reasons why.
In accordance with DPA2018, where requests are manifestly unfounded or excessive, we can charge an administrative fee or refuse to respond.
REQUESTS FOR INFORMATION ABOUT THE PRACTICE
DPA2018 Part 2, Chapter 2, section 7 defines the meaning of ‘public authority’ to be ‘a public authority as defined by the Freedom of Information Act 2000’. For this dental practice, this means the activities of the business that are funded by the NHS.
Freedom of information legislation allows anyone to ask for information about the provision of NHS services. If the requested information is part of a larger document, we will disclose only the relevant part.
A freedom of information request cannot include clinical records or financial records.
The request must be made in writing to Dr Kornel Csongrady and should describe the required information with dates if possible.
Charges for information provided under a freedom of information request are included as follows:
We will aim to provide the information within 20 working days of receiving the request or confirmation of identity or, if applicable, from the receipt of the fee. Timescale may need to be extended if we need to seek clarification or are taking legal advice on whether an exemption applies.
Please note that we will not respond to:
HOW LONG IS THE PERSONAL DATA STORED FOR?
RETAINING INFORMATION (RECORD KEEPING)
We are required to retain your dental records, X-rays and study models while you are a patient of this practice and after you cease to be a patient. We have to abide by the NHS Records Management Code of Practice, which means that at the end of your treatment, when you are discharged, the following rules apply:
If you are under 17, records are kept until you turn 25 years old.
If you are 17, records are kept until you turn 26 years old.
If you are 18 or over, records are kept for 15 years.
We archive all electronic medical records as a patient finishes treatment, and we then delete them at the appropriate date; at present this is not a permanent 100% delete as the software/backup system doesn’t allow for this. Other data typically is held in accordance with NHS guidelines for data retention and disposal.
We have a retention schedule listing all documents and the timeframes for disposal. Retention periods may be changed from time to time based on business or legal and regulatory requirements. Before securely destroying the data in accordance with NHS guidelines (cross-cutting or incineration of paper, or making computer data beyond recovery, etc.) we re-audit the material – sometimes ex-patients return to us several years later. Should we use a third party to handle our destruction, then they operate under contract and provide records of their activities.
Sometimes the retention period is longer as recommended by the Dental Defence Union (DDU) best practice, for example to support a potential or ongoing dental insurance claim. We reserve the right to retain details of bad debtors indefinitely to ensure the financial stability of our business.
What if you are not happy or wish to raise a concern about our data processing?
You can complain in the first instance to our Data Controller, Dr Kornel Csongrady, or to our Data Protection Officer/Governance Lead, June Schofield, on 01473 462355 or by email at info@orthoactive.co.uk.
We will do our best to resolve the matter. If this fails, you can complain to the Information Commissioner at www.ico.org.uk/concerns or by calling 0303 123 1113.
NATIONAL DATA OPT OUT POLICY
How the NHS and care services use your information.
When you use a health and care system such as Accident and Emergency or Community Services, important data is collected about you in a patient record for that service. This information can sometimes be used and/or provided to other organisations for purposes beyond your individual care.
This may aid in the following:
Your information can only be shared when there is a clear legal basis to do so; confidential patient information is only used like this when allowed by law. Most of the time anonymised data is used for research and planning, in which case your confidential data isn’t needed.
All patients have a choice about whether they want their data used in this way. If you are happy with this use of your information you do not have to do anything.
If you only want your confidential data to be used in your own personal care you have the option to opt out. To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page as well as finding out more about how your personal data will be used, you can access the system to view, set or change your opt out setting. There is also a contact telephone number if you wish to know more or opt out by telephone.
Don’t forget you can change your mind about your choice at any time. All Health and Care organisations have had to put systems and processes in place to be compliant with the National Data Opt-out and to apply your personal choice to any confidential information they hold.
Orthoactive only uses your personal health data to provide individualised personal care to you and does not use or disclose your data for any other reason. Therefore the National Data Opt-out does not apply to our data so we are compliant with the National Policy.
Cookies
Liability notice
Despite careful checking, we assume no liability for the content of external links. The content of linked pages is the exclusive responsibility of their operators.
Links
This website contains links to other websites or social media sites. By clicking on a link that leads to a third-party website you acknowledge that these websites have their own privacy policies. Please check the privacy policies when using these websites, as we assume no responsibility or liability whatsoever for third-party websites.
Cookies
Our website uses cookies. If you have already visited the Orthoactive website, you will have alerted the cookies, which may or may not allow you access.
The vast majority of commercial websites use cookies (tiny text files that download to your computer when you visit a website) for a variety of purposes including functional reasons like storing shopping basket items, personalizing content, counting visitors etc. Most cookies, including the ones used here, are harmless.
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies can be used by web servers to identify and track users as they navigate different pages on a website, and to identify users returning to a website.
Cookies may be either “persistent” cookies or “session” cookies. A persistent cookie consists of a text file sent by a web server to a web browser, which will be stored by the browser and will remain valid until its set expiry date (unless deleted by the user before the expiry date). A session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies on this website
Google Analytics (by third parties):
This website uses Google Analytics, a web analysis service of Google Inc, (1600 Amphitheatre Parkway Mountain View, CA 94043, USA; “Google”). The use includes the “Universal Analytics” operating mode. This facilitates the assignment of data, sessions and interactions across several devices to a pseudonymous user ID and thus the analysis of a user’s activities across devices.
Google Analytics uses “cookies”, which are text files placed on your computer, to allow the website operator to analyze how users use the site. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. However, if IP anonymisation is activated on this website, Google will shorten your IP address within Member States of the European Union or in other states party to the Agreement on the European Economic Area beforehand. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services related to website and Internet use. Our legitimate interest in data processing also lies in these purposes. The legal basis for the use of Google Analytics is § 15 para. 3 TMG and Art. 6 para. 1 lit. f GDPR. The data sent by us and linked to cookies, user-identifiers (e.g. User-IDs) or advertising-identifiers are automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month. For more information on terms of use and data protection, please visit https://www.google.com/analytics/terms/gb.html or https://policies.google.com/?hl=en.
How we use cookies
Cookies do not contain any information that personally identifies you, but we may use the information we obtain from your use of our cookies for the following purposes:
(1) to recognise your computer when you visit our website;
(2) to improve the website’s usability;
(3) to analyse the use of our website;
(4) in the administration of this website.
Third party cookies
When you use our website, you may also be sent third party cookies. Our service providers may send you cookies. They may use the information they obtain from your use of their cookies.
Blocking / Deleting cookies
Most browsers allow you to refuse to accept cookies. Blocking all cookies will, however, have a negative impact upon the usability of many websites.
Internet Explorer:
Google Chrome:
Mozilla Firefox:
Safari:
Contact us
If you have any questions about our cookies or this Privacy Policy, please contact the practice directly on 01473 462355.
We may update this privacy policy from time to time by posting a new version on our website. You should check this page occasionally to ensure you are happy with any changes.