This Privacy Notice describes how we, Wedgwood House Dental Practice (hereafter known as WHDP), process your personal data. This could be collected when you visit our practice in Stowmarket, Suffolk for dental services, contact us to make an enquiry, give a compliment, make a complaint, request information, participate in a promotion, or in connection with an actual or potential business or employment relationship with us.
We respect your privacy and we are committed to protecting your personal information in order to reflect the value we place on earning and keeping the trust of our employees, customers and suppliers. We are committed to achieving compliance with GDPR and the uplifted UK Data Protection Act in 2018, and guidelines on the Information Commissioner's website as well as our professional guidelines and requirements.
This privacy notice describes what personal information we collect and for what reason, how we process it and under what legal basis, who we share it with, how we protect and keep your information safe, up to date and complete, and how we enable you to exercise your rights under data protection law.
Personal Data is any information that allows an individual (the data subject) to be identified. This includes information where the individual is not named but a cross-reference to other information held by the practice would allow identification.
Data Subject is any identified or identifiable natural (living) person, whose personal data is processed by the controller responsible for the processing.
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Restriction of Processing is the marking of stored personal data with the aim of limiting their processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Unauthorised reversal of pseudonymisation would constitute an Information Governance breach.
Controller or Controller Responsible for The Processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Third Party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
We process personal information about our employees, customers (patients) and suppliers.
We collect data about patients who use our services that is relevant to their healthcare and that allows WHDP to deliver its services to our patients.
The types of data we may collect are listed below and we will only use that data in ways relevant to carrying out our lawful purposes and functions and in a way that is not detrimental to the interests of our patients or employees. At WHDP we will take particular care in the collection and storage of any personal ‘special’ (i.e. healthcare) data. Everyone working within WHDP has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.
For online appointments that incorporate a financial deposit using Stripe, Stripe will be a processor of personal data on behalf of WHDP. It will also be a data controller between itself and the payment card industry businesses such as Visa, Mastercard and American Express. Our dental software EXACT application and the SoE support staff are processors of personal data.
Our dental professionals caring for you keep records about your health and any treatment and care you receive from our practice. These records help to ensure that you receive the best possible care. They may be written down in paper records or held on computer. These records may include:
We also collect your feedback and complaints. Typically, this is paper based, using the ‘Patient Questionnaire’ that incorporates the NHS Friends and Family Test (FTT).
It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible. This is usually done each time you visit the dental practice using our ‘Clinipad’ computer tablet. E.g. contact and NHS exemption details at the reception desk, and medical history information when seeing your dentist or hygienist.
We collect CCTV images of movements including persons in the rear car park of WHDP. No facial recognition or artificial intelligence is enabled to identify persons. Storage of these images is strictly controlled and may be shared with another organisation, for example the police, should there be criminal damage or a safeguarding issue.
From 28/10/2022, we use a digital telephone system on our main 01449 771 700 line. This has the option of recording the conversation of both the called and calling party - default off. Should it be enabled (by the reception team) the message will be securely stored until it is no longer required for training or quality purposes - please note any live calls will not record payment card details. Similar to the PSTN system being replaced, any voice messages that you leave, for example to advise you would like to make a dental appointment, will be stored securely until they have been processed by the reception team - all messages will be deleted typically after 30 days or sooner if storage space limitations demand.
New online appointment bookings are driven by the customer supplying their own personal data. They will enter their sex, first and last name, date of birth, an email address and mobile number. (The information is used within the EXACT dental software to identify the correct patient record.) For customers of WHDP using Stripe for the online financial transactions, “Personal Data” means any information that relates to an identified or identifiable individual, and can include information about how you engage with our Services (e.g. device information, IP address). Other personal information can include:
Name, email, billing and/or shipping address, payment method information (such as credit or debit card number, bank account information or payment card image), merchant and location, purchase amount, date of purchase, and in some cases, some information about what you have purchased, phone number and tax-related ID. The payment method information that we collect will depend upon the payment method that you choose to use from the list of available payment methods offered by the Business User as part of the “checkout” process for your purchase. We may also receive your transaction history with the Business User. https://stripe.com/gb/privacy-center/legal#data-transfers
When you visit this website our hosting company 1and1.co.uk may send “cookies” to your computer primarily to enhance your on-line experience. “Cookies” are invisible files which can identify you as a unique viewer and may store your personal preferences as well as technical information.
We only collect technical data about the type of Internet browser and computer operating system that you use when viewing our website (https://wedgwood-house.com). This information does not identify you as an individual (your identity remains anonymous) and is used only for the tracking of site use to measure its performance (e.g. the interest level) of our publicly available information.
For more information on cookies and how to disable them you can consult the information provided by, for example, the Interactive Advertising Bureau UK at www.allaboutcookies.org, or another reference mentioned at the end of this privacy notice.
Your records are used to direct, manage and deliver the care you receive to ensure that:
If we wish to use your information for dental research or dental education, we will discuss this with you and seek your explicit consent. Depending on the purpose and if possible, we will anonymise your information. If this is not possible we will inform you and discuss your options, including opting out.
We do not carry out any automated profiling or use artificial intelligence at WHDP.
Your information is normally used only by those working at the practice but there may be instances where we need to share it – for example, with:
Your information is shared with third parties to deliver the following services to you:
WHDP may disclose your personal information to third parties:
We will only disclose your information on a need-to-know basis and will limit any information that we share to the minimum necessary.
Some of your information may be transferred out of the European Economic Area (EEA), primarily in support of our dental Information System that processes your medical records. Where information is transferred outside of the European Economic Area (“EEA”), we require that appropriate safeguards are in place and we use contracts that require the recipient to protect your Personal Data to the same standards as it would be within the EEA.
We do not pass your details to any third parties for marketing purposes.
Patient data is processed in accordance with the 2005 NHS General Dental Services contract and the relevant UK Data Protection Act (DPA2018) as regulated by the UK Information Commissioner’s Office (ICO). All personal data associated with NHS treatments, including any private treatments on NHS patients, is shared with NHS England and their NHS partners under the terms of the mentioned GDS contract. NHS claims forms include treatment details using mandatory SNOMED codes and information about the number of decayed, filled or missing teeth that the NHS uses for planning purposes. Information related to private patients is processed under similar conditions though not shared with the NHS. We are legally required to share all information with the Care Quality Commission (CQC) and the General Dental Council (GDC) should they request it.
Processing of staff or patient medical records is done so under DPA2018, and GDPR Articles:
The lawful basis for processing EXACT online booking appointments is the same as that for verbal booking, i.e. DPA2018, and GDPR Articles: 6(1)(b), 6(1)(c) and 9(2)(b) to carrying out the obligations related to the NHS GDS contract, GDC standards and guidelines.
When a customer of WHDP provides their personal-financial details to action a booking dependent on a deposit they consent themselves to do this by entering then completing the transaction with Stripe. The WHDP customer’s personal information is shared on a legitimate basis as part of a contract with Stripe and WHDP. Stripe provide information about this transaction to the SoE EXACT server fee/booking app under a contract between SoE and Stripe.
To understand the performance of the business carrying out medical treatments, both NHS and private, the dental information system is used to generate reports, under Article 6(1)(b), 6(1)(f) and 9(2)(d) legitimate interests. Only authorised staff do this. Typically, the data is fully anonymised thus requiring no lawful basis, and where not, it is stored on secure computers with restricted access control.
We collect personal data from you in order to action financial payments with the healthcare (consented using the FP17PR form)(consented using ‘treatment plans’) i.e. Articles 6(1)(a), 6(1)(b), 6(1)(c) and 9(2)(a), and for financial institutions as required by UK and international banking and electronic card payment (PCI-DSS) law.
We collect CCTV images using Article 6(1)(f) legitimate interests. All images are automatically destroyed after 30 days unless determined for the sharing with third parties to pursue criminal damage or safeguarding claims.
When dental crowns, veneers, dentures and mouthguards are made by dental laboratories, we may use pseudonymised codes instead of patient names, or limited personal details (such as name) when we have a legal data sharing agreement/contract in place, in accordance with GDPR Articles 6(1)(b) and 9(2)(d) and 9(2)(h). Note that some labs would like to use patient consent as a lawful basis, Article 6(1)(a) and 9(2)(a), which is not practical in our dental practice environment, so we rely upon the patient’s medical consent to treatment and the mentioned data sharing agreement/contract.
Should we decide to use our dental information system to manage electronic marketing via email or SMS, we will explicitly request your consent. (Not used at this time).
The GDPR includes many ‘rights’ for the data subject to exercise. These are listed below. It should be noted however that not all are applicable under UK law, DPA2018, in the delivery of your dental care.
• Right to access facts about that being processed (Article 15)
• Right to rectification to make data complete without delay (Article 16)
• Right to erasure (be forgotten). You have a right to request that we delete your personal information, although you should be aware that, for legal reasons, we may be unable to erase certain information, for example, information about your dental treatment. (Article 17)
• Right to restriction of processing if data inaccurate, taken unlawfully or for different processing purpose, or no longer needed (Article 18). For example, sending you reminders for appointments or information about our service.
• Right to data portability requires controllers to support moving data to another controller (dentist) if that data is processed by automated means (Article 20). Please note that our dental information system supplier has limited functionality to export patient data and would be unable to import the data into another dentist’s system even if it were the same system.
• Right to object to the processing of personal data … typically when process is consented to, used for marketing, or ‘profiling’ activities used (Article 21).
• Right not to be subjected to automated individual decision-making (Article 22)
• Right to lodge a complaint with a supervisory authority (Article 77)
• Right to an effective judicial remedy against a decision of a supervisory authority and against a controller or processor (Article 78)
• Right to be represented by organisations and others (Article 80)
• Right to compensation (Article 82)
DPA2018, Schedule 3 identifies activities outside the powers of the data protection legislation. For example,
Data protection legislation allows individuals to request access to their personal information at nil cost. Those eligible to request access include:
If a request concerns information about a deceased person, those eligible to request access include:
If the information requested includes information about third parties, it can be disclosed if the third party gives consent or is a health professional involved in the care of the patient or is otherwise irreversibly redacted or anonymised.
Subject Access Requests (SAR) may be made in writing and describe the type of information required with dates, if possible, and include sufficient information to ensure correct identification (name, address, date of birth, for example). We will always check that the person asking for information has the right to do so and, if necessary, ask for proof of identity.
We will aim to provide the requested information within one month of receiving the request. Should we need to extend the reply up to an additional two months, we will inform you of the delay and the reasons why.
In accordance with DPA2018, where requests are manifestly unfounded or excessive, we can charge an administrative fee or refuse to respond.
DPA2018 Part 2, Chapter 2, section 7 defines the meaning of ‘public authority’ to be ‘a public authority as defined by the Freedom of Information Act 2000’. For this dental practice, this means the activities of the business that are funded by the NHS.
Freedom of information legislation allows anyone to ask for information about the provision of NHS services. If the requested information is part of a larger document, we will disclose only the relevant part.
A freedom of information request cannot include clinical records or financial records.
The request must be made in writing to Dr Jill M Geaney and should describe the required information with dates if possible.
Charges for information provided under a freedom of information request are included as follows:
We will aim to provide the information within 20 working days of receiving the request or confirmation of identity or, if applicable, from the receipt of the fee. Timescale may need to be extended if we need to seek clarification or are taking legal advice on whether an exemption applies.
Please note that we will not respond to:
GDPR and DPA2018 require us to treat data protection by design and default (Article 25).
We will take reasonable technical and organisational precautions to prevent the loss, misuse, alteration, or inappropriate sharing of your personal information.
We employ administrative, electronic and physical security measures to ensure that the information that we collect about you is protected from access by unauthorised persons and protected against unlawful processing, accidental loss, destruction and damage.
This includes:
We store all personal information you provide (staff and patients) on our local secure computers and/or secure paper storage.
All electronic website medical communications you make to us will be encrypted.
Secure UK-based cloud back-up digital data storage is used at WHDP. All data transfers are logged and encrypted on WHDP computers before transferring to cloud servers – the encryption key is not stored on the cloud servers. Data is protected from crypto ransomware.
Any non-two-week-wait referral to other healthcare professions for your treatments to hospitals and oral care specialists will use secure NHS email accounts. Two-week-wait referrals use a secure NHS provided web portal and anonymisation to prevent inappropriate sharing of data.
Of course, data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet. This includes any email communication via non-NHS email accounts. We therefore request you not to send us sensitive information over email accounts that we use for general enquiries or diary booking, reminder and recall correspondence.
Should we need to email you your sensitive data, we will do so using the [secure] feature of NHS email, or via another means with your consent.
All email accounts ending @wedgwood-house.com (or Wedgwood-house.co.uk) are provided through our website host supplier IONOS. Online storage and email accounts are automatically encrypted and may only be viewed by authorised individuals – maintenance and backup by IONOS uses encrypted backups where contents cannot be decrypted or viewed by IONOS.
Occasionally we might send your sensitive personal information by post, typically by recorded delivery when multiple individuals.
Stripe will provide some or all of the Services from systems located within the United States or other countries outside of United Kingdom. As such, it is WHDP’s obligation to disclose to its customers that Payment Data may be transferred, processed and stored outside of United Kingdom and, as set forth in Stripe’s Privacy Policy, may be subject to disclosure as required by applicable Laws, and to obtain from your customers all necessary consents under applicable Laws in relation to the foregoing.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. Even prior to GDPR, we were mandated to notify the NHS, and the ICO, of data breaches in accordance with our NHS contract.
All information assets are recorded, and their data flows mapped, and risk assessed. We have carried out a recent Data Privacy Impact Assessment (DPIA) on our dental information system, where identified risks have been mitigated or otherwise functionality disabled.
In accordance with the GDPR and DPA2018, all future changes or proposed new technology or processes will only be implemented after a DPIA has been completed and authorised.
We keep your paper and X-ray film dental records for 11 years after the date of your last visit or your 26th year, whichever is the greater ... changing [Privacy Notice v7.0] back to 11 years for adult records. Until our computer software allows us to delete electronic medical records, we must keep your medical and associated image files beyond this time until a time (next review August 2024) when it can be completely deleted and without risk to other patient information and during this time it will be clearly marked as 'inactive'. Other data typically is held in accordance with NHS guidelines for data retention and disposal. Sometimes the retention period is longer as recommended by the Dental Defence Union (DDU) best practice, for example to support a potential or ongoing dental insurance claim. We reserve the right to retain details of bad debtors indefinitely to ensure the financial stability of our business.
We have a retention schedule listing all documents and the timeframes for disposal. Retention periods may be changed from time to time based on business or legal and regulatory requirements. Before securely destroying the data in accordance with NHS guidelines (cross-cutting or incineration of paper, or making computer data beyond recovery, etc.) we re-audit the material – sometimes ex patients return to us several years later. Should we use a third party to handle our destruction, then they operate under contract and provide records of their activities.
Due to the large amounts of data in backup files, it is not always possible to guarantee a Request to Erase request can be fulfilled. WHDP will do its best not to process any applicable data marked for deletion.
The use of online booking does not change the information retention period for data stored on the EXACT dental server. Financial data collected using the Stripe banking facility keeps Personal Data for as long as Stripe reasonably needs to for the purposes listed here.
When determining the relevant retention periods, [Stripe] will consider various criteria such as your location, the nature of our relationship with you, the types of products or services being offered or provided to you, the nature and sensitivity of your Personal Data, the mandatory retention periods provided by law or statute of limitations and any overriding legitimate grounds for continuing to retain the Personal Data (such as defending our rights in court, enforcing our agreements, detecting fraud or complying with valid legal process requests from courts or competent authorities).
For most jurisdictions, Stripe will generally keep Personal Data related to Business Users for a period of five or more years from the end of the business relationship with you, or the date of the last transaction, whichever is later.
See https://stripe.com/gb/privacy-center/legal#data-transfers
In this practice we take complaints very seriously and try to ensure that all our patients are pleased with their experience of our service. Our Patient Questionnaire Forms transparently inform our employees and customers of your compliments and complaints – historically the feedback suggests almost everyone has good experiences.
If you have any questions about this privacy policy or our treatment of your personal data, please email us at jill.geaney@nhs.net, or write to us at Dr Jill M Geaney (Proprietor), Wedgwood House Dental Practice, 100 Bury Street, Stowmarket, Suffolk, IP14 1HF.
If you have any concerns about how WHDP use your information and you do not feel able to discuss it with your dentist or anyone at the practice, you can contact our Data Protection Officer (DPO), Leanne Stuteley via email at dpo@wedgwood-house.com.
You have the right to complain to the Information Commissioner’s Office (ICO). Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Helpline 0303 123 1113 (local rate) or 01625 545 745 (national rate).
Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, may be notified to you by email.
Our website may, from time to time, contain links to and from the websites that we consider of interest to our customers. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Cookies and the cookie law
https://www.1and1.com/digitalguide/websites/digital-law/what-do-eu-cookie-laws-mean-for-you/
http://www.aboutcookies.org.uk/managing-cookies
GDPR
DPA2018
http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf
Secure web browsing
This Privacy Notice is effective 20th May 2024.
Version 7.0, 20/05/2024. Revised retention period of adult records to 11 years in line with most recent NHS guidelines. Extended target date for review of EXACT to-be-deleted electronic records from April 2024 to end August 2024. Added recording patient consent to email EXACT images and treatment estimates/plans.
Version 6.0, 19/06/2023. Included NHS opt-out. Updated data record retention period following DPIA#19. Company 1&1 renamed to IONOS. Minor typos corrected.
Version 5.0, 27/10/2022. Introduction of BT Cloud Phone on 01449 771 700 line.
Version 4.0, 11/7/2022. Inclusion of online booking (via SoE EXACT dental software) and online payments (via Stripe).
Version 3.0, 14/5/2021 : Retention of electronic patient records beyond 11yrs / 25th birthday because of a dental computer software limitation. Additionally, WHDP will indefinitely retain details on bad debtors.
Version 2.2, 6/3/2021 : CCTV in rear car park.
Version 2.1, 18 September 2020 : Inclusion of 'NHS Test & Trace' for sharing staff and customer contact and whereabout details in relation to a potential Covid19 incident.
Version 2.0, 4 Mar 2020 : Secure cloud storage used following DPIA agreement 28 Feb 2020.
Version 1.2, 1 Aug 2019 : Clarified section 'Legal bases for processing your data' paragraph 'use of data sharing agreement/contract with dental laboratories'.
Version 1.1, 8 Jan 2019 : Removed maternity arrangements for DPO.
Version 1.0, 24 May 2018.
Copyright © 2024 Wedgwood House Dental Practice (WHDP) | Site last updated: 20 November 2024