Purpose of Document

The purpose of this document is to ensure all staff members at the practice are aware of their legal duty to maintain confidentiality, to inform them of the processes in place to protect personal information, and to provide guidance on disclosure obligations.

Introduction

Everyone working for the practice or elsewhere within the business is under a legal duty to keep patients’ personal information confidential. Patients who believe their confidence has been breached may make a complaint to the practice, and they could take legal action or report it to the ICO. In the case of a registered dental professional, the patient could also make a complaint to the General Dental Council, which, in worst-case scenarios, may end in erasure from the GDC register.

This policy is concerned with protecting personal information about patients, although its content would apply equally to staff personal information or business-sensitive information.

Personal information is data in any form (paper, electronic, tape, verbal, etc.) from which a living individual could be identified including:

Name, age, address, and personal circumstances, as well as sensitive personal information like race, health, sexuality, etc.

Information regarding appointments

Information regarding medical histories

Information regarding finances, including any bad debts.

Although the Data Protection Act 2018 is only relevant to the personal information of living individuals, this code also covers information about deceased patients. This policy applies to all staff, including permanent, temporary, and locum staff members.

Confidentiality

Under the Data Protection Act 2018 and UK GDPR, dental practices have a duty to keep personal data about their patients safe and secure and to ensure it is only accessed by persons who need to see it for the purposes of providing safe, effective care.

Registered dental professionals have an ethical and legal duty to keep all patient information confidential.

Dental practices are also required to ensure that they do not ‘advertise’ to other patients or the public that a certain person is a patient of the practice, or that they have had appointments or have appointments due. This means that day lists, appointment cards that identify the patient, and record cards must not be seen by other patients in the practice. It is also important that confidential telephone calls that name a particular patient are not held within earshot of other patients. Messages confirming or cancelling appointments should not be left with a third party.

Caldicott Principles

The Caldicott Principles are the guidelines for ensuring people’s information is kept confidential and used or shared appropriately within a healthcare setting.

All NHS organisations must have an appointed Caldicott Guardian. This won’t apply to most dental practices, although there should be someone within the practice who is responsible for ensuring patient information is kept confidential and shared appropriately when required.

The Caldicott Principles

Principle 1: Justify the purpose for using the confidential information.

Principle 2: Use confidential information only when it is necessary.

Principle 3: Use the minimum necessary confidential information.

Principle 4: Access to confidential information should be on a strict need-to-know basis.

Principle 5: Everyone with access to confidential information should be aware of their responsibilities.

Principle 6: Comply with the law

Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality

Principle 8: Inform patients and service users about how their confidential information is used.

Disclosing Patient Information

Personal information relating to a patient should only be shared with third parties where the patient has given consent or in exceptional circumstances (GDC Standards 4.3).

Examples of where information may be shared without consent include:

In safeguarding concerns where it is not possible to gain consent and a referral needs to be made to the local authority or to the police.

Where information has been ordered by a court or by a coroner. Where a court order has requested information, only the minimum amount of information should be disclosed.

Before disclosing information to third parties where consent has not been obtained, you are advised to contact your indemnity provider.

The Importance of Confidentiality

The relationship between clinician and patient is based on the understanding that any information revealed by the patient to the clinician will not be divulged without the patient’s consent. Patients have the right to privacy and it is vital that they give clinicians full information on their state of health to ensure that treatment is carried out safely and effectively. The intensely personal nature of health information means that many patients would be reluctant to provide the clinician with information if they felt the information would be passed on.

Care must be taken to ensure that confidentiality is never breached, even to the most minor degree, in the use of social media or websites (GDC Standards 4.2.3).

Recognise Your Obligations

A duty of confidence arises out of the common law duty of confidence, employment contracts and for registered dental professionals, it is part of your professional obligations. Breaches of confidence and inappropriate use of records or computer systems are serious matters which could result in disciplinary proceedings, dismissal and possibly legal prosecution.

So, make sure you do not:

Put personal information at risk of unauthorised access.

Knowingly misuse any personal information or allow others to do so.

Access records or information that you have no legitimate reason to look at. This includes records and information about your family, friends, neighbours and acquaintances.

GDC standards guidance

Dental care professionals have an ethical and legal duty to ensure they are familiar with and comply with the GDC’s standards and guidance. All practice team members must also follow this guidance and ensure that they maintain patient confidentiality. Copies of this publication in full are available as PDF downloads from the GDC’s website at www.gdc-uk.org

4.2 Protect the confidentiality of patients’ information and only use it for the purpose for which it was given.

4.2.1 Confidentiality is central to the relationship and trust between you and your patients. You must keep patient information confidential. This applies to all the information about patients that you have learnt in your professional role including personal details, medical history, what treatment they are having and how much it costs.

4.2.3 You must not post any information or comments about patients on social networking or blogging sites. If you use professional social media to discuss anonymised cases for the purpose of discussing best practice you must be careful that the patient or patients cannot be identified.

Document Control

Title: Confidentiality Policy
Author/s: DCME Team
Owner: DCME Team
Approver: DCME Team
Date Approved: 25.3.23
Review Date: 01.05.2024
Next Review Date: May 2025

Change History

Version | Status | Date | Author/Editor | Details of Change (Brief detailed summary of all updates/changes)
0.1 | Final | 25.3.23 | PG | Complete re-write of policy, updated guidance.
0.2 | Final | 21.03.24 | HD | Minor amendments. Addition of information regarding the Caldicott Principles and disclosing information to third parties.
0.2 | Final | 10.05.24 | HD/PG | Policy approved to go live. Launched on the portal.

The latest approved version of this document supersedes all other versions. Upon receipt of the latest approved version, all other versions should be destroyed, unless it is specifically stated that previous version(s) are to remain extant. If in any doubt, please contact the document Author.

Approved By: Dr Jasmin Thoria, Dr Kuldipsinh Gohil, Sukhdeep Kaeda

Date Published: 28/06/2024

Data Protection Policy

This Policy is specifically for Dental Practices in England and Wales and is a mutual agreement between the Practice entity and the staff (comprising both employees and non-employed staff members).

Please be aware that this Policy and Annexures are generic and do not negate the necessity for specific advice and a thorough review of the document to precisely reflect your circumstances. It is strongly recommended that you:

1. use the GDPR Risk assessment link to assess the suitability of your Policy and carry out a Data Protection Impact Assessment (DPIA) as set out in clause 19 before implementing this Policy; and
2. in particular, if you are an NHS Dental Practice or mixed dental practice, follow the link to assess dsptoolkit.nhs.uk/News/release-notes

Contents

1. Interpretation
2. Introduction
3. Scope of Policy and when to seek advice on data protection compliance
4. Personal data protection principles
5. Lawfulness, fairness, and transparency
6. Consent
7. Transparency (notifying Data Subjects)
8. Purpose limitation
9. Data minimisation
10. Accuracy
11. Storage limitation
12. Security integrity and confidentiality
13. Reporting a Personal Data Breach
14. Transfer limitation
15. Data Subject’s rights and requests
16. Accountability
17. Record keeping
18. Training and audit
19. Privacy by Design and Data Protection Impact Assessment (DPIA)
20. Processing (including profiling) and Automated Decision-Making
21. Direct marketing
22. Sharing Personal Data
23. Caldicott Principles
24. Changes to this Data Protection Policy

1. Interpretation

1.1 Definitions:

Automated Decision-Making (ADM): when a decision is made based solely on Automated Processing (including profiling), which produces legal effects or significantly affects an individual. The UK GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.

Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular, to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. Profiling is an example of automated processing, as are many uses of artificial intelligence (AI), which involves the processing of personal data.

Caldicott Principles: 8 Principles used to ensure people’s information is kept confidential and used appropriately.

Company name: [Practice Name or TRADING NAME AND GROUP COMPANIES’ DETAILS IF NECESSARY].

Company Personnel: all employees, associates, hygienists, and, without limitation, other self-employed staff, workers, contractors, agency workers, consultants, directors, members, and others.

Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.

Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the UK GDPR. We are the Controller of all Personal Data relating to our Company Personnel and Personal Data used in our business for our own commercial purposes.

Criminal Convictions Data: personal data relating to criminal convictions and offences, including personal data relating to criminal allegations and proceedings.

Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business setups, as well as on adopting this Policy and any change programmes involving the Processing of Personal Data.

Data Protection Officer (DPO): either of the following:

  1. (Where an NHS practice in part or whole) the person required to be appointed in specific circumstances under the UK GDPR; or
  2. where wholly a private practice and a mandatory DPO has not been appointed, a Data Protection Lead is recommended to take responsibility for data protection compliance.

Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).

UK GDPR: the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) as defined in the Data Protection Act 2018. Personal Data is subject to the legal safeguards specified in the UK GDPR.

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Categories of Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location, or date of birth) or an opinion about that person’s actions or behaviour. Personal Data specifically includes but is not limited to, medical records.

Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity, or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss or unauthorised access, disclosure, or acquisition of Personal Data is a Personal Data Breach.

Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the UK GDPR.

Privacy Guidelines: The company privacy and UK GDPR-related guidelines and policies provided to assist in interpreting and implementing this Data Protection Policy and Related Policies are available on the DCME compliance portal or on display at the practice.

Privacy Notices (also referred to as Fair Processing Notices) or Privacy Policies: separate notices setting out information that may be provided to Data Subjects when the Company collects information about them. These notices may take the form of:

  1. general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy) or
  2. stand-alone, one-time privacy statements covering Processing related to a specific purpose.

Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording, or holding the data or carrying out any operation or set of operations on the data, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person to whom the data relates cannot be identified without the use of additional information which is meant to be kept separately and secure.

Related Policies: the Company’s policies, operating procedures or processes related to this Data Protection Policy and designed to protect Personal Data and available from your line manager or the DPO.

Special Categories of Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. [The Company will treat the following types of data as if they are Special Categories of Personal Data: >>please insert DETAILS OF OTHER TYPES OF DATA THE COMPANY CONSIDERS SENSITIVE<<]

2. Introduction

2.1 This Data Protection Policy sets out how (“we”, “our”, “us”, and “the Company”) handle the Personal Data of our patients, their parents or carers, customers, prospective patients, suppliers, employees, workers, business contacts and other third parties.

2.2 This Data Protection Policy applies to all Personal Data we Process regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users, or any other Data Subject.

2.3 This Data Protection Policy applies to all Company Personnel (“you”, “your”). You must read, understand, and comply with this Data Protection Policy when Processing Personal Data on our behalf and attend training on its requirements. Data protection is the responsibility of everyone within the Company, and this Data Protection Policy sets out what we expect from you when handling Personal Data to enable the Company to comply with applicable law. Your compliance with this Data Protection Policy is mandatory. Related Policies and Privacy Guidelines are available to help you interpret and act in accordance with this Data Protection Policy. You must also comply with all those Related Policies and Privacy Guidelines. Any breach of this Data Protection Policy may result in disciplinary action.

2.4 Where you have a specific responsibility in connection with Processing, such as capturing Consent, reporting a Personal Data Breach or conducting a DPIA as referenced in this Data Protection Policy or otherwise, then you must comply with the Related Policies and Privacy Guidelines.

2.5 This Data Protection Policy (together with Related Policies and Privacy Guidelines) is an internal document and cannot be shared with third parties, clients, or regulators without prior authorisation from the DPO unless legally required to do so.
3. Scope of Policy and when to seek advice on data protection compliance

3.1 We recognise that the correct and lawful treatment of Personal Data will maintain trust and confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility we take seriously. The Company is exposed to potential fines of up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher and depending on the breach, for failure to comply with the UK GDPR.

3.2 All line managers and other responsible parties are responsible for ensuring all Company Personnel comply with this Data Protection Policy and must implement appropriate practices, processes, controls, and training to ensure compliance.

3.3 The DPO oversees this Data Protection Policy and, as applicable, develops Related Policies and Privacy Guidelines. That post is held by Dr Jasmin Thoria, and they can be reached at [INSERT TELEPHONE NUMBER] and [EMAIL ADDRESS].

3.4 Please contact the DPO with any questions about the operation of this Data Protection Policy or the UK GDPR or if you have any concerns that this Data Protection Policy is not being or has not been followed. In particular, you must always contact the DPO in the following circumstances:

(a) if you are unsure of the lawful basis on which you are relying to process Personal Data (including the legitimate interests used by the Company) (see paragraph 5.1);
(b) if you need to rely on Consent or need to capture Explicit Consent (see paragraph 6);
(c) if you need to draft Privacy Notices (see paragraph 7);
(d) if you are unsure about the retention period for the Personal Data being Processed (see paragraph 11);
(e) if you are unsure what security or other measures you need to implement to protect Personal Data (see paragraph 12.1);
(f) if there has been a Personal Data Breach (see paragraph 13);
(g) if you are unsure on what basis to transfer Personal Data outside the UK (see paragraph 14);
(h) if you need any assistance dealing with any rights invoked by a Data Subject (see paragraph 15);
(i) whenever you are engaging in a significant new Processing activity or a change in Processing activity which is likely to require a DPIA (see paragraph 19), or plan to use Personal Data for purposes other than those for which it was collected (see paragraph 8);
(j) if you plan to undertake any activities involving Automated Processing, including profiling or Automated Decision-Making (see paragraph 20);
(k) if you need help complying with applicable law when carrying out direct marketing activities (see paragraph 21); or
(l) if you need help with any contracts or other areas in relation to sharing Personal Data with third parties (including our vendors) (see paragraph 22).
4. Personal data protection principles

4.1 We adhere to the principles relating to the Processing of Personal Data set out in the UK GDPR, which require Personal Data to be:

(a) Processed lawfully, fairly and in a transparent manner (lawfulness, fairness, and transparency);
(b) Collected only for specified, explicit and legitimate purposes (purpose limitation);
(c) Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is Processed (data minimisation);
(d) Accurate and, where necessary, kept up to date (accuracy);
(e) Not kept in a form which permits the identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (storage limitation);
(f) Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction, or damage (security, integrity, and confidentiality);
(g) Not transferred to another country without appropriate safeguards in place (transfer limitation); and
(h) Made available to Data Subjects and allow Data Subjects to exercise certain rights in relation to their Personal Data (data subject’s rights and requests).

4.2 We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (accountability).
5. Lawfulness, fairness, and transparency

5.1 Personal data must be processed lawfully, fairly, and transparently in relation to the Data Subject.

5.2 You may only collect, Process, and share Personal Data fairly, lawfully, and for specified purposes. The UK GDPR restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent processing but to ensure that we process personal data fairly and without adversely affecting the data subject.

5.3 The UK GDPR allows Processing for specific purposes, some of which are set out below:

(a) the Data Subject has given their Consent;
(b) the Processing is necessary for the performance of a contract with the Data Subject;
(c) to meet our legal compliance obligations;
(d) to protect the Data Subject’s vital interests;
(e) to pursue our legitimate interests (or those of a third party) for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The purposes for which we process Personal Data for legitimate interests need to be set out in applicable Privacy Notices; or
(f) [OTHER UK GDPR PROCESSING GROUNDS].

5.4 You must identify and document the legal ground being relied on for each Processing activity [in accordance with the Company’s guidelines on the Lawful Basis for Processing Personal Data, available [INSERT LOCATION] or from the DPO].
6. Consent

6.1 A Controller must only process Personal Data on one or more of the lawful bases set out in the UK GDPR, which include Consent.

6.2 A Data Subject consents to the Processing of their Personal Data if they clearly indicate agreement to the Processing. Consent requires affirmative action, so silence, pre-ticked boxes or inactivity will not be sufficient to indicate consent. If consent is given in a document that deals with other matters, then consent must be kept separate from other matters.

6.3 A Data Subject must be easily able to withdraw Consent to Processing at any time, and withdrawal must be promptly honoured. Consent may need to be refreshed if you intend to process personal data for a different and incompatible purpose that was not disclosed when the Data Subject first consented.

6.4 When processing Special Category Data or Criminal Convictions Data, we will usually rely on a legal basis for processing other than Explicit Consent or Consent if possible. Where Explicit Consent is relied on, you must issue a Privacy Notice to the Data Subject to capture Explicit Consent.

6.5 You will need to evidence Consent captured and keep records of all Consent in accordance with Related Policies and Privacy Guidelines so that the Company can demonstrate compliance with Consent requirements.
7. Transparency (notifying Data Subjects)

7.1 The UK GDPR requires a Controller to provide detailed, specific information to a Data Subject depending on whether the information was collected directly from the Data Subject or from elsewhere. The information must be provided through an appropriate Privacy Notice, which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand it.

7.2 Whenever we collect Personal Data directly from a Data Subject, including for HR or employment purposes, we must provide the Data Subject with all the information required by the UK GDPR, including the identity of the Controller and DPO and how and why we will use, Process, disclose, protect and retain that Personal Data, through a Privacy Notice which must be presented when the Data Subject first provides the Personal Data.

7.3 When Personal Data is collected indirectly (for example, from a third party or publicly available source), we must provide the Data Subject with all the information required by the UK GDPR as soon as possible after collecting or receiving the data. We must also check that the third party collected the Personal Data in accordance with the UK GDPR and on a basis that considers our proposed Processing of that Personal Data.

7.4 If you are collecting Personal Data from a Data Subject, directly or indirectly, then you must provide the Data Subject with a Privacy Notice in accordance with our Related Policies and Privacy Guidelines.
8. Purpose limitation

8.1 Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.

8.2 You cannot use Personal Data for new, different, or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes and they have Consented where necessary.

8.3 If you want to use Personal Data for a new or different purpose from that for which it was obtained, you must first contact the DPO for advice on how to do this in compliance with both the law and this Data Protection Policy.
9. Data minimisation

9.1 Personal Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

9.2 You may only process personal data when performing your job duties which require it. You cannot Process Personal Data for any reason unrelated to your job duties.

9.3 You may only collect Personal Data that you require for your job duties; do not collect excessive data. Ensure any Personal Data collected is adequate and relevant for the intended purposes.

9.4 You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Company’s data retention guidelines.
10. Accuracy

10.1 Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

10.2 You must ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
11. Storage limitation

11.1 Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.

11.2 The Company will maintain retention policies and procedures to ensure Personal Data is deleted after an appropriate time unless a law requires that data be kept for a minimum time. [You must comply with the Company’s Data Retention Policy.]

11.3 You must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it, including for the purpose of satisfying any legal, accounting or reporting requirements.

11.4 You will take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with all the Company’s applicable records retention schedules and policies. This includes requiring third parties to delete that data where relevant.

11.5 You will provide Data Subjects with information about the period for which data is stored and how that period is determined in any applicable Privacy Notice.
12. Security integrity and confidentiality

12.1 Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing and against accidental loss, destruction, or damage.

12.2 We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others, and identified risks (including use of encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure the security of our Processing of Personal Data. You are responsible for protecting the Personal Data we hold. You must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. You must exercise particular care in protecting Special Categories of Personal Data and Criminal Convictions Data from loss and unauthorised access, use or disclosure.

12.3 You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. You may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.

12.4 You must maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

(a) Confidentiality: only people who have a need to know and are authorised to use the Personal Data can access it;
(b) Integrity: Personal Data is accurate and suitable for the purpose for which it is processed; and
(c) Availability: authorised users are able to access the Personal Data when they need it for authorised purposes.

12.5 You must comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the UK GDPR and relevant standards to protect Personal Data.
  1. Reporting a Personal Data Breach
    1. The UK GDPR requires Controllers to notify any Personal Data Breach to the Information Commissioner and, in certain instances, the Data Subject.
    2. We have put in place procedures to deal with any suspected Personal Data Breach and will notify the Data Subject or any applicable regulator where we are legally required to do so.
    3. If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the person or team designated as the key point of contact for Personal Data Breaches, or the DPO. You should preserve all evidence relating to the potential Personal Data Breach.
  1. Transfer limitation
    1. The UK GDPR restricts data transfers to countries outside the UK to ensure that the level of data protection afforded to individuals by the UK GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.
    2. You must comply with the Company’s guidelines on cross-border data transfers.
    3. You may only transfer Personal Data outside the UK if one of the following conditions applies:
  1. the UK has issued regulations confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subject’s rights and freedoms;
  2. appropriate safeguards are in place, such as binding corporate rules, standard contractual clauses approved for use in the UK, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO;
  3. the Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or
  4. the transfer is necessary for one of the other reasons set out in the UK GDPR, including:
    1. the performance of a contract between us and the Data Subject;
    2. reasons of public interest;
    3. to establish, exercise or defend legal claims;
    4. to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent; and
    5. in some limited cases, for our legitimate interest.
  1. Data Subject’s rights and requests
    1. A Data Subject has rights regarding how we handle their Personal Data. These include rights to:
  1. withdraw Consent to Processing at any time;
  2. receive certain information about the Controller’s Processing activities;
  3. request access to their Personal Data that we hold (including receiving a copy of their Personal Data);
  4. prevent our use of their Personal Data for direct marketing purposes;
  5. ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed, to rectify inaccurate data, or to complete incomplete data;
  6. restrict Processing in specific circumstances;
  7. object to Processing which has been justified on the basis of our legitimate interests or in the public interest;
  8. request a copy of an agreement under which Personal Data is transferred outside of the UK;
  9. object to decisions based solely on Automated Processing, including profiling (ADM);
  10. prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
  11. be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
  12. make a complaint to the supervisory authority;
  13. in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format; and
  14. [ANY OTHER RIGHTS YOU MAY BE REQUIRED TO PROVIDE UNDER COMPANY POLICIES].
    2. You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation).
    3. You must immediately forward any Data Subject request you receive to the DPO, and they must comply with the Company’s response procedures for Data Subject requests.
  1. Accountability
    1. The Controller must implement appropriate technical and organisational measures effectively to ensure compliance with data protection principles. The Controller is responsible for and must be able to demonstrate compliance with the data protection principles.
    2. The Company must have adequate resources and controls in place to ensure and document UK GDPR compliance, including:
  1. appointing a suitably qualified DPO (where necessary) and an executive accountable for data privacy;
  2. implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to the rights and freedoms of Data Subjects;
  3. integrating data protection into internal documents, including this Data Protection Policy, Related Policies, Privacy Guidelines or Privacy Notices;
  4. regularly training Company Personnel on the UK GDPR, this Data Protection Policy, Related Policies and Privacy Guidelines, and data protection matters including, for example, a Data Subject’s rights, Consent, legal basis, DPIA and Personal Data Breaches. The Company must maintain a record of training attendance by Company Personnel and
  5. regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using the results of testing to demonstrate compliance improvement efforts.
  1. Record keeping
    1. The UK GDPR requires us to keep full and accurate records of all our data Processing activities.
    2. You must keep and maintain accurate corporate records reflecting our Processing, including records of Data Subjects’ Consents and procedures for obtaining Consents in accordance with the Company’s record-keeping guidelines.
    3. These records should include, at a minimum:
  1. the name and contact details of the Controller and the DPO, and
  2. clear descriptions of:
    1. the Personal Data types;
    2. the Data Subject types;
    3. the Processing activities;
    4. the Processing purposes;
    5. the third-party recipients of the Personal Data;
    6. the Personal Data storage locations;
    7. the Personal Data transfers;
    8. the Personal Data’s retention period; and
    9. the security measures in place.
  3. To compile these records, data maps should be created that include the details set out above together with the appropriate data flows.
  1. Training and audit
    1. We are required to ensure all Company Personnel have undergone adequate training to enable them to comply with data privacy laws. We must also regularly test our systems and processes to assess compliance.
    2. You must undergo all mandatory data privacy-related training and ensure your team undergo similar training [per the Company’s mandatory training guidelines].
    3. You must regularly review all the systems and processes under your control to ensure they comply with this Data Protection Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.
  1. Privacy by Design and Data Protection Impact Assessment (DPIA)
    1. We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures (like Pseudonymisation) effectively to ensure compliance with data privacy principles.
    2. You must assess what Privacy by Design measures can be implemented on all programmes, systems or processes that Process Personal Data by taking into account the following:
  1. The state of the art.
  2. The cost of implementation.
  3. The nature, scope, context and purposes of Processing.
  4. The risks of varying likelihood and severity for rights and freedoms of the Data Subject posed by the Processing.
  1. The Controller must also regularly and not less than annually conduct a DPIA with respect to high-risk Processing.
  2. You should conduct a DPIA (and discuss your findings with the DPO) annually and when implementing a practice set-up and before implementing this Policy and any major system or business change programs involving the Processing of Personal Data, including:
  1. Use of new technologies (programs, systems, or processes, including the use of AI) or changing technologies (programs, systems or processes).
  2. Automated Processing, including profiling and ADM.
  3. Large-scale Processing of Special Categories of Personal Data or Criminal Convictions Data.
  4. Large-scale, systematic monitoring of a publicly accessible area.
  3. A DPIA must include:
    1. a description of the Processing, its purposes and the Controller’s legitimate interests, if appropriate;
    2. an assessment of the necessity and proportionality of the Processing in relation to its purpose;
    3. an assessment of the risk to individuals; and
    4. the risk mitigation measures in place and how compliance is demonstrated.
  4. You must comply with the Company’s guidelines on DPIA and Privacy by Design.
  1. Processing (including profiling) and Automated Decision-Making

[This section can be removed if no automated decision-making is used]

  1. Generally, ADM is prohibited when a decision has a legal or similarly significant effect on an individual unless:
    (a) the Data Subject has Explicitly Consented;
    (b) the Processing is authorised by law; or
    (c) the Processing is necessary for the performance of, or entering into, a contract.
  1. If certain types of Special Categories of Personal Data or Criminal Convictions Data are being processed, then grounds (b) or (c) will not be allowed. However, the Special Categories of Personal Data and Criminal Convictions Data can be processed where necessary (unless less intrusive means can be used) for substantial public interest, like fraud prevention.
  2. If a decision is to be based solely on Automated Processing (including profiling), then the Data Subject must be informed when you first communicate with them of their right to object. This right must be explicitly brought to their attention and presented clearly and separately from other information. Further, suitable measures must be implemented to safeguard the Data Subject’s rights, freedoms, and legitimate interests.
  3. We must also inform the Data Subject of the logic involved in the decision-making or profiling, the significance, and the envisaged consequences, and give the Data Subject the right to request human intervention, express their point of view or challenge the decision.
  4. A DPIA must be carried out before any Automated Processing (including profiling) or ADM activities are undertaken.
  5. Where you are involved in any data Processing activity that involves profiling or ADM, you must consult with your DPO.
  1. Direct marketing
    1. We are subject to certain rules and privacy laws when engaging in direct marketing to our customers and prospective customers (for example, when sending marketing emails or making telephone sales calls).
    2. For example, in a business-to-consumer context, a Data Subject’s prior consent is generally required for direct electronic marketing (for example, by email, text, or automated calls). The limited exception for existing customers, known as “soft opt-in”, allows an organisation to send marketing texts or emails without consent if it:
  1. Has obtained contact details during a sale to that person.
  2. Is marketing similar products or services.
  3. Gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent marketing message.
  1. The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.
  2. A Data Subject’s objection to direct marketing must always be promptly honoured. If customers or patients opt out of marketing at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
  3. You must comply with the Company’s guidelines on direct marketing to customers and patients, and you should consult your DPO if you are unsure of how to comply with either the Company’s guidelines or the law.
  1. Sharing Personal Data
    1. Generally, we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
    2. You must comply with the Company’s data-sharing guidelines with third parties.
    3. If the Practice is carrying out NHS dentistry, please note the guidelines published by NHS England.
    4. The Company shall review the data protection requirements (and their compatibility with this Policy) set out at www.digital.nhs.uk, which will change from time to time and is under our control, and the DPO shall carry out a risk assessment regularly on behalf of the Company at the following website (subject to change): https://www.dsptoolkit.nhs.uk. The Company shall conduct an online self-assessment against the National Data Guardian’s 10 data security standards. Any failure to meet those standards shall be actioned immediately by the Company and the DPO.
    5. You may only share the Personal Data we hold with another employee, agent or representative of our group (which includes our subsidiaries and our ultimate holding company along with its subsidiaries) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.
    6. You may only share the Personal Data we hold with third parties, such as our service providers, if:
  1. they have a need to know the information for the purposes of providing the contracted services;
  2. sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;
  3. the third party has agreed to comply with the required data security standards, policies and procedures and to put adequate security measures in place;
  4. the transfer complies with any applicable cross-border transfer restrictions; and
  5. a fully executed written contract that contains UK GDPR-approved third-party clauses has been obtained.
  1. Caldicott Principles
    1. We and you follow the eight Caldicott principles for handling patient-identifiable information:
  1. Justify the purpose(s) of every proposed use or transfer.
  2. Don’t use it unless it is necessary.
  3. Use the minimum necessary.
  4. Access to it is on a strict need-to-know basis.
  5. Everyone with access to it is aware of their responsibilities.
  6. Understand and comply with the law.
  7. The duty to share information can be as important as the duty to protect patient confidentiality.
  8. Inform patients and service users about how their confidential information is used.
  1. Changes to this Data Protection Policy

We keep this Data Protection Policy under regular review.

Document Control

Title: Data Protection Policy
Author/s: Hugo Barton – Healthcare Law
Owner: DCME Team
Approver: DCME Team
Date Approved: 02/05/24
Next Review Date: May 2025

Change History

Version | Status | Date | Author / Editor | Details of Change (brief summary of all updates/changes)
0.1 | Final | 02/05/24 | Hugo Barton – Healthcare Law / HD & PG | Brand new policy developed by Healthcare Law
0.1 | Final | 10/5/24 | Hugo Barton – Healthcare Law / HD & PG | Policy approved and live on portal

The latest approved version of this document supersedes all other versions. Upon receipt of the latest approved version, all other versions should be destroyed unless it is specifically stated that previous version(s) are to remain extant. If in any doubt, please contact the document Author.

Approved By: Dr Jasmin Thoria, Dr Kuldipsinh Gohil, Sukhdeep Kaeda Date Published: 28/06/2024

Contents

  1.  About this policy
  2.  Who does this policy apply to?
  3.  Who is responsible for this policy
  4.  Compliance with related policies and agreements
  5.  Personal use of social media
  6.  Prohibited use
  7.  Business use of social media
  8.  Guidelines for responsible use of social media
  9.  Monitoring
  10.  Recruitment
  11.  Breach of this policy
  1. About this policy
    1. This policy aims to minimise the risks to our business through social media. This policy applies to the use of all forms of social media, including all social networking sites, internet postings and blogs. It applies to using social media for business and personal purposes that may affect our business in any way.
    2. This policy does not form part of any employment or other contract to provide services, and we may amend it at any time.
  1. To whom does this policy apply?
    1. This policy applies to all employees, self-employed team members, contractors, casual workers, agency workers, volunteers and interns.
  1. Who is responsible for this policy?
    1. The Company or Practice has delegated responsibility for overseeing its implementation to Sukhdeep Kaeda (PM). Questions about the content of this policy or suggestions for change should be reported to the PM.
    2. You should ask the PM any questions you may have about the day-to-day application of this policy (including reporting the misuse of social media).
    3. This policy is reviewed annually by the PM.
  1. Compliance with related policies and agreements
    1. You should never use social media in a way that breaches any of our other policies. If an internet post breaches our policies in another forum, it would also breach them online. For example, you are prohibited from using social media to:
      1. breach our IT and Communications Systems Policy;
      2. breach any obligations we may have with respect to the rules of relevant regulatory bodies;
      3. breach any obligations contained in those policies relating to confidentiality;
      4. breach our disciplinary procedures;
      5. harass or bully other staff in any way, or breach our bullying and harassment policy within the Employee Handbook;
      6. unlawfully discriminate against other staff or third parties, or breach our Equality, Diversity & Human Rights policy within the Employee Handbook;
      7. breach our Data Protection Policy (for example, you should never disclose personal information about a colleague online); or
      8. breach any other laws or regulatory requirements.
    2. You should never provide references for other individuals on social or professional networking sites. These positive and negative references can be attributed to the organisation and create legal liability for both the author of the reference and the organisation.
    3. If you breach any of the above policies, you will be subject to disciplinary action up to and including termination of employment.
  1. Personal use of social media

Personal use of social media is never permitted during working hours or by means of our computers, networks, and other IT resources and communications systems.

  1. Prohibited use
    1. You must avoid making social media communications that could indirectly damage our business interests or reputation.
    2. You must not use social media to:
      1. defame or disparage us, our staff or any third party;
      2. harass, bully or unlawfully discriminate against staff or third parties;
      3. make false or misleading statements, or
      4. impersonate colleagues or third parties.
    3. You must not express opinions on our behalf via social media unless expressly authorised to do so by your manager. You may be required to undergo training to obtain this authorisation.
    4. You must not post comments about sensitive business-related topics, such as our performance, or do anything to jeopardise our trade secrets, confidential information and intellectual property. You must not include our logos or other trademarks in any social media posting or your profile on any social media.
    5. You are not permitted to add patients of the practice you meet during employment to personal social networking accounts.
  1. Business use of social media
    1. If your duties require you to speak on behalf of the organisation in a social media environment, you must still seek approval for that communication from the PM.
    2. Likewise, if you are contacted for comments about the organisation for publication anywhere, including in any social media outlet, direct the enquiry to the PM and do not respond without written approval.
    3. The use of social media for business purposes is subject to the remainder of this policy.
  1. Guidelines for responsible use of social media
    1. You should clearly state in social media postings or your personal profile that you are speaking on your behalf. Write in the first person and use a personal email address.
    2. Be respectful to others when making any statement on social media and be aware that you are personally responsible for all communications published online for anyone to see.
    3. If you disclose your affiliation with us on your profile or in any social media postings, you must state that your views do not represent those of your employer (unless you are authorised to speak on our behalf as set out in paragraph 6.3). You should also ensure that your profile and any content you post are consistent with the professional image you present to clients and colleagues.
    4. If you are uncertain or concerned about the appropriateness of any statement or posting, refrain from posting until you have discussed it with your line manager.
    5. If you see social media content that disparages or reflects poorly on us, you should contact the PM.
  1. Monitoring
    1. We reserve the right to monitor, intercept and review, without further notice, your activities using our IT resources and communications systems, including but not limited to social media postings and activities, for legitimate business purposes, which include:
      1. ascertaining and demonstrating that in using the systems, you are meeting expected standards and
      2. the detection and investigation of unauthorised use of the systems (including where this is necessary to prevent or detect crime).
    2. For further information, see our IT and Communications Systems Policy on our compliance portal.
  1. Recruitment

We may use internet searches to perform due diligence on candidates during recruitment. Where we do this, we will act in accordance with our data protection and equal opportunities obligations.

  1. Breach of this policy
    1. Breach of this policy may result in disciplinary action up to and including dismissal. If we suspect you have committed a breach of this policy, you are required to cooperate with our investigation.
    2. You may be required to remove any social media content that we consider a breach of this policy. Failure to comply with that request may result in disciplinary action.

Document Control

Title: Social Media Policy
Author/s: Hugo Barton – Healthcare Law
Owner: DCME Team
Approver: DCME Team
Date Approved: 02/05/24
Next Review Date: May 2025

History

Version | Status | Date | Author / Editor | Details of Change (brief summary of all updates/changes)
0.1 | Final | 02/05/24 | Hugo Barton – Healthcare Law / HD & PG | New policy developed by Healthcare Law
0.1 | Final | 10/05/2024 | Hugo Barton – Healthcare Law / HD & PG | New Policy launched on Portal

The latest approved version of this document supersedes all other versions. Upon receipt of the latest approved version, all other versions should be destroyed unless it is specifically stated that previous version(s) are to remain extant. If in any doubt, please contact the document Author.

Approved By: Dr Jasmin Thoria, Dr Kuldipsinh Gohil, Sukhdeep Kaeda Date Published: 28/06/2024