Data Protection Policy 

Scope: Dental Practices in England and Wales. Mutual agreement between the Practice entity and staff (employees and non-employed staff).

Note: This Policy and Annexures are generic and do not replace specific legal advice. You should review and adapt the Policy to your circumstances.

Recommendations before implementation:

  • Complete the GDPR Risk Assessment and Data Protection Impact Assessment (DPIA) as outlined in Clause 19.

  • NHS or mixed dental practices should consult the Data Security and Protection (DSP) Toolkit for guidance.

Contents

  1. Interpretation

  2. Introduction

  3. Scope of Policy and Seeking Advice

  4. Personal Data Protection Principles

  5. Lawfulness, Fairness, and Transparency

  6. Consent

  7. Transparency (Notifying Data Subjects)

  8. Purpose Limitation

  9. Data Minimisation

  10. Accuracy

  11. Storage Limitation

  12. Security, Integrity, and Confidentiality

  13. Reporting a Personal Data Breach

  14. Transfer Limitation

  15. Data Subject Rights and Requests

  16. Accountability

  17. Record Keeping

  18. Training and Audit

  19. Privacy by Design and DPIA

  20. Processing, Profiling, and Automated Decision-Making

  21. Direct Marketing

  22. Sharing Personal Data

  23. Caldicott Principles

  24. Changes to this Data Protection Policy

1. Interpretation

Key Definitions:

  • Automated Decision-Making (ADM): Decisions based solely on automated processing that produce legal effects on, or similarly significantly affect, individuals. UK GDPR prohibits such decisions unless one of a limited set of conditions is met (see Clause 20).

  • Automated Processing: Any automated use of personal data to analyse or predict aspects of an individual. Includes profiling and AI applications.

  • Caldicott Principles: Eight principles ensuring confidentiality and appropriate use of personal information.

  • Company Personnel: Employees, associates, hygienists, self-employed staff, contractors, agency workers, consultants, directors, and members.

  • Consent: Freely given, specific, informed, and unambiguous agreement to process personal data.

  • Controller: Entity determining how and why personal data is processed.

  • Criminal Convictions Data: Personal data relating to criminal convictions or allegations.

  • Data Subject: Individual whose personal data we process.

  • DPIA: Assessment to identify and mitigate data processing risks.

  • DPO: Data Protection Officer or, in private practice, a recommended Data Protection Lead.

  • Explicit Consent: Consent given in a clear, express statement (oral or written) that refers specifically to the processing in question, rather than inferred from conduct.

  • UK GDPR: The EU General Data Protection Regulation (2016/679) as retained in UK law after Brexit, read together with the Data Protection Act 2018.

  • Personal Data: Any information relating to an identified or identifiable Data Subject, including Special Categories of Personal Data and pseudonymised data (data that can be re-linked to an individual using a separately held key).

  • Privacy by Design: Building appropriate technical and organisational measures into systems and processes from the outset, rather than adding them afterwards, so that processing complies with the data protection principles.

  • Processing: Any operation on personal data, including collection, storage, transfer, or destruction.

  • Special Categories of Personal Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data used to identify an individual, health data, and data concerning a person's sex life or sexual orientation. Dental records are health data and therefore fall within this category.

2. Introduction

  • This Policy governs how we handle Personal Data of patients, employees, suppliers, and other third parties.

  • Applies to all Company Personnel. Compliance is mandatory; breaches may result in disciplinary action.

  • Specific responsibilities (e.g., capturing Consent, reporting a breach, conducting a DPIA) must follow Related Policies and Privacy Guidelines.

  • Internal document: cannot be shared externally without DPO approval unless legally required.

3. Scope of Policy & Seeking Advice

  • Ensures lawful, correct treatment of personal data to maintain trust and confidence.

  • Non-compliance risks fines of up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher, as well as regulatory enforcement action and reputational harm.

  • DPO (Zelda Wiese, 01954 251696, cottenhamdental@gmail.com) oversees compliance.

  • Contact DPO if:

    • Unsure of legal basis for processing

    • Need to capture Consent

    • Drafting Privacy Notices

    • Retention periods unclear

    • Security measures uncertain

    • Suspected data breaches

    • Data transfer outside UK

    • Rights requests from Data Subjects

    • Implementing significant new processing, including automated processing or ADM

4. Personal Data Protection Principles

Personal data must be:

  1. Processed lawfully, fairly, transparently

  2. Collected for specified, legitimate purposes

  3. Adequate, relevant, and limited

  4. Accurate and up to date

  5. Not kept longer than necessary

  6. Secured (integrity and confidentiality)

  7. Transferred only with appropriate safeguards

  8. Accessible to allow Data Subjects to exercise their rights

The Company must demonstrate compliance (accountability).

5. Lawfulness, Fairness, and Transparency

  • Must process personal data legally, fairly, and transparently.

  • Lawful grounds include Consent, contractual necessity, legal obligations, vital interests, public task (relevant to NHS-commissioned care), and legitimate interests.

  • Legal grounds must be documented for each processing activity.

6. Consent

  • Consent requires affirmative action; silence or pre-ticked boxes are insufficient.

  • Withdrawal of consent must be respected and promptly implemented.

  • Processing Special Categories of Personal Data or Criminal Convictions Data requires an additional lawful condition beyond the Clause 5 grounds. Where that condition is Explicit Consent, it must be captured alongside a Privacy Notice that describes the processing.

  • Records of consent must be maintained.

7. Transparency (Notifying Data Subjects)

  • Provide clear, concise, and accessible Privacy Notices to Data Subjects when collecting data.

  • Where Personal Data is obtained from a third party rather than from the Data Subject, provide the Privacy Notice within a reasonable period and in any case no later than one month after receipt.

8. Purpose Limitation

  • Use personal data only for disclosed purposes.

  • New or incompatible purposes require DPO approval and, where necessary, consent.

9. Data Minimisation

  • Collect only data necessary for your job duties.

  • Delete or anonymise data when no longer needed.

10. Accuracy

  • Keep personal data accurate, complete, and up to date.

  • Correct or delete inaccurate data promptly.

11. Storage Limitation

  • Do not retain identifiable personal data longer than necessary.

  • Comply with retention policies and ensure secure deletion.

12. Security, Integrity, and Confidentiality

  • Implement appropriate technical and organisational safeguards.

  • Protect confidentiality, integrity, and availability of data.

  • Follow all internal procedures and security measures.

13. Reporting a Personal Data Breach

  • Notify the DPO immediately; do not investigate independently or attempt to contain the incident without direction.

  • Preserve evidence of potential breaches (logs, emails, devices, access records) and do not delete or alter anything that may be relevant.

  • The DPO assesses whether the breach must be reported to the ICO; where it is likely to result in a risk to individuals, notification is due within 72 hours of the Practice becoming aware of it, so prompt internal reporting is essential.

14. Transfer Limitation

  • Comply with cross-border transfer rules and safeguards.

  • Obtain explicit consent for transfers if required.

15. Data Subject Rights and Requests

  • Rights include access, rectification, erasure, restriction of processing, objection, data portability, objection to Automated Decision-Making, and the right to lodge a complaint with the ICO.

  • Verify the requester's identity before acting on any request, and do not disclose Personal Data until identity has been confirmed.

  • Forward all requests to the DPO immediately; the Practice must respond within one month of receipt, extendable by a further two months only for complex or numerous requests.

16. Accountability

  • Implement technical and organisational measures to ensure compliance.

  • Maintain records of compliance, training, DPIAs, and audits.

17. Record Keeping

  • Keep full and accurate records of processing activities, including consent, types of personal data, storage, and security measures.

18. Training and Audit

  • Mandatory training for all personnel.

  • Regular system and process audits.

19. Privacy by Design and DPIA

  • Implement measures to ensure compliance during system/process development.

  • Conduct DPIAs for high-risk processing, new technologies, automated processing, and large-scale monitoring.

20. Processing, Profiling, and ADM

  • ADM is prohibited unless the Data Subject has given Explicit Consent, the decision is authorised by law, or it is necessary for entering into or performing a contract with the Data Subject.

  • Inform Data Subjects of rights to object and provide transparency on logic and consequences.

  • Conduct DPIAs prior to ADM activities.

21. Direct Marketing

  • Must comply with UK GDPR and the Privacy and Electronic Communications Regulations (PECR); electronic marketing (email, SMS, automated calls) requires the recipient's prior consent.

  • Respect opt-out requests immediately.

22. Sharing Personal Data

  • Share only when necessary and with contractual and security safeguards in place.

  • NHS practices follow NHS England (formerly NHS Digital) guidance on information sharing.

23. Caldicott Principles

  1. Justify the purpose(s) for using confidential information

  2. Use confidential information only when it is necessary

  3. Use the minimum necessary confidential information

  4. Access to confidential information should be on a strict need-to-know basis

  5. Everyone with access to confidential information should be aware of their responsibilities

  6. Comply with the law

  7. The duty to share information for individual care is as important as the duty to protect patient confidentiality

  8. Inform patients and service users about how their confidential information is used

24. Changes to this Data Protection Policy

  • Policy is regularly reviewed and updated as required.

Document Control:

  • Author: Hugo Barton – Healthcare Law

  • Owner: DCME Team

  • Approver: DCME Team

  • Date Approved: 02/05/2024

  • Date Published: 09/09/2025

  • Next Review Date: May 2025

  • Change History:

    • 0.1 Final 02/05/24 – New policy developed

    • 0.1 Final 10/05/24 – Policy approved and live

Note: The latest version supersedes all previous versions. Destroy previous versions unless otherwise instructed. Contact the author if in doubt.

Approved By: Zelda Wiese