Dentures Direct holds personal data in the form of names, addresses, contact details and medical history. We are required to ensure compliance with the EU General Data Protection Regulation (GDPR), which is designed to ensure more robust security and more transparency in the use of personal data. The GDPR places specific legal obligations on us. We will have legal liability if we are responsible for a breach of confidential data. Patients have a right to request sight of the data we hold on them and to be told how it is used and, if necessary, to request that the data is removed from our systems.
Dentures Direct policy is to hold the minimum amount of data necessary to carry out the treatments you have agreed to. Data is held for the duration stipulated by the General Dental Council, i.e. 11 years.
For the most part, Dentures Direct operates a paper-based system; lockable security containers provide physical security. Electronic data is held at a remote site using industry-standard security procedures. Dentures Direct will promptly inform anyone affected should any breach occur.
We will not circulate any personal information to third parties without prior consent.
WHAT WE HOLD
Name, address, date of birth, medical history, treatment details and final invoice details only.
Names, addresses and contact details are held on a paper and an electronic system for invoicing only.
Your personal information is not shared with anyone outside of Dentures Direct without your express consent.
It is also noted that every staff member and contractor holds personal information, in the form of transactional records, which falls within the scope of the GDPR. All staff and contractors are required to read and sign a security brief annually. All e-mails contain a standard confidentiality notice.
The GDPR requires that public authorities and large-scale data processing organisations designate a Data Protection Officer to take responsibility for data protection compliance. The size and structure of Dentures Direct do not justify a dedicated post. However, data security has been identified as a risk for the company, and we review this risk and the procedures for protecting against it regularly.
The GDPR includes the following rights for individuals: The right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making including profiling.
We are confident that our current procedures fulfil the requirements of the GDPR, and we do not operate any data profiling processes. We will regularly review our procedures to ensure they cover areas such as the deletion of personal data, and we will provide individuals with the data we hold on them, if requested, in electronic and paper format.
SUBJECT ACCESS REQUESTS
We acknowledge that individuals have a right to seek access to the information we hold on them, and to raise concerns if they think there is a problem with the way we are handling their data. We will comply with any such request within the new statutory one-month period. However, we can refuse, or charge for, requests that are manifestly unfounded or excessive.
Individuals will have the right to have their personal data deleted when they believe it is being held without a practical or lawful basis. If we refuse a request, we must tell the individual why and that they have the right to complain to the ICO and to seek a judicial remedy. We must do this, at the latest, within one month.
There is a requirement to obtain parental or guardian consent for any data processing activity. This is unlikely to affect Dentures Direct.
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
Dentures Direct will carry out a Data Protection Impact Assessment if a new technology is being deployed or if there is any change to the data held. While this is unlikely to directly affect Dentures Direct, we will work with whoever is necessary to ensure that awareness of this requirement is included in any future development programmes.
BREACHES OF DATA
Should we become aware of any personal data breach, we will notify the patients affected as rapidly as possible, and we will notify the ICO if the breach is likely to result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage to those concerned.