Ash Smile Design Limited T/A Smile Design By Ash aims to meet the requirements of the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the guidelines on the Information Commissioner’s website as well as our professional guidelines and requirements.
The data controller is Ashish B Parmar, who is also the Information Governance Lead.
You will be asked to provide personal information when joining our dental practice. The purpose of us processing this data is to provide optimum health care to you.
Our lawful basis for processing data
The lawful basis for processing special category data such as patients’ and employees’ health data is:
“9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional”
The lawful basis of processing personal data such as name, address, email or phone number is:
▪ Consent of the data subject
▪ Processing being necessary for the performance of a contract with the data subject or to take steps to enter into a contract
The categories of data we process are:
▪ Personal data from patients of Smile Design By Ash, for the purposes of communicating with you via telephone, email, text and a monthly e-newsletter (case studies, practice news and updates, special offers, added value information and tips on prevention of dental problems, and occasionally recommending another business to our valued patients, thereby giving them added special offers and connections)
▪ Special category data including health records for the purposes of the delivery of health care
▪ Personal data for the purposes of staff and self-employed team member management
▪ Special category data including health records and details of criminal record checks for managing employees and contracted team members
We never pass your personal details to a third party unless we have a contract for them to process data on our behalf and will otherwise keep it confidential. If we intend to refer a patient to another practitioner or to secondary care such as a hospital we will gain the individual’s permission before the referral is made and the personal data is shared. Examples of when we share personal data include: -
▪ Referral to an oral surgeon such as Nayeem Ali, referral to a periodontist such as Rana Alfalaki, referral to an orthodontist such as Mahesh Patel, referral to another dental practice, referral to the oral medicine department at Guys Hospital, etc. We will need to provide you’re the full name, date of birth, address, contact details such as telephone and email, medical history details, clinical observations and the reason(s) for the referral, additional data such as X-rays, photographs, gum measurements, CT Scan data, and 3D digital scan data (taken with our 3 Shape Scanner)
▪ Communication with a dental laboratory – we may need to provide the patient’s name, age, copy of clinical notes, X-rays, CT Scans, photographs, video (e.g. recorded on an iPAD), pictures taken on a mobile phone and “What’s Apped” to the technician, impressions and other records of the teeth/mouth, and digital 3D scans (taken with our 3Shape Scanner) as STL files, bite information taken with our T Scan computer software. We also send images and patient videos securely via Dropbox to the dental technicians we use.
You have the following personal data rights:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure (clinical records must be retained for a certain time period)
• The right to restrict processing
• The right to data portability
• The right to object
Further details of these rights can be seen in our Information Governance Procedures (M 217C) or at the Information Commissioner’s website. Here are some practical examples of your rights:
• If you are a patient of the practice you have the right to withdraw consent for important notifications, newsletters, surveys or marketing. You can inform us to correct errors in your personal details or withdraw consent from communication methods such as telephone, email or text. You have the right to obtain a free copy of your patient records within one month.
• If you are not a patient of the practice you have the right to withdraw consent for processing personal data, to have a free copy of it within one month, to correct errors in it or to ask us to delete it. You can also withdraw consent from communication methods such as telephone, email or text.
We have carried out a Privacy Impact Assessment (M 217S) and you can request a copy from the details below. The details of how we ensure security of personal data is in our Security Risk Assessment (M 217M) and Information Governance Procedures (M 217C).
Where our data is stored
Personal data is obtained when a patient joins the practice, when a patient is referred to the practice and when a patient subscribes to an email list.
Personal data is stored at Smile Design By Ash in digital and hard copy formats. We have a policy of recording information on paper initially, and then transferring the information on to our specialist computer software. We also securely store patient photographs, videos (analyzing the smile), X-rays, digital bite records (T Scan), and CT Scans securely on our networked computers. We use a leading company in the dental industry to manage our IT and secure backups. We also hold data securely on a CRM/email system. We ensure that secure passwords are required to access our computers and software systems, and that the cupboard where clinical records are kept is locked when there are no staff members or dentists on the premises.
Retention of personal data
The retention period for special data in patient records is a minimum of 10 years and may be longer for complex records in order to meet our legal requirements. The retention period for staff records is 6 years. The retention periods for other personal data is 2 years after it was last processed. Details of other retention periods are available in the Record Retention (M 215) procedure available from the practice.
Comments, suggestions and complaints
Please contact Ashish B Parmar at the practice for a comment, suggestion or a complaint about your data processing at firstname.lastname@example.org, or via telephone on 0208 500 0544, or by writing to or visiting the practice at Smile Design By Ash, 6 Chigwell Rise, Chigwell, Essex, IG7 6AB. We take complaints very seriously.
If you are unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO). Their telephone number is 0303 123 1113, you can also chat online with an advisor. The ICO can investigate your claim and take action against anyone who’s misused personal data. You can also visit their website for information on how to make a data protection complaint.
Related practice procedures
You can also use the practice contact details to request copies of the following practice policies or procedures:
▪ Data Protection and Information Security Policy (M 233-DPT), Consent Policy (M 233-CNS)
▪ Privacy Impact Assessment (M 217S), Information Governance Procedures (M 217C)