Data protection code of practice for patients

From May 25th 2018 data protection rules will undergo their biggest changes in two decades. Since these rules were created in the 1990s, the amount of digital information we create, capture and store has vastly increased. The Data Protection Act 1998 therefore is no longer fit for purpose and the European General Data Protection Regulation (GDPR) will come into force.

GDPR means that every organisation in Europe including Writtle Dental Practice will be more accountable for how they handle people’s personal information.

This practice complies with the General Data Protection Regulation (GDPR) 2018. This policy describes our procedures for ensuring that personal information about patients is processed fairly and lawfully.

Personal data that we hold

We must keep comprehensive and accurate personal data about you to provide you with a high standard of appropriate dental care. We also need to process personal data about you to provide care under NHS arrangements and to ensure the proper management and administration of the NHS.

The personal data that we hold includes:

  • Personal details such as your date of birth, National Insurance number/NHS number, address, telephone number and your general medical practitioner
  • Your past and current medical and dental health
  • Radiographs, clinical photographs and study models
  • Information about the treatment that we have provided or propose to provide and its cost
  • Notes of conversations about your care
  • Records of consent to treatment
  • Correspondence with other health care professionals relating to you, for example in the hospital or community services

Processing data

Why do we Process Personal Data? What is the lawful basis for doing so?

We hold and process data because it is in our Legitimate Interests to do so. Without holding the data we cannot work effectively. Also we must hold data on NHS care and treatment as it is a Public Task required by law.

We will process this personal data in the following way:

Retaining information

We will retain your dental records while you are a practice patient and after you cease to be a patient, we will need to retain your records for at least ten full years or, for children, until the age of 25, whichever is the longer. There may be some circumstances where we need to retain your records for longer periods of time up to a maximum of 30 years. This will be decided on a case by case basis.

Security of information

Personal data about you is held in the practice computer system and/or in a manual filing system. The information is not accessible to the public; only authorised members of staff have access to it. Staff are trained in their legal responsibilities under the Data Protection Act and practical procedures for maintaining confidentiality.

We take precautions to keep the practice premises, filing systems and computers physically secure. Our computer system has secure audit trails and we back-up information routinely. Our computer system is password protected.

Disclosure of information

To provide proper and safe dental care, we may need to disclose personal information about you to:

  • Your general medical practitioner
  • The hospital or community dental services
  • Other health professionals caring for you
  • NHS payment authorities
  • HM Revenue and Customs
  • The Department for Work and Pensions and its agencies, where you are claiming exemption or remission from NHS charges
  • Private dental schemes of which you are a member.

Where possible, you will be informed of these requests for disclosure.

Disclosure will take place on a ‘need-to-know’ basis. We will only provide information to individuals or organisations who need it to provide care to you or to ensure the proper administration of government (whose personnel are covered by strict confidentiality rules). We will only disclose information that the recipient needs to have.

In limited circumstances or if required by law or a court order, personal data may be disclosed to a third party not connected with your health care.

In all other situations, disclosure that is not covered by this Code of Practice will only occur when we have your specific consent.


You can access the data that we hold about you and receive a copy by submitting a written request. We do not charge a fee for this request, but it can take up to 20 working days to process.

If you do not agree

If you do not wish personal data that we hold about you to be disclosed or used in the way that is described in this Code, you should discuss the matter with your dentist. You should be aware, however, that objecting to how we process your information may affect our ability to provide you with dental care.

For further information please see our Privacy Notice for Patients, our Records Management policy and our Access to Information document, all available in our Patient Information Folder – please ask at reception for details.

This policy has been approved by the Data Protection Lead Samira Ahmed

Date: 10/05/2018

Review date: 10/05/19
