Last Revised: 11 August 2018
This practice complies with the Data Protection Act 1998 and General Data Protection Regulation (GDPR) 2018. This means that we will ensure that your information is processed fairly and lawfully.
This policy (together with our Cookies Policy) sets out the basis on which any personal data we collect, or that you provide to us, will be processed by us. It does not include data where the identity has been removed (i.e. anonymous data). Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
You will be asked to provide personal information when joining the practice. The purpose of us processing this data is to provide optimum health care to you by, for example, recommending the most relevant treatment and ensuring your safety by taking your medical history.
What personal information do we need to hold
- Contact data (such as name, address, email address, telephone number) for the purposes of corresponding with you, for example, regarding your appointments and treatment.
- Contact data (such as name, address, email address, telephone number) for the purposes of direct mail, email and text marketing.
- Special category data concerning health (your past and current medical & dental records, medical history, medication, your doctor’s name and address, warning cards or bracelets, alcohol and drug use and correspondence relating to you with other health care professionals, i.e. in the hospital or community services) for the purposes of the delivery of safe and appropriate dental care.
- Treatment data (such as radiographs, clinical photographs and study models) for the purposes of providing you with the best treatment.
- Information about the treatment that we have provided or propose and its cost
- Notes of conversations or incidents that might occur for which a record needs to be kept
- Records of consent to treatment
- Financial data (such as credit card details, bank account information, credit history, employment status) for the purposes of processing your payment for treatment(s)
- Usage data (such as information about how you use our website, products and services) for the purposes of improving the way we provide our treatment and services
The ways we collect information about you
We may collect and process the following data about you in operating the website and performing any of our services and treatment(s).
- Information you give us (including information you give to Clinical Directors, Specialists, Dentists, Orthodontists, Hygienists and Therapists who are contracted to work for us). You may give us information about you by filling in forms on our website www.westhousedental.com or any website wholly owned by West House Dental, or by corresponding with us by phone, email, in person or otherwise.
- Personal data is obtained when a patient joins the practice, when a patient is referred to the practice and when a patient subscribes to an email list.
With regard to each of your visits to our website we may automatically collect the following information:
- Technical information, including the Internet Protocol (IP) address used to connect your computer to the internet, browser type and version, time zone setting, browser plugin types and versions, operating system and platform.
- Information about your visit, including the Uniform Resource Locator (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouseovers), and methods used to browse away from the page and any phone number used to call our customer service number.
From third parties
- Our Specialists, Dentists, Orthodontists, Hygienists and Therapists are third parties working for us as contractors; however, they are contractually bound to us with regard to obligations of confidentiality in the same way as our employees and by professional obligations of confidentiality.
- You may have been referred to us for treatment from Invisalign and we will therefore receive contact data, special category data concerning health, treatment data and/or financial data from them.
- Information we receive from other sources. We may receive information about you if you use any of the other websites we operate or the other services we provide.
- We are also working closely with third parties (including, for example, business partners, subcontractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers and credit reference agencies) and may receive information about you from them.
How we share data with third parties
We may share your Contact data, special category of data relating to health, Financial data, Treatment data and/or Usage data with selected third parties including:
- Our Specialists, Dentists, Orthodontists, Hygienists and Therapists
- Private health insurance companies (at your request if you are using private health insurance)
- Credit reference agencies
- Equipment providers and laboratories such as Fusion Dental Laboratory
- Accountants, lawyers and other professional advisors such as Ascot Sinclair Associates
- Data storage and transfer platforms such as Microsoft O365 and OneDrive
- Our payment platform Stripe
- Our telephone system provider BT Cloud Phone
- Our website host SiteGround
- Our practice management and CRM software providers, Software of Excellence
- Our email marketing provider MailChimp
- Our helpdesk provider Freshdesk
- Our review software provider Reputation.com
- Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others such as Facebook
- Analytics and search engine providers that assist us in the improvement and optimisation of our site such as Google
This is a list of the main third parties with whom we share your personal data. If you would like a full list of third parties who process your data, and their contact details, please contact us using the details set out above.
We never pass your personal details to a third party unless we have a contract for them to process data on our behalf and will otherwise keep it confidential.
If we intend to refer a patient to another practitioner or to secondary care such as a hospital we will gain your consent before the referral is made and the personal data is shared.
Disclosure will take place on a ‘need-to-know’ basis, so that only those individuals/organisations who need to know in order to provide care to you and for the proper administration of Government (whose personnel are covered by strict confidentiality rules) will be given the information. Only information that the recipient needs to know will be disclosed.
In very limited circumstances or when required by law or a court order, personal data may have to be disclosed to a third party not connected with your health care. In all other situations, disclosure that is not covered by this Code of Practice will only occur when we have your specific consent. Where possible you will be informed of these requests for disclosure.
The website may include links to third party websites, plugins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Data transferred outside of the EU
- Personal data is stored in the EU whether in digital or hard copy format.
- Personal data is stored in the US in digital format when the data storage company is certified with the EU-US Privacy Shield.
Lawful basis for processing personal data
The lawful bases for processing personal data (including providing your personal data to third parties) are:
- Consent of the data subject for data relating to treatment, care, our services, processing payment, credit checks, marketing and reviews, improving our services and improving our website (including using data analytics). This will also apply to the storage of personal data for these purposes
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract such as the provision of the services by us.
- Processing is necessary to comply with a legal obligation such as financial, tax and contractual laws.
- The processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional; and
- Data is processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
Purposes for processing personal data
We (and the third parties listed above) process your personal data for the following purposes:
- To provide you with our services
- To discuss relevant treatments
- To provide a safe working environment for staff, contractors and patients
- To check your employment and financial status for payment plans
- To process payments
- To keep you informed of our latest offers, other services we provide and general marketing activities
- To obtain reviews and feedback on your experience of our services
We are required to retain your dental records, X-rays and study models while you are a patient of this practice and after you cease to be a patient, for at least eleven years or until age 25, whichever is the longer.
You will receive marketing emails until you unsubscribe, either by contacting us or by clicking on the unsubscribe link at the bottom of the email.
Your personal data rights
Data subjects (people whose personal data is being held by your Practice) have certain rights:
- Right to be informed
- Right of access
- Right to rectification i.e. the right to require the rectification of any inaccuracies of personal data.
- Right to erasure i.e. the data subject has the right to require the erasure of personal data concerning them. However, this is qualified by the lawful basis as a healthcare provider to retain personal data in connection with the patient’s care and treatment.
- Right to restriction of processing i.e. subject to certain exemptions a data subject has the right to restrict processing of their personal data. (e.g. where the information accuracy is contested, the processing is unlawful, or data is no longer required by the Data Controller)
- Right to data portability i.e. the data subject has the right to receive their personal data which is held by you in a structured, commonly used format.
- Right to object i.e. the data subject has the right to object on grounds relating to the processing of their personal data. (e.g. personal profiling carried out that is not in connection with the public interest).
You have the right to withdraw consent at any time. If you request us to do so, we will no longer process your data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we will not be able to provide you with the services. You have the right to obtain a free copy of your patient records within one month of submitting a request.
If you are not a patient of the practice you have the right to withdraw consent for processing personal data, to have a free copy of it within one month of submitting a request, to correct errors in it or to ask us to delete it. You can also withdraw consent from communication methods such as telephone, email or text.
If you wish to exercise any of the rights set out above, in the first instance, please contact us using the details set out above.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Further details of these rights can be obtained on the Information Commissioner’s website.
We have put in place appropriate security measures to prevent your personal data from being lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We offer individuals real choice and control. Our consent procedures put individuals in charge to build customer trust and engagement.
Our consent for marketing requires a positive opt-in; we don’t use pre-ticked boxes or any other method of default consent. We make it easy for people to withdraw consent, tell you how to and keep contemporaneous evidence of consent. Consent to marketing is never a precondition of a service.
You will receive marketing communications from us if you have requested information from us or if you have signed up via our contact form on the website and, in each case, you have not opted out of receiving that marketing.
We do not share your data with third parties for marketing purposes.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the details set out above.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Changes to our policy
Changes to your data
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us by using the details set out above.
Comments, suggestions and complaints
Please contact the practice for a comment, suggestion or a complaint about your data processing at firstname.lastname@example.org, or 020 8866 3025 or by writing to or visiting the practice. We take complaints very seriously.
If you are unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO).