Full Privacy Statement
Registered Name: West House Partnership Ltd
Data Controller: West House Dental
Data Protection Officer: Shabnam Zai
This document provides a comprehensive technical breakdown of the personal data we collect, our purposes for processing, and the legal bases we rely upon under the UK GDPR and Data Protection Act 2018.
1. Contact Details
- Address: 2nd Floor, West House, 50 West End Lane, Pinner, Middx, HA5 1AE, GB
- Telephone: 020 8866 3025
- Email: hello@westhousedental.com
2. Data Processing Activities
A. Patient Care & Services
Purpose: To provide patient care, dental services, pharmaceutical products, and other goods.
- Data Collected: Name, contact details, gender, pronouns, DOB, NHS/HSC/CHI number, Hospital number, Next of Kin, emergency contacts, photographs, health info (medical history, allergies), care needs, test results (scans, X-rays, bloods), insurance details, and records of decisions.
- Lawful Bases:
  - Consent: Explicit permission for specific treatments.
  - Contract: Necessary to provide requested services.
  - Legal Obligation: Compliance with healthcare regulations.
  - Legitimate Interest: Ensuring safe, effective, and compliant dental care.
  - Public Task: Carrying out tasks laid down in law for healthcare.
B. Crime Prevention & Detection
Purpose: Prevention, detection, investigation, or prosecution of crimes (including fraud).
- Data Collected: Name, contact details, witness statements, previous investigation info, financial info, and health info.
- Lawful Bases:
  - Legal Obligation (Art 6(1)(c)): Cooperation with law enforcement.
  - Substantial Public Interest (Art 9(2)(g)): Processing health data for crime prevention.
  - Legitimate Interests (Art 6(1)(f)): Use of CCTV for safety/theft prevention.
C. Safeguarding & Public Protection
Purpose: Protecting children or vulnerable adults at risk of harm.
- Data Collected: Contact details, NHS number, emergency contacts, photographs, health info, care needs, test results, and meeting records.
- Lawful Bases:
  - Legal Obligation: Reporting duties under the Children Act 1989/Care Act 2014.
  - Vital Interests: Protecting life in emergencies.
  - Public Task: Working with social services.
  - Substantial Public Interest: Safeguarding individuals at risk.
D. Patient App & Portal Functionality
Purpose: Providing secure digital access to appointments and records.
- Data Collected: Names, addresses, contact details, DOB, medical history, account registration, security logs, and marketing preferences.
- Lawful Bases:
  - Contract: Delivering the requested digital service functionality.
  - Consent: Optional features like health reminders.
  - Legitimate Interests: Maintaining system security and usability.
E. Recruitment
Purpose: Assessing suitability for roles within the practice.
- Data Collected: Contact details, DOB, NI number, ID copies (Passport), employment/education history, Right to Work info, DBS checks, and health info.
- Lawful Bases:
  - Legitimate Interests: Managing recruitment efficiently.
  - Pre-contractual Steps: Arranging interviews and terms.
  - Legal Obligation: Verifying right to work and DBS status.
F. Marketing & Research
Purpose: Providing updates, promotional information, or conducting market research.
- Data Collected: Names, contact details, marketing preferences, website/app user journey, and health info.
- Lawful Bases:
  - Consent: Active opt-in for marketing communications.
  - Legitimate Interests: Keeping patients informed about relevant new services.
  - Contract: Communications related to ongoing treatments (e.g., reminders).
G. Medical Research & Archiving
Purpose: Retaining records for long-term health trends or historical archiving.
- Data Collected: Names, contact details, X-rays, scans, photographs, and consent records.
- Lawful Bases:
  - Legal Obligation: Mandatory retention periods for clinical records.
  - Public Interest (Public Health): Advancing medical knowledge.
  - Scientific/Historical Research: Ethical research with appropriate safeguards.
H. Queries, Complaints & Claims
Purpose: Resolving patient concerns and managing legal claims.
- Data Collected: Contact details, service history, witness statements, financial transactions, correspondence, and health info.
- Lawful Bases:
  - Contract: Managing queries related to services received.
  - Legal Obligation: Responding to regulatory investigations (GDC/CQC).
  - Legitimate Interests: Resolving disputes and ensuring high standards.
3. Sources of Information: Where we get your data
We collect personal information from several sources to ensure we have a complete and accurate clinical picture:
A. Directly from You
Most of the information we hold is provided by you when you:
- Complete registration or medical history forms.
- Speak with our clinicians or reception team.
- Contact us via our website, app, or email.
B. Parents and Legal Guardians
For patients under the age of 16 (or those without legal capacity), we receive information primarily from parents or guardians. This includes medical history, contact details, and consent for treatment.
- Note: Older children (e.g., 16+) may provide information directly where they are deemed competent to do so.
C. Other Healthcare Providers
To coordinate your care, we may receive records from:
- Your GP or previous dental practice.
- Hospitals and specialist consultants.
- Referral services (e.g., NHS orthodontic triaging).
D. Regulatory & Education Authorities
In specific circumstances, we may receive information from:
- The NHS: For patient eligibility and treatment history.
- Schools/Universities: Only where specific safeguarding or community dental programs are in place.
- Regulatory Bodies: Such as the GDC or CQC in relation to specific investigations or audits.
E. Professional Services
- Insurance Providers: Regarding your coverage and claim eligibility.
- Debt Recovery Services: In the event of unpaid fees.
4. Data Retention: How long we keep your information
We only keep your personal data for as long as is necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
| Record Type | Retention Period | Reason for Retention |
|---|---|---|
| Patient Medical Records | 11 years after last treatment (or until age 25 for children) | GDC/NHS guidelines & legal defense. |
| Consent Forms | 11 years after last treatment | Evidence of informed consent for treatment. |
| X-rays & Images | 11 years | Diagnostic continuity and legal claims. |
| Financial Records | 7 years | HMRC tax and accounting compliance. |
| Staff Records | 6 years after employment ends | UK Employment law and pension claims. |
| Emergency Records | 6 years after last entry | Healthcare continuity and legal reference. |
| Appointment Records | 3 years after last appointment | Scheduling management and GDPR minimization. |
| Insurance Claims | 6 years after claim is settled | Insurance regulatory requirements. |
| Complaints & Claims | 6 years from resolution | Evidence of resolution or legal dispute. |
| Audit & Access Logs | 1–2 years | Security monitoring and data access audits. |
| Registration Forms | 11 years after last treatment | Accurate demographics for ongoing care. |
| Dental Lab Reports | 11 years after completion | Continuity of care for prosthetics/appliances. |
| Prescription Records | 11 years after date (or age 25) | Medication management standards. |
Note: Where a patient has died, records are typically kept for a minimum of 10 years after the date of death.
5. Third Parties We May Share Data With
We share information only on a “need-to-know” basis, ensuring that third parties receive the minimum amount of data necessary.
- Healthcare Partners:
  - Dental Laboratories: For the custom manufacture of crowns, bridges, and appliances.
  - Referral Specialists: Other dentists or medical doctors involved in your multidisciplinary care.
  - Your GP: When dental health correlates with your general medical wellbeing.
  - Hospitals or Community Services: In the event of a referral for surgery or specialized scans.
- Regulatory & Legal Bodies:
  - The NHS: For patients receiving NHS treatment to ensure correct billing and administration.
  - Care Quality Commission (CQC): During inspections to ensure we are meeting safety and quality standards.
  - General Dental Council (GDC): In relation to professional standards or fitness to practise investigations.
  - Information Commissioner’s Office (ICO): In response to data protection audits or queries.
  - Law Enforcement: Only where required by a court order or for the prevention/detection of a crime.
- Financial & Professional Service Providers:
  - Dental Plan/Insurance Providers: To process your claims (e.g., Denplan, Practice Plan).
  - Payment Processors: To securely handle credit/debit card transactions.
  - Debt Collection Agencies: Only as a last resort in the event of unpaid fees.
  - Professional Advisers: Including our lawyers, accountants, and insurers for legal defense or business audits.
- IT & Software Providers:
  - Practice Management Software: (e.g., Dentally, Software of Excellence) which hosts our secure database.
  - Communication Tools: Secure platforms used for SMS/email appointment reminders.
  - Cloud Storage Providers: Ensuring your data is backed up and encrypted within the UK/EEA.
All third-party providers are subject to strict Data Processing Agreements (DPAs) to ensure your data remains protected under UK GDPR standards.
6. Advertising & Analytics Partners
We use digital marketing tools to improve our service reach and website experience.
- Social Media Platforms: We may share non-sensitive data (such as hashed email addresses for matching) with platforms like Meta (Facebook/Instagram) to show you relevant ads. This is only done where you have provided explicit consent.
- Website Analytics: We use Google Analytics to understand how visitors use our site. This data is anonymised and does not identify you as a dental patient.
- Your Control: You can opt-out of this tracking at any time via our Cookie Settings or by using the ‘Unsubscribe’ link in any marketing email.
7. Your Data Protection Rights
Under UK law, you have the following rights:
- Right of Access: Request copies of your personal information.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure: Request deletion (subject to medical record retention laws).
- Right to Restriction: Limit how we use your data.
- Right to Object: Object to processing (e.g., for marketing).
- Right to Data Portability: Transfer your data to another provider.
- Right to Withdraw Consent: Revoke permission at any time.
To exercise these rights, please contact hello@westhousedental.com. You also have the right to complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we use your data.
Last updated: 26 April 2026