‘Us, we, our’ means: Swift Dental Group Limited and all of our group companies.
There is a total of 26 definitions listed within the GDPR and it is not appropriate to reproduce them all. However, the most fundamental definitions with respect to this policy are as follows:
Personal data is defined as:
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means: (Swift Dental Group is a processor)
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means: (Dental Practice)
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
INFORMATION WE COLLECT
The data we collect at Swift Dental Group is solely for the purpose of providing a second to none service. That said we may use your information to contact the practice and offer additional offers and services. This is solely aimed at improving our services, however, due to new GDPR, you will need to opt-in for any such marketing offers. The use of information to provide our service as you require will continue.
The information we collect, and its uses are listed below:
- To arrange deliveries and collection of goods
- To post monthly statements and invoices
- To create a practice on our Laboratory system, allowing the creation and traceability of orders
- Information will be passed on to courier companies and Royal Mail in order to deliver work. All third-party companies are GDPR compliant
- In order to generate an invoice for specific work we need the dentists’ name
- We add the dentist name to the delivery note
- We cross-reference names with the GDC register
Dentists G.D.C. No.
- We need this by law to complete any restorative work or medical device that will be implemented into a patient’s mouth
- In order to contact you about a case that we need clarity on, or the laboratory prescription ticket has not been fully completed
- A telephone is also used in the case of booking in Educational Visits and informing practices of any issues with delivery dates
- We use call recording for training and monitoring purposes
- We may use your email address to send photos of any cases that require additional consultation
- We send statements and invoices via email
- We may occasionally send out offers and promotions via email
- All card details collected are destroyed immediately after payment
We store patient name against an order. Orders can be linked back to the dentist, but we don’t store the patient in a way you can confirm two mentions of the same name are the same person. Their name is only stored as a string, not in a patient table. We don’t store any personal information against a patient such as contact details, age, address etc. Where applicable patient names will be shortened, e.g. John Smith will become J Smith. However, if a dentist writes the whole name on the laboratory ticket the name will be stored for at least five years. Patient info is not transferred to any third-party companies. We take their privacy very seriously.
Due to new GDPR you now have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Each of these rights must be supported by appropriate procedures of the controller (yourself), however, Swift Dental Group needs to be aware of the legal requirements and liaise with the controller. With the intention that this will allow the required action to be taken within the timescales stated in the GDPR.
These timescales are shown in Table 1.
|Data Subject Request
|The right to be informed
||Within one month
|The right of access
|The right to rectification
|The right to erasure
||Without undue delay
|The right to restrict processing
||Without undue delay
|The right to data portability
|The right to object
||On receipt of objection
|Rights in relation to automated decision making and profiling
The following general points apply to all of the requests described in this document and are based on Article 12 of the GDPR:
- Information shall be provided to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child
- Information may be provided in writing, electronically or by other means
- The data subject may request the information orally (e.g. over the telephone or face to face), as long as the identity of the data subject has been established
- We must act on a request from a data subject unless we are unable to establish their identity
- We must provide information without undue delay and within a maximum of one month from the receipt of the request
- The response timescale may be extended by up to two further months for complex or a high volume of requests – the data subject must be informed of this within one month of the request, and the reasons for the delay given
- If a request is made via electronic form, the response should be via electronic means where possible, unless the data subject requests otherwise
- If it is decided that we will not comply with a request, we must inform the data subject without delay and at the latest within a month, stating the reason(s) and informing the data subject of their right to complain to the supervisory authority
- Generally, responses to requests will be made free of charge, unless they are “manifestly unfounded or excessive” (GDPR Article 12), in which case we will either charge 0a reasonable fee or refuse to action the request
- If there is doubt about a data subject’s identity, we may request further information to establish it
Please refer to the exact text of the GDPR if clarification of any of the above is required.
THE RIGHT TO BE INFORMED
At the point where personal data are collected from the data subject or obtained from another source, there is a requirement to inform the data subject about our use of that data and their rights over it. Compliance with this right is addressed in a separate document, Privacy Notice Procedure, which describes the information that must be provided and sets out how and when this must be achieved.
THE RIGHT OF ACCESS
A data subject has the right to ask Swift Dental Group whether we process data about them, to have access to that data and in addition the following information:
- The purposes of the processing
- The categories of the personal data concerned
- The recipients, or categories of recipients, of the data, if any, in particular, any third countries or international organisations
- The length of time that the personal data be stored for (or the criteria used to determine that period)
- The data subject’s rights to rectification or erasure of their personal data and restriction of, or objection to, its processing
- The data subject’s right to lodge a complaint with a supervisory authority
- Information about the source of the data, if not directly from the data subject
- Whether the personal data will be subject to automated processing, including profiling and, if so, the logic and potential consequences involved
- Where the data are transferred to a third country or international organisation, information about the safeguards that apply
In most cases, the decision-making process for such requests will be straightforward unless it is judged that the request is manifestly unfounded or excessive. The compilation of the information is likely to require the input of the data owner.
THE RIGHT TO RECTIFICATION
Where personal data is inaccurate, the data subject has the right to request that it be corrected, and incomplete personal data completed based on information they may provide.
Where necessary, Swift Dental Group will take steps to validate the information provided by the data subject to ensure that it is accurate before amending it.
THE RIGHT TO ERASURE
Also known as “the right to be forgotten”, the data subject has the right to require Swift Dental Group to erase personal data about them without undue delay where one of the following applies:
- The personal data are no longer necessary for the purpose for which they were collected
- The data subject withdraws consent and there is no other legal ground for processing
- The data subject objects to the processing of the personal data
- The personal data have been unlawfully processed
- For compliance reasons, i.e. to meet the legal obligations of Swift Dental Group
- Where the personal data was relevant to the data subject as a child
Reasonable efforts must be made to ensure erasure where the personal data has been made public.
Swift Dental Group will need to make a decision on each case of such requests as to whether the request can or should be declined for one of the following reasons:
- Right of freedom of expression and information
- Compliance with a legal obligation
- Public interest in the area of public health
- To protect archiving purposes in the public interest
- The personal data is relevant to a legal claim
It is likely that such decisions will require the involvement of the Swift Dental Group Data Protection Officer and in some cases senior management.
THE RIGHT TO RESTRICT PROCESSING
The data subject can exercise the right to a restriction of processing of their personal data in one of the following circumstances:
- Where the data subject contests the accuracy of the data, until we have been able to verify its accuracy
- As an alternative to erasure in the circumstances that the processing is unlawful
- Where the data subject needs the data for legal claims, but it is no longer required by us
- Whilst a decision on an objection to processing is pending
Swift Dental Group will need to make a decision on each case of such requests as to whether the request should be allowed. It is likely that such decisions will require the involvement of the Swift Dental Group Data Protection Officer and in some cases senior management.
Where a restriction of processing is in place, the data may be stored but not processed without the data subject’s consent, unless for legal reasons (in which case the data subject must be informed). Other organisations who may process the data on our behalf must also be informed of the restriction.
THE RIGHT TO DATA PORTABILITY
The data subject has the right to request that their personal data be provided to them in a “structured, commonly used and machine-readable format” (GDPR Article 20) and to transfer that data to another party e.g. service provider. This applies to personal data for which processing is based on the data subject’s consent and the processing carried out by automated means.
Where feasible, the data subject can also request that the personal data be transferred directly from our systems to those of another provider.
For services that come under this category, little decision-making is required for each case and it is highly desirable that this process is automated in its execution.
THE RIGHT TO OBJECT
The data subject has the right to object to processing that is based on the following legal justifications:
- For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- For the purposes of the legitimate interests of the controller
Once an objection has been made, Swift Dental Group must justify the grounds on which the processing is based and suspend processing until this is done. Where the personal data is used for direct marketing, we have no choice but to no longer process the data.
RIGHTS IN RELATION TO AUTOMATED DECISION MAKING AND PROFILING
The data subject has the right to not be the subject of automated decision-making where the decision has a significant effect on them and can insist on human intervention where appropriate. The data subject also has the right to express their point of view and contest decisions.
There are exceptions to this right, which are if the decision:
- Is necessary for a contract
- Is authorised by law
- Is based on the data subject’s explicit consent
In assessing these types of request, a judgement needs to be made about whether the above exceptions apply in the particular case in question.
INFORMATION WE NEED TO KEEP
If any information that you wish to be altered or erased that contradicts and legal legislation shall remain unaltered until the date of which it expires. For example, a laboratory ticket with a dentist name printed on it will not be destroyed until 5 years after the work is completed (or ten years after 2020).
Swift Dental Group is committed to providing a confidential service to its users. No information given to us will be shared with any other organisation or individual without the user’s expressed permission.
For the purpose of this policy, confidentiality relates to the transmission of personal, sensitive or identifiable information about individuals or organisations (confidential information), which comes into the possession of us through our work.
We hold personal data about our staff, users, members etc. which will only be used for the purposes for which it was gathered and will not be disclosed to anyone outside of the organisation without prior permission.
All personal data will be dealt with sensitively and in the strictest confidence internally and externally.
The purpose of the Confidentiality Policy is to ensure that all staff, members, volunteers and users understand the Organisations requirements in relation to the disclosure of personal data and confidential information.
All paper records are kept in locked filing cabinets. All information relating to service users will be left in locked drawers. This includes notebooks, copies of correspondence and any other sources of information.
WHERE IS INFORMATION STORED?
We have our own bespoke laboratory software. All individual users are connected by username and password. Usernames are six-digit numbers rather than names to increase security. The cloud-based server is secure and encrypted. All data on the server is not accessed outside of the company by any technicians. Certain high-level staff, as well as Business Development Managers who work from home, have access to parts of the system remotely. However, it is under a confidentiality agreement that they will not share or store any of this information.
In the unlikely event of a security breach, any breaches in security are aimed to be resolved within 72 hours and you will be informed as an utmost priority.