UK Smile, 81 Buckingham Gate, London SW1E 6PE
Telephone: +44 02072332323 Emergency: +44 02077888495
GDPR
Data protection policy
UK Smile Clinic
1. Purpose
1.1 The purpose of this policy is to introduce the General Data Protection
Regulation 2016 ("GDPR") and to ensure that UK Smile Dental Practice
understands the key principles of GDPR.
1.2 This policy sets out the steps that need to be taken by UK Smile Dental
Practice to ensure that UK Smile Dental Practice handles uses and
processes personal data in a way that meets the requirements of GDPR. It
should be read alongside the additional GDPR policies and procedures and
the guidance that will be produced between now and May 2018.
1.3 This policy applies to all staff at UK Smile Dental Practice who process
personal data about other staff, Patients and any other living individuals as
part of their role.
1.4 To support UK Smile Dental Practice in meeting the following
Key Lines of Enquiry:
Key Question | Key Line of Enquiry (KLOE)
WELL-LED | HW1: Is there the leadership capacity and capability to deliver high-quality,
sustainable care?
WELL-LED | HW4: Are there clear responsibilities, roles and systems of
accountability to support good governance and management?
1.5 To meet the legal requirements of the regulated activities that UK Smile
Dental Practice is registered to provide:
• The Data Protection Bill 2017
• The General Data Protection Regulation 2016 (EU) 2016/679
2. Scope
2.1 The following roles may be affected by this policy:
• All staff
2.2 The following people may be affected by this policy:
• Patients
2.3 The following stakeholders may be affected by this policy:
• Commissioners
3. Objectives
3.1 The objective of this policy is to introduce the principles and
requirements of GDPR.
UK Smile Limited 81 Buckingham Gate London SW1E 6PE
T: 020 7233 2323 www.uksmile.com info@uksmile.com
3.2 When reviewed alongside future policies, procedures and guidance,
UK Smile Dental Practice and its staff should understand the key principles of
GDPR and the steps that need to be taken so that UK Smile Dental Practice
complies with GDPR when handling and using personal data provided by
both staff and Patients.
3.3 This policy will assist with defining accountability and establishing ways
of working in terms of the use, storage, retention and security of personal
data.
3.4 This policy will assist with understanding the obligations of UK
Smile Dental Practice in respect of the rights of the staff and Patients
who have provided personal data and the steps UK Smile Dental
Practice should take if it breaches GDPR.
4. Policy
4.1 GDPR Background
GDPR will come into force on 25 May 2018 and will replace the Data
Protection Act 1998. GDPR will be implemented regardless of Brexit. GDPR
will provide greater protection to individuals and place greater obligations
on organisations, but it can be dealt with in bite-size chunks to ensure that
any impact on the provision of care and services is reduced.
4.2 All staff will need to understand whether the ways in which they handle
personal data already meet the requirements of GDPR and, if not, the steps
that need to be taken to achieve compliance.
4.3 UK Smile Dental Practice Approach to GDPR
UK Smile Dental Practice is required to take a proportionate and
appropriate approach to GDPR compliance. UK Smile Dental Practice
understands that not all organisations will need to take the same steps;
it will depend on the volume and types of personal data processed by
the particular organisation, as well as the processes already in place to protect
personal data. We understand that if we process significant volumes of
personal data, including special categories of data, or have unusual or
complicated processes in place in terms of the way we handle personal
data, we will consider obtaining legal advice specific to the processing we
conduct and the steps we may need to take.
4.4 GDPR does not apply to any personal data held about someone who has
died. Both the Access to Medical Reports Act 1988 and the Access to Health
Records Act 1990 will continue to apply.
4.5 UK Smile Dental Practice Process for Promoting Compliance
To ensure that UK Smile Dental Practice understands and is able to
comply with GDPR, all staff should review the following documents
that will be produced over the next few months:
• Initial Privacy Impact Assessment Policy & Procedure
• GDPR - Key Terms Guidance
• GDPR - Key Principles Guidance
• GDPR - Processing Personal Data Guidance
• Appointing a Data Protection Officer Guidance
• Data Security and Retention Policy & Procedure
• Website Privacy Policy & Procedure
• Subject Access Requests Policy & Procedure
• Subject Access Requests Process Map Policy & Procedure
• Subject Access Requests - Request Letter Policy & Procedure
• Rights of a Data Subject Guidance
• Breach Notification Policy & Procedure
• Breach Notification Process Map Policy & Procedure
• Fair Processing Notice Policy & Procedure
• Consent Form
• GDPR - Transfer of Data Guidance
• Privacy Impact Assessment Policy & Procedure
4.6 Overview of Key Principles and Documents
The key principles and themes of each of the documents listed above
are summarised below:
Initial Audit and Privacy Impact Assessment
UK Smile Dental Practice understands that we should conduct an audit of
the personal data we currently process. This can be carried out internally
by UK Smile Dental Practice with the assistance of key staff members. The
audit will reveal whether the ways in which UK Smile Dental Practice
processes personal data meet the requirements of GDPR, and will also
indicate whether UK Smile Dental Practice should delete some of the
personal data it currently holds. An initial Privacy Impact Assessment
template will be provided as part of the GDPR documentation.
Data Protection Officers
UK Smile Dental Practice understands that some organisations will
need to appoint a formal Data Protection Officer under GDPR (a "DPO").
The DPO benefits from enhanced employment rights and must meet certain
criteria, so we recognise that it is important to know whether UK Smile
Dental Practice needs a DPO. This requirement will be outlined in the policy and
procedure on Data Protection Officers. Whether or not UK Smile Dental
Practice needs to appoint a formal Data Protection Officer, UK Smile Dental
Practice will appoint a single person to have overall responsibility for the
management of personal data and compliance with GDPR.
Data Security and Retention
Two of the key principles of GDPR are data retention and data
security.
• Data retention refers to the period for which UK Smile Dental
Practice keeps the personal data that has been provided by a
Data Subject. At a high level, UK Smile Dental Practice must
only keep personal data for as long as it needs the personal
data
• Data security requires UK Smile Dental Practice to put in place
appropriate measures to keep data secure
These requirements will be described in more detail in the policy &
procedure entitled Data Security and Retention, which will be
drafted with a view to being circulated amongst staff at UK Smile
Dental Practice.
Website Privacy Policy & Procedure
Where UK Smile Dental Practice collects personal data via a website,
we understand that we will need a GDPR compliant website privacy
policy. The privacy policy will explain how and why personal data is
collected, the purposes for which it is used and how long the
personal data is kept. A template website policy will be provided.
Subject Access Requests
One of the key rights of a Data Subject is to request access to and
copies of the personal data held about them by an organisation.
Where UK Smile Dental Practice receives a Subject Access Request,
we understand that we will need to respond to the Subject Access
Request in accordance with the requirements of GDPR. To help staff
at UK Smile Dental Practice understand what a Subject Access
Request is and how they should deal with one, a
Subject Access Request Policy & Procedure will be made available to
staff. A UK Smile Dental Practice process map to follow when
responding to a Subject Access Request, as well as a Subject Access
Request letter template, will also be included.
The Rights of a Data Subject
In addition to the right to place a Subject Access Request, Data
Subjects benefit from several other rights, including the right to be
forgotten, the right to object to certain types of processing and the
right to request that their personal data be corrected by UK Smile
Dental Practice. All rights of the Data Subject will be covered in detail
in the corresponding guidance.
Breach Notification Under GDPR
We understand that, in certain circumstances, if UK Smile Dental
Practice suffers a personal data breach, we must notify the ICO and
potentially any affected Data Subjects. There are strict timescales in place for
making such notifications: where notification to the ICO is required, GDPR
requires it within 72 hours of becoming aware of the breach. A policy and
procedure for breach notification that can be circulated to all staff, together
with a process map for UK Smile Dental Practice to follow if a breach takes
place, will be published.
We understand that this requirement is likely to have less impact on NHS
organisations that are already used to reporting using the NHS reporting
tool.
Fair Processing Notice and Consent Form
Organisations are required to provide Data Subjects with certain
information about the ways in which their personal data is being processed.
The easiest way to provide that information is in a Fair Processing Notice.
Key Terms
GDPR places obligations on all organisations that process personal
data about a Data Subject. A brief description of those three key
terms is included in the Definitions section of this document and will
be expanded upon in the Key Terms Guidance.
The requirements that UK Smile Dental Practice will need to meet
will vary depending on whether UK Smile
Dental Practice is a Data Controller or a Data Processor. We recognise
that in most scenarios, UK Smile Dental Practice will be a Data
Controller. The meaning of Data Controller and Data Processor,
together with the roles they play under GDPR, will be explained in
the Key Terms Guidance.
Special categories of data attract a greater level of protection and the
consequences for breaching GDPR in relation to special categories of
data may be more severe than breaches relating to other types of
personal data. This will also be covered in more detail in the Key
Terms Guidance.
Key Principles
There are 6 key principles of GDPR which UK Smile Dental Practice
must comply with. These 6 principles are very similar to the key
principles set out in the Data Protection Act 1998. They are:
• Lawful, fair and transparent use of personal data
• Using personal data for the purpose for which it was collected
• Ensuring the personal data is adequate and relevant
• Ensuring the personal data is accurate
• Ensuring the personal data is only retained for as long as it is
needed
• Ensuring the personal data is kept safe and secure
These key principles will be explained in more detail in the guidance
entitled 'GDPR - Key Principles'.
UK Smile Dental Practice recognises that in addition to complying
with the key principles, UK Smile Dental Practice must be able to
provide documentation to the Information Commissioner's Office
(ICO) on request, as evidence of compliance. We understand that we
must also adopt 'privacy by design' (referred to in GDPR as data
protection by design and by default). This means that data protection
issues should be considered at the very start of a project, or
engagement with a new Patient. Data protection should not be an
afterthought. These ideas will also be covered in more detail in the
Key Principles Guidance.
Processing Personal Data
The position has been improved under GDPR in terms of the ability of
care sector organisations to process special categories of data. The
provision of health or social care or treatment or the management of
health or social care systems and services is now expressly referred to
as a reason for which an organisation is entitled to process special
categories of data.
In terms of other types of personal data, UK Smile Dental Practice
must only process personal data if it is able to rely on one of a
number of grounds set out in GDPR. The grounds which are most
commonly relied on are:
• The Data Subject has given his or her consent to the
organisation using and processing their personal
data
• The organisation is required to process the personal data to
perform a contract; and
• The processing is carried out in the legitimate interests of the
organisation processing the data — note that this ground does
not apply to public authorities
The other grounds which may apply are:
• The processing is necessary to comply with a legal obligation
• The processing is necessary to protect the vital interests of the
Data Subject or another living person
• The processing is necessary to perform a task carried out in the
public interest
The grounds set out above and the impact of the changes made in
respect of special categories of data will be explained in more detail
in the guidance entitled 'GDPR - Processing Personal Data'.
A Fair Processing Notice template will be produced for UK Smile
Dental Practice to use and adapt on a case-by-case basis.
The Fair Processing Notice will sit alongside a consent form which
can be used to ensure that UK Smile Dental Practice obtains
appropriate consent, particularly from the Patient, to the various
ways in which UK Smile Dental Practice uses personal data. The
Consent Form will contain advice and additional steps to take if the
Patient is a child or lacks capacity.
Transfer of Data
If UK Smile Dental Practice wishes to transfer personal data to a third
party, we understand that we should put in place an agreement to set
out how the third party will use the personal data. The transfer would
include, for example, using a data centre in a non-EU country. If that
third party is based outside the European Economic Area, we
recognise that further protection will need to be put in place and
other aspects considered before the transfer takes place. Guidance
will be produced to explain the implications of transferring personal
data in more detail.
Privacy Impact Assessments
In addition to carrying out an initial Privacy Impact Assessment (referred to above),
UK Smile Dental Practice will carry out further assessments each time it
processes personal data in a way that presents a "high risk" for the Data
Subject. Examples of when a Privacy Impact Assessment should be
conducted will be provided in the relevant policy & procedure. Given the
volume of special categories of data that are frequently processed by
organisations in the health and care sector, there are likely to be a
number of scenarios which require a Privacy Impact Assessment to be
completed.
The Privacy Impact Assessment template may also be used to record
any data protection incidents, such as breaches or 'near misses'.
4.7 Compliance with GDPR
UK Smile Dental Practice understands that there are two primary
reasons to ensure that compliance with GDPR is achieved:
• It will promote high standards of practice and Care, and provide
significant benefits for staff and, in particular, Patients
• Compliance with GDPR is overseen in the UK by the ICO. Under
the Data Protection Act 1998, the ICO has the power to levy fines
of up to £500,000 for the most serious breach. Under GDPR, the
ICO has the ability to issue a fine of up to 20 million Euros
(approximately £17,000,000) or 4% of the worldwide annual turnover
of an organisation, whichever is higher. The potential
consequences are therefore significant.
UK Smile Dental Practice appreciates that it is important to
remember, however, that the intention of the ICO is to educate and
advise, not to punish. The ICO wants organisations to achieve
compliance. A one-off, minor breach may not attract the attention of
the ICO, but if UK Smile Dental Practice persistently breaches GDPR
or commits significant one-off breaches (such as the loss of a large
volume of personal data, or the loss of special categories of data), it
may be subject to ICO enforcement action. In addition to imposing
fines, the ICO also has the power to conduct audits of UK Smile
Dental Practice and our data protection policies and processes. UK
Smile Dental Practice realises that the ICO may also require UK
Smile Dental Practice to stop providing services, or to notify Data
Subjects of a breach, delete certain personal data we hold or
prohibit certain types of processing.
5. Procedure
5.1 All staff should review the GDPR policies and procedures and
guidance that will be produced over the next few months.
5.2 UK Smile Dental Practice will nominate a person or team to be
responsible for data protection and GDPR compliance (if a formal
Data Protection Officer is not required, somebody with an
understanding of the requirements of GDPR who can act as a day-to-day
point of contact will be chosen).
5.3 UK Smile Dental Practice should ensure all staff understand the
policies and procedures provided, including how to deal with a
Subject Access Request and what to do if a member of staff breaches
GDPR.
5.4 UK Smile Dental Practice will consider providing training
internally about GDPR (in particular, the Key Principles of GDPR) to
all staff members.
5.5 UK Smile Dental Practice will conduct an audit of the personal
data currently held by UK Smile Dental Practice (the initial Privacy
Impact Assessment template provided will be used for this
purpose).
5.6 UK Smile Dental Practice will delete any personal data that UK Smile
Dental Practice no longer needs, based on the results of the audit
conducted, taking into account any relevant guidance, such as the Records
Management Code of Practice for Health and Social Care 2016.
5.7 UK Smile Dental Practice will, if necessary, put in place new
measures or processes to ensure that personal data continues to be
processed in line with GDPR.
5.8 UK Smile Dental Practice will, if necessary, finalise and circulate
a Fair Processing Notice to Patients.
5.9 UK Smile Dental Practice will ensure proper consent is obtained
from each Patient in line with GDPR requirements (the Consent Form
provided can be used for this purpose). UK Smile Dental Practice will
review the additional steps that UK Smile Dental Practice should take to
ensure that UK Smile Dental Practice obtains consent from parents,
guardians, carers or other representatives who act on behalf of children
or those who lack capacity.
5.10 UK Smile Dental Practice will ensure that processes and
procedures are in place to respond to requests made by Data
Subjects (including Subject Access Requests) and to deal
appropriately with any breaches or potential breaches of GDPR.
5.11 UK Smile Dental Practice will maintain a log of decisions
taken and incidents that occur in respect of the personal data
processed by UK Smile Dental Practice, using the UK Smile
Dental Practice Privacy Impact Assessment template.
6. Definitions
6.1 Data Subject
• The individual about whom UK Smile Dental Practice has
collected personal data
6.2 Data Protection Act 1998
• The law that relates to data protection. It will remain in force
until and including 24 May 2018. It will be replaced by GDPR on
25 May 2018
6.3 GDPR
• The General Data Protection Regulation 2016. It will replace the
Data Protection Act 1998 from 25 May 2018 as the law that governs
data protection in the UK. As an EU regulation it applies directly
in the UK; the Data Protection Bill will supplement it in UK law
6.4 Personal Data
• Any information about a living person including but not
limited to names, email addresses, postal addresses, job roles,
photographs, CCTV and special categories of data defined
below
6.5 Process or Processing
• Doing anything with personal data, including but not limited to
collecting, storing, holding, using, amending or transferring it.
You do not need to be doing anything actively with the personal
data — at the point you collect it, you are processing it
6.6 Special Categories of Data
• Has an equivalent meaning to "Sensitive Personal Data" under
the Data Protection Act 1998. Special Categories of Data
include but are not limited to medical and health records
(including information collected as a result of providing health
care services) and information about a person's religious
beliefs, ethnic origin and race, sexual orientation and political
views.
Key Facts - Professionals Providing This Service
Professionals providing this service should be aware of the following:
• GDPR provides greater protection for staff and Patients in respect of
their personal data
• Compliance is mandatory, not optional
• UK Smile Dental Practice will adopt an appropriate and
proportionate approach: what is right and necessary for UK Smile
Dental Practice may not be right for another organisation
• Achieving compliance with GDPR will not only reduce the risk of ICO
enforcement or fines but will also promote a better-quality service
for Patients and an improved working environment for staff
Key Facts - People Affected by The Service
People affected by this service should be aware of the following:
• Your personal data will be protected
• You have a right to see what information we hold about you
• You will be asked for your consent before we obtain your personal
data in line with GDPR requirements
• In addition to the new GDPR regulations, our staff will continue to
follow confidentiality policies in relation to all aspects of your care.