This practice is committed to complying with the Data Protection Act 2018, the United Kingdom General Data Protection Regulation (UK GDPR), GDC, NHS, and other data protection requirements relating to our work.
We only keep relevant information about employees for employment purposes and about patients to provide them with safe and appropriate health care.
This policy forms part of our Information Governance document suite. All data protection and information security policies, procedures, and risk assessments are reviewed annually in iComply.
The person responsible for data protection and information security is the Information Governance Lead, Gemma Funnell.
Our lawful bases and conditions for processing personal data are specified in our Privacy Notice (M 217T).
Consent
The practice offers individuals real choice and control. Our consent procedures put individuals in charge to build trust and engagement.
- Marketing consent requires a positive opt-in (we don’t use pre-ticked boxes or implied consent).
- We make it easy for people to withdraw consent, provide clear instructions on how, and keep records of consent.
- Consent to marketing is never a precondition of service.
Data Protection Officer (DPO)
We do not have a Data Protection Officer, as we do not process large volumes of data.
Pseudonymisation
Pseudonymisation means transforming personal data so that it cannot be attributed to an individual unless additional information is provided.
- Pseudonymisation: data can be traced back to the original subject.
- Anonymisation: data cannot be traced back to the original subject.
Examples we use include:
- We never identify patients in research, reports, or publicly available information.
- When storing or transmitting electronic data, it is encrypted and the encryption key is kept separately.
Data Breaches
We report certain types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of them, where feasible.
If a breach results in a high risk of adversely affecting individuals’ rights and freedoms, we also inform those individuals without undue delay.
We keep contemporaneous records of any data breaches, whether or not notification is required.
For our detailed data breach procedures, see Information Governance Procedures (M 217C).
Right to Be Informed
We provide fair processing information through our Privacy Notice (M 217T) and our Privacy Notice for Children (M 217TC), which are available from the practice and on our website.
Your Data Rights
Right of Access
Individuals have the right to access their personal data and supplementary information to verify the lawfulness of processing.
Upon request, we provide:
- Confirmation that data is being processed
- Access to personal data
- Supplementary information as found in our Privacy Notices
Right to Erasure
Individuals have the right to request deletion of personal data where there is no compelling reason for continued processing.
For current or former patients, clinical records are retained according to our Record Retention (M 215) policy and deleted upon expiry of that period.
Right of Rectification
Individuals can request corrections to inaccurate or incomplete personal data.
Right to Restriction
Individuals may request that processing be restricted. We will store, but not process, their data and retain enough information to ensure the restriction is respected in future.
Right to Object
Individuals have the right to object to direct marketing and processing for scientific research or statistical purposes.
Data Portability
Individuals can request that their data be transferred electronically or in another format.
Privacy by Design
We implement technical and organisational measures to integrate data protection into all processing activities.
Our systems follow Privacy by Design principles to promote compliance and safeguard personal data.
Records
We maintain detailed records of processing activities for future reference.
Privacy Impact Assessment
We review our Privacy Impact Assessment (M 217Q) annually in iComply, using the Sensitive Information Map, PIA and Risk Assessment to ensure compliance and uphold individuals’ privacy expectations.
Information Security
The Information Governance Procedures (M 217C) include:
- A Staff Confidentiality Code of Conduct, outlining the legal duty to protect and disclose data appropriately
- Procedures for managing and reporting data breaches
- A comprehensive set of procedures and risk assessments to prevent accidental or deliberate data compromise
- Guidance on using personal equipment (e.g. laptops, phones, tablets) for practice business
Regular Review
This policy and related procedures are reviewed annually within iComply.
Related Policies and Procedures
- M 215 – Record Retention
- M 216 – Data Protection Overview
- M 216A – GDPR and Data Protection Action Plan
- M 217A – Guide for Completing the Data Security and Protection Toolkit
- M 217C – Information Governance Procedures
- M 217M – Physical Security Risk Assessment
- M 217N – Business Impact Analysis
- M 217Q – Sensitive Information Map, PIA and Risk Assessment
- M 217S – Legitimate Interests Assessment
- M 217T – Privacy Notice
- M 233-CON – Confidentiality Policy
- M 233-REM – Record Management Policy
- M 255 – Disaster Planning and Emergency Procedures Arrangements
Further Information
For more information, visit:
Last modified: 16 June 2025
Goldsworth Road Dental
96 Goldsworth Road, Woking, Surrey, GU21 6LN