Data Protection Policy

Data Protection Policy


The Practice’s Data Protection Code of Practice provides the required procedures to ensure that we comply with the 1998 Data Protection Act.  It is a condition of employment that everyone at the practice complies with this Code of Practice.

We need to keep comprehensive and accurate personal date about our patients in order to provide them with safe and appropriate care.

There are eight data protection principles with which all data users (such as dentists) must comply. Personal data must be:

  • Processed fairly and lawfully.
  • Processed only for specified purposes and in an appropriate way.
  • Relevant and sufficient for the purpose.
  • Accurate and up to date.
  • Kept only for as long as necessary.
  • Processed in accordance with individuals’ rights.
  • Kept secure.
  • Transferred to countries outside Europe only if the receiving country has equivalent controls.

Information Covered by Data Protection rules

Computer data which relates to individuals.

Paper files (e.g. clinical notes) which are organised by identifiers such as name, address etc.


Recorded telephone calls, answering machine tapes.

CCTV footage, if you have security cameras.

Notepads, such as telephone jotters which can be used to identify people.

Retention of Records

Dental records will be retained while you are patient at this practice and for at least eleven years after you to cease to be a patient, or for children until they reach twenty five years, which ever is the longer.  Your personal data is held on the practice’s computer system and in our files, it is not available to anyone other than authorised members of staff who have been trained in maintaining confidentiality and who know their responsibilities under the Data Protection Act.

Access to Health Records Act 1971

This Act relates principally to the rights of a patient to access their own health records. This right is generally upheld legally, and only in exceptional circumstances (e.g. where such access could be shown to have a potentially serious effect on the patient’s mental or physical health, or where the records include references to third parties whose confidentiality might be infringed) should such a legitimate request be denied.

The fact that patients have the right of access to their records makes it essential that information is properly recorded.  Records must be

  • contemporaneous and dated
  • accurate and comprehensive
  • neat, legible (if handwritten)
  • strictly necessary for the purpose
  • be such that disclosure to the patient would be unproblematic.

Requests for Information

A request from a patient to see records or for a copy must be referred to Dr. Gogna before providing any information. The patient should be given the opportunity to discuss the records either by phone or directly with Dr Gogna and once he has authorized the request the patient will be given a photocopy.  It is vital that care is taken to ensure that the individual seeking access is the patient in question and where necessary the practice will seek information from the patient to confirm identity.

We will provide a copy of the records within 40 days of receipt of the request, fee and receipt of proof of identity should this be necessary. The 40 day turnaround is a legal requirement of the act.

A fee for access of £10 is charged for records held on computer.

For records held manually or for computer-held records with non-computer radiographs a fee of £50 will be charged.

Definition of Terms used in Data Protection

Data: information which is stored in a computer or a structured (e.g. alphabetical) paper file.

Personal data: essentially factual or biographical data about a living individual from which they can be identified (Note: individuals, not firms or companies; living, not deceased). It can be factual (name address, phone number, email address) or an opinion (e.g. diagnosis).

Processing: any action involving obtaining, storing, sorting, updating or deleting data.

Data Controller: People or organisations which store or use data (e.g. dentists).

They decide what data is needed and how it is used. They have the legal responsibility for registering and having policies.

Data processor: Organisations who process data for data controllers (e.g. Denplan, Dental Practice Board). They do not own the data nor decide how it is processed. They also have to follow the Act and ensure data is handled properly.

Data subjects: people the information is about. They have rights in relation to their data.

Sensitive data: is personal data falling into specific categories such as health, race, ethnicity, politics, religion, sexual life, criminal convictions. Processing this data requires the subject’s consent. A dental patient is considered to have consented by agreeing to be examined or treated.

Data Protection Policy