Types of information held within a dental practice include patient details, employee details and associate details. A practice may hold personal identifiable information for several data processing purposes.
Document what personal data you hold, where it came from and who you share it with (see GDPR Information Audit May 2018 template (Word)).
- Consider undertaking an information audit which details:
- What personal information you hold
- The reasons you are holding the information
- The way that the information was gathered
- The reason the information was originally gathered
- The lawful basis for holding the information for each data processing purpose (see Lawful Basis)
- How long you will retain the information
- How the information is kept secure (in terms of encryption and accessibility)
- The basis for sharing the information with third parties
- Check that the information you hold is correct and up to date.
If you discover that you have shared incorrect information with another organisation, inform them that the information was incorrect and the changes required to rectify this.
Put in place a procedure to periodically check that the information you hold is correct and up-to-date.
- For patients this may already be undertaken when checking contact details and medical histories at each appointment, but consider an annual check of employee and associate information.
This interim advice is based on resources from the Information Commissioner’s Office (ICO) website. Although every effort has been made to ensure the accuracy of this advice, SDCEP takes no responsibility for inaccuracies or omissions and does not accept responsibility for any loss, damage or expense resulting from the use of this information. Further advice on complying with GDPR can be found on the ICO website and via the EU GDPR learning resource. Your indemnity organisation may also provide information and resources to help you comply and be able to advise you regarding particular issues that may arise from GDPR implementation.