The Data Protection Act 2018 (DPA 2018) [1] and the UK General Data Protection Regulations (UK GDPR) [2] include the following rights for individuals, most of which are similar to those included in the previous legislation:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability (UK GDPR)
- The right to object (UK GDPR)
- The right not to be subject to automated decision making, including profiling
You should ensure that the processes you have in place for data processing are consistent with the DPA 2018 [1] and UK GDPR [2]. Be aware that you may need to put new processes in place to comply with rights introduced by the updated legislation e.g. the right to data portability.
Ensure that all personal information that you hold is easy to retrieve and amend or delete, if required.
Ensure that the processes you have in place for data processing are consistent with an individual’s rights under the DPA 2018 [1] and UK GDPR [2]:
- Provide clear and transparent information to the people whose data you hold in the form of a privacy notice (see Privacy Notice).
- Where individuals ask to view the information that you hold, provide this free of charge and in an electronic and commonly used format (see Subject Access Requests).
- Where individuals ask you to rectify their personal data because they believe it is incorrect, check the information and if there are inaccuracies, amend them within one month of receiving the request.
- In dental practice, there are some situations where simply amending the information is inappropriate. For example, in the event of a misdiagnosis, the initial diagnosis can be retained in the patient’s record, as this is an accurate record of the patient’s treatment at the time. To comply with the individual’s right to rectification, a note that a mistake was made should be added to the record, along with the correct diagnosis.
- Where individuals ask you to erase or restrict the processing of their personal data, you must comply without undue delay (except where the information concerned is exempt, see below) and at the latest within one month of receipt of the request.
- You are not required to delete dental records or essential employee information as you are obliged to retain these to meet legal and professional obligations; you may need to justify to a patient or a former employee your reasons for not deleting some of their data and this should be done within one month of receiving the request.
- Where a patient asks for their electronic dental records to be sent to another dental practice, provide this information in a format that is structured, commonly used and machine-readable (e.g. as a PDF file).
- Ensure that this is done in a confidential and secure manner.
- Retain copies of the information to comply with your retention periods.
- You also have a responsibility to comply with data protection requirements when accepting information provided to you, for example where a new patient asks for their previous dentist to supply you with a copy of their electronic dental record.