The practice aims to meet the requirements of the Data Protection Act 2018, the General Data Protection Regulation (GDPR], the guidelines on the Information Commissioner’s website as well as our professional guidelines and requirements.
You will be asked to provide personal information when joining the practice. The purpose of us processing this data is to provide optimum health care to you.
The categories of data we process are:
- Personal data for the purposes of staff and self-employed team member management
- Personal data for the purposes of direct mail/email/text/other marketing
- Special category data including health records for the purposes of the delivery of health care
- Special category data including health records and details of criminal record checks for managing employees and contracted team members
We never pass your personal details to a third party unless we have a contract for them to process data on our behalf and will otherwise keep it confidential. If we intend to refer a patient to another practitioner or to secondary care such as a hospital we will gain the individual’s permission before the referral is made and the personal data is shared.
- Personal data is stored in the EU whether in digital or hard copy format
- Personal data is stored in the US in digital format when the data storage company is certified with the EU-US Privacy Shield
- Personal data is obtained when a patient joins the practice, when a patient is referred to the practice and when a patient subscribes to an email list
The lawful basis for processing special category data such as patients’ and employees’ health data is:
- Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
The lawful basis of processing personal data such as name, address, email or phone number is:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
The retention period for special data in patient records is a minimum of 10 years and may be longer for complex records in order to meet our legal requirements. The retention period for staff records is 6 years. The retention periods for other personal data is 2 years after it was last processed. Details of other retention periods are available in the Record Retention procedure available from the practice.
You have the following personal data rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (clinical records must be retained for a certain time period)
- The right to restrict processing
- The right to data portability
- The right to object
Further details of these rights can be seen in our Information Governance Procedures or at the Information Commissioner’s website. Here are some practical examples of your rights:
- If you are a patient of the practice you have the right to withdraw consent for important notifications, newsletters, surveys or marketing. You can inform us to correct errors in your personal details or withdraw consent from communication methods such as telephone, email or text. You have the right to obtain a free copy of your patient records within one month.
- If you are not a patient of the practice you have the right to withdraw consent for processing personal data, to have a free copy of it within one month, to correct errors in it or to ask us to delete it. You can also withdraw consent from communication methods such as telephone, email or text.
We have carried out a Privacy Impact Assessment and you can request a copy. The details of how we ensure security of personal data is in our Security Risk Assessment and Information Governance Procedures.
Personal information this website collects
We respect your privacy and we promise to do the following:
- Use your personal information only to provide you with the information you have requested or have agreed to receive.
- Keep your data safe and secure and process it in a manner that follows your wishes.
- Assist you to change your mind at any time about the communications you have signed up to receive.
Without limitation, any of the following Data may be collected:
- Name and title
- Contact information including email address and telephone number
- IP address (automatically collected)
- Web browser type and version (automatically collected)
- Operating system (automatically collected)
We are the sole owners of the information collected on this site. We only have access to the information you voluntarily give us. We will use your information to respond to you, regarding the reason you contacted us. We will not sell or rent this information to anyone. If we do not hear otherwise from you, we will assume that the information you provide to us is accurate and up-to-date and we will continue to use the information to send you any communications you have requested.
Where your data is held
Your data is held on secure servers operated by Namesco Limited and will be stored under robust security measures.
You have the right to:
- have access to the personal information we hold about you;
- have rectified any incomplete, inaccurate out-of-date personal information that we hold about you;
- have personal information we hold about you erased from our systems;
- have the processing of your personal information restricted; and
- receive the personal information we hold about you transmitted to another party.
Please note that these rights may only apply in certain circumstances. If you contact us to exercise any of these rights we may ask you to verify your identity and to provide other details to help us to respond to your request. We will only use this information in order to verify your identity.
You have the right to access the personal information we hold about you at any time. You also have the right to ask us to update or correct any incomplete, inaccurate or out-of-date personal information that we hold about you free of charge.
Before we are able to provide you with, or to correct, any personal information we hold about you, we may ask you to verify your identity and to provide other details to help us to respond to your request. We will only use this information in order to verify your identity.
If you wish to exercise any of your rights please contact our Data Protection Coordinator.
If you believe that our processing of your personal information is contrary to applicable law please contact our Data Protection Coordinator as the address detailed below, however you are also entitled to lodge a complaint with the UK’s Information Commissioner’s Office.
Storage and security of your personal information
We comply with the standard procedures and requirements as laid down by applicable law to ensure that your personal information is kept secure and we use the latest in Secure Server Technology (SSL – 128bit encryption) to ensure that all of your personal information is protected to the highest standards.
The transmission of information via the internet is not completely secure. Any emails we send or receive may not be protected in transit. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our website; any transmission is at your own risk.
Any passwords that you use must be kept securely. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
Additionally, the information that we collect from you may be transferred to, and stored at, a destination outside the UK and the European Economic Area ("EEA"). It may also be processed by our third party suppliers outside of the UK and EEA.
This site uses Google Analytics to track user interaction. We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey through the website.
Google Analytics records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you. Google Analytics also records your computer’s IP address which could be used to personally identify you but Google do not grant us access to this.
Disabling cookies on your internet browser will stop Google Analytics from tracking any part of your visit to pages within this website.
Read Google's overview of privacy and safeguarding data
Email newsletters – MailChimp
We use a third party provider, MailChimp, to deliver our e-newsletters using the email address that you submit to us. We gather statistics around email opening and clicks.
Your email address will remain within MailChimp’s database for as long as we continue to use MailChimp’s services for email marketing or until you specifically request removal from the list. You can do this by unsubscribing using the unsubscribe links contained in any email newsletters.
We consider MailChimp to be a third party data processor.
For more information, please see MailChimp privacy notice
People who contact us via social media
If you send us a private or direct message via social media the message will be stored by Hootsuite software.
For more information, please see Hootsuite privacy notice
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. We may also use trusted third-party services that track this information on our behalf.
Most web browsers allow some control of most cookies through the browser settings. Every browser is different, look at your browser's Help Menu to learn the correct way to modify your cookies. If you turn cookies off, some features may be disabled.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information, which you provide whilst visiting such sites and such sites are not governed by this privacy statement.
We will report any unlawful data breach of this website’s database or the database(s) of any of our third party data processors to any and all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data stored in an identifiable manner has been stolen.
The Data Controller
The data controller of this website is:
Heaton Mersey Orthodontic Centre Limited , 458 Didsbury Road, Heaton Mersey, Stockport, SK4 3BS
The company registration number is 07199431
Our registration number for the UK Data Protection Act 1998 is Z495089X
Data Protection Officer
Tel: 0161 947 9900
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 25 April 2018.
Contains public sector information licensed under the Open Government Licence v3.0.
Comments, suggestions and complaints
Please contact the practice for a comment, suggestion or a complaint about your data processing at firstname.lastname@example.org or on 0161 947 9900 or by writing to or visiting the practice at Heaton Mersey Orthodontic Centre, 458 Didsbury Road, Heaton Mersey, Stockport, SK4 3BS. We take complaints very seriously.
If you are unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO). Their telephone number is 0303 123 1113, you can also chat online with an advisor. The ICO can investigate your claim and take action against anyone who’s misused personal data. You can also visit their website for information on how to make a data protection complaint.
Related practice procedures
You can request copies of the following practice policies or procedures:
- Data Protection and Information Security Policy
- Consent Policy
- Privacy Impact Assessment
- Information Governance Procedures