This regulation came into effect on 25th May 2018. It is a piece of European legislation and replaces the Data Protection Act 1998. Now that the law is in effect, everyone must be compliant, and large fines are in place for companies that breach these new regulations.
The Act ensures that the person whose data you are storing understands how their data will be processed and used.
You will need to familiarise yourself with policies and procedures relating to data protection.
The Data Subject is the individual whose information you have stored.
Ensure all Personal Identifiable Information (PII) is correctly stored or not stored at all.
The Data Controller decides how and why the data is processed, and must be registered with the ICO.
The Data Controller will need to ensure that the measures are in place to respect the privacy and freedom of the Data Subject.
If the appropriate measures are not in place then the ICO can force changes, impose fines, and prosecute individuals.
The Data Processor receives data from a Data Controller.
A Natural Person is any living individual.
The Natural person has rights associated with:
There must be somebody taking responsibility for ensuring that your organisation is compliant.
This individual must take proper responsibility for data protection compliance and have the knowledge, support and authority to do so.
If you are a public authority, an organisation that carries out regular and systematic monitoring of individuals on a large scale, or an organisation that carries out large-scale processing of special categories of data (e.g. health records or criminal convictions), then you must appoint a Data Protection Officer.
Every ‘Natural Person’ has personal data. The amount of personal data we hold has increased over the years and will continue to do so as the world develops.
It is important to gain explicit consent for keeping sensitive data about an individual. Examples of sensitive data:
The Data Subject has given consent
It is necessary to fulfil the obligations of the Data Controller and Data Subject
It is necessary to protect the interests of the Data Subject
If the information being processed is carried out by a foundation or not for profit organisation
The personal data has already been made public by the Data Subject
The information is in the public interest
Make sure that you are aware of the Data Protection changes and ensure you are up to date on all changes that are being made.
Everybody will need to work together to ensure there is minimal chance of a breach happening.
All privacy notices within your practice/organisation must be reviewed and they must be sufficient and relevant.
When you collect information from the Data Subject you need to give them your identity and inform them:
When storing information on a person you must document how you will store the information, how it will be deleted and ensure that it covers all their rights:
Processing will only be lawful if one of the following conditions is met:
You need to have consent from the individuals that you keep information on and make sure that it meets the GDPR requirements. For example it must be:
Consent must be documented, and a record should be kept on what data they have agreed to share. The patient can tick a box or sign a form to acknowledge they understand why you want/need to process their data – this is known as Explicit Consent.
Please also keep in mind that consent can be withdrawn at any time.
If you are keeping information on children, then you need to be able to verify their ages and how you have obtained parental/guardian consent for data processing.
The GDPR has set the age when a child can give their own consent to 16.
There will be special protection for young persons' data on social media.
All personal data must be protected.
You should consider who has access to the data and whether it is necessary for them to have access.
Is everything stored securely in lockable filing cabinets?
Are computers all password protected?
These are just a few examples of things you may want to consider.
You should document how you will detect, report, and investigate any breaches.
The GDPR introduces a duty on all organisations to report certain types of data breaches to the ICO and, in some cases, to the individuals themselves.
If there is a data breach you have 72 hours to report it to the ICO.
Failure to report a breach could result in a fine of 4% of your organisation's global annual turnover.
Mandatory in certain circumstances
All your patients (past and present) should be asked to give their explicit consent to receive marketing emails from the organisation.
You must keep a record of consent and be sure to advise people how to opt out or alter their contact preferences.
Always ensure the details are up to date and that only the people who have given consent are on the mailing list.
Don’t forget that even if you are a small practice/organisation these changes apply to everyone.
If you need a dental DBS check (previously known as a CRB check) then Cavity can help you! One of our Cavity representatives can visit your practice at a suitable time to complete all the relevant paperwork.
The CQC state that all clinical staff working within a dental practice will need to obtain an enhanced Disclosure Barring Service (DBS) check. Cavity are now a DBS umbrella company and are able to carry out DBS checks for individuals, groups and practices.
One of Cavity's Managers will visit your practice at a time convenient to you to finalise the relevant documents. Once this has been done, the completed form will be sent off and your DBS certificate will then be sent directly to you in the post. We can carry out a DBS check for the whole of your clinical team or for individual staff members.