Privacy Policy

This Privacy Policy explains how Glasgow Dental Centre collects, uses, stores, shares and protects personal information. It applies to patients, prospective patients, website visitors, staff, contractors, suppliers and other individuals who interact with the Practice.

This notice is designed to comply with the UK General Data Protection Regulation, the Data Protection Act 2018, relevant Information Commissioner’s Office guidance, NHS requirements where applicable, and other legal and regulatory obligations relevant to UK dental practices.

1. Who we are

Glasgow Dental Centre is the Data Controller for the personal information described in this Privacy Policy. This means we are responsible for deciding how and why your personal information is used.

Detail	Information
Practice name	Glasgow Dental Centre
Address	1403 Gallowgate, Glasgow G31 4EU
Telephone	0141 554 6187
Email	info@glasgowdentalcentre.co.uk
ICO registration number	ZB906375
Data Protection Lead	Asad Iqbal, Practice Owner

If you have any questions about this Privacy Policy or how we use your personal information, please contact us using the details above.

The Practice complies with applicable healthcare regulatory and professional requirements, including requirements set by the relevant UK healthcare regulator and the General Dental Council.

2. Personal information we collect

We may collect and process the following types of personal information:

Patient and prospective patient information

• Name, address, date of birth, gender and contact details.
• NHS number or other patient identification number where applicable.
• Appointment details and attendance history.
• Medical history, dental history, treatment records and clinical notes.
• X-rays, scans, photographs, impressions and other clinical images.
• Prescriptions, referrals, laboratory work and correspondence with other healthcare professionals.
• Information about allergies, medication, medical conditions and health needs.
• Payment, billing, insurance, finance or dental plan information.
• Records of complaints, concerns, consent forms and patient communications.
• Emergency contact details where provided.

Health information is classed as special category data and is given extra protection under data protection law. Special category data requires both an Article 6 lawful basis and an Article 9 special category condition, with additional Data Protection Act 2018 conditions where relevant.

Website and enquiry information

• Information submitted through website forms.
• Email address, telephone number and enquiry details.
• IP address and device/browser information.
• Website usage information.
• Cookie preferences and analytics data.
• Marketing preferences where applicable.

Telephone and communication records

We may process records of telephone calls, voicemails, emails, text messages, letters or other communications. Where calls are recorded, this will be made clear at the point of call and the purpose of recording will be explained.

Staff, contractor and supplier information

• Recruitment and employment information.
• Right to work checks and identification documents.
• Payroll, pension, tax and banking details.
• Training, appraisal, disciplinary and absence records.
• Occupational health information where necessary.
• Contractor, supplier and business contact details.
• Invoices, contracts and payment records.

3. How we use your information

We use personal information for the following purposes:

• To provide safe, effective and appropriate dental care.
• To assess your dental and medical needs.
• To arrange appointments and manage treatment plans.
• To maintain accurate patient records.
• To communicate with you about appointments, treatment, payments or queries.
• To process payments, invoices, refunds, finance or dental plan arrangements.
• To make referrals to specialists, hospitals, laboratories or other healthcare providers.
• To comply with NHS, regulatory, professional and legal requirements.
• To respond to complaints, claims, audits, investigations or legal requests.
• To manage staff, recruitment, suppliers and contractors.
• To operate, secure and improve our website, IT systems and services.
• To send marketing communications only where legally permitted.
• To monitor quality, safety, training and clinical governance.

4. Lawful bases for processing

We only use personal information where we have a valid lawful basis under UK data protection law. Depending on the circumstances, we may rely on:

• Contract – where processing is needed to provide dental treatment or services you have requested.
• Legal obligation – where we must process or keep information to comply with the law, regulatory requirements, tax rules, employment law or professional obligations.
• Public task – where we provide NHS treatment or perform functions connected with public healthcare services.
• Legitimate interests – where processing is necessary for the proper management, administration, security and operation of the Practice, provided your rights do not override those interests.
• Consent – where we need your clear permission, for example for certain marketing communications, non-essential cookies, some photographs, or optional uses of information.

We do not rely on consent for all patient care processing. In many healthcare situations, we need to keep and use information because it is necessary for treatment, legal compliance, clinical safety or public healthcare duties. Consent should be specific, informed, clear and separate from general terms.

5. Special category health data

Dental records often include health information, medical history and treatment information. This is special category data under UK GDPR. We process health information where it is necessary for:

• Dental diagnosis and treatment.
• Preventive or occupational medicine.
• Health or social care purposes.
• Clinical governance, quality assurance and patient safety.
• Legal claims or regulatory requirements.
• NHS care and reporting where applicable.
• Public health obligations where applicable.

We apply appropriate confidentiality and security safeguards to health records at all times.

6. NHS and private treatment

The Practice provides mixed NHS and private treatment.

For NHS treatment, we may need to share relevant information with NHS bodies, NHS Scotland bodies, local health boards, payment authorities, regulators and other healthcare organisations where required for treatment, claims, audit, reporting, patient safety or legal obligations.

For private treatment, we may use information to provide treatment, manage fees, communicate with you, process payments, liaise with laboratories or specialists, and meet professional and legal duties.

Whether treatment is NHS or private, we will only use and share information where it is necessary, lawful, proportionate and secure.

7. Children’s data

We process children’s personal information and dental records with particular care.

Where a child is old enough to understand how their information is used, we may explain privacy matters directly to them in clear language. Where appropriate, we may also communicate with parents, guardians or those with parental responsibility.

We may process children’s data for dental care, safeguarding, NHS requirements, legal obligations and communication with parents or guardians. We will only share children’s information where there is a lawful reason to do so, such as providing care, safeguarding the child, complying with the law, or working with other healthcare professionals.

8. How we store and protect information

We use appropriate technical and organisational measures to protect personal information. These may include:

• Secure practice management systems.
• Password protection and access controls.
• Staff confidentiality obligations.
• Staff training.
• Secure backups.
• Encryption where appropriate.
• Audit trails and activity logs.
• Locked storage for paper records.
• Secure disposal of records.
• Data processing agreements with service providers.
• IT security, antivirus and system monitoring.

No system can be guaranteed to be completely secure, but we take reasonable and proportionate steps to protect personal information from loss, misuse, unauthorised access, disclosure, alteration or destruction.

9. Sharing information with third parties

We only share personal information where it is necessary, lawful, proportionate and secure. This may include sharing information with:

• Dentists, hygienists, therapists and other members of the dental team.
• Dental specialists, hospitals, consultants and other healthcare professionals.
• Dental laboratories.
• NHS bodies, NHS Scotland bodies and local health boards where applicable.
• Payment providers, finance providers and dental plan providers.
• Insurance providers where relevant.
• IT, website, cloud hosting, software, email and data storage providers.
• Online booking, reminder, CRM or communication providers.
• Accountants, auditors, legal advisers and professional advisers.
• Regulators, such as the General Dental Council or relevant healthcare regulator.
• Public authorities, safeguarding bodies or law enforcement where required by law.
• Debt recovery providers, only where necessary and lawful.
• Emergency services where necessary.

We do not sell personal information to third parties.

Where we use third-party processors, we expect them to protect personal information and only process it in accordance with our instructions and applicable law.

10. International transfers

Some technology providers, cloud providers, analytics providers or communication systems may process personal information outside the United Kingdom.

Where this happens, we will ensure that appropriate safeguards are in place, such as UK-approved contractual protections, adequacy arrangements or other lawful transfer mechanisms.

11. Cookies, analytics and website use

Our website may use cookies and similar technologies to:

• Make the website function properly.
• Improve performance and security.
• Understand how visitors use the website.
• Support online forms, bookings or enquiries.
• Measure marketing performance where applicable.
• Support advertising or remarketing where consent has been provided.

We may use tools such as:

• Google Analytics.
• Google Ads.
• Google Tag Manager.
• Meta Pixel.
• Online booking systems.
• Live chat tools.
• Cookie consent platforms.
• Website hosting, security and performance tools.
• CRM or enquiry management systems.

Where required, we will ask for your consent before placing non-essential cookies or using analytics or advertising technologies. You can change or withdraw cookie preferences through the website’s cookie settings, where available, or through your browser settings.

Where Google or similar third-party services are used, those providers may process personal data in accordance with their own business, privacy and advertising service policies. For more information about how Google uses and processes data, please refer to Google’s Business Data Responsibility Site.

12. Marketing communications

We may use your contact details to send marketing communications about services, offers, events or updates only where legally permitted.

For email and text marketing to individuals, we will usually rely on your consent unless the limited soft opt-in applies to existing customers.

You can opt out of marketing communications at any time by following the unsubscribe instructions or by contacting us at info@glasgowdentalcentre.co.uk.

We will not use your clinical records for marketing purposes without a clear lawful basis and appropriate safeguards.

13. CCTV

The Practice may use CCTV for safety, security, crime prevention, protection of patients, staff and visitors, and investigation of incidents.

CCTV will not normally be used in areas where individuals would expect a high level of privacy, such as treatment rooms, toilets or changing areas, unless there is an exceptional and lawful reason.

CCTV footage is usually retained for a short period, normally up to 30 days, unless it is required for an incident, investigation, legal claim, safeguarding concern or regulatory matter.

Clear signage will be displayed where CCTV is in operation.

For CCTV-related queries, please contact the Data Protection Lead using the Practice contact details above.

14. Data retention

We keep personal information only for as long as necessary for the purpose it was collected and to meet legal, clinical, regulatory, tax, accounting and professional obligations.

Type of record	Typical retention period
Adult dental clinical records	Normally 11 years after the last entry.
Children’s dental records	Normally until the patient reaches age 25, or 11 years after the last entry, whichever is longer.
NHS records	In line with NHS records management requirements.
Complaints records	Usually at least 10 years, depending on the nature of the complaint.
Financial, tax and accounting records	Usually 6 years.
Staff employment records	Usually 6 years after employment ends, subject to legal requirements.
Recruitment records for unsuccessful applicants	Usually 6-12 months unless a longer period is justified.
Supplier and contractor records	Usually 6 years after the relationship ends.
Website enquiry records	Only as long as needed to respond and manage the enquiry.
Marketing preferences	Until you withdraw consent or opt out, plus suppression records to ensure we respect your choice.
CCTV footage, where used	Usually up to 30 days unless required for an incident or investigation.

Records may be kept longer where required for legal claims, regulatory investigations, safeguarding, clinical safety, public inquiries or other lawful reasons.

15. Your data protection rights

Subject to legal limits, you have the following rights:

• The right to access your personal information.
• The right to request correction of inaccurate or incomplete information.
• The right to request erasure of information in certain circumstances.
• The right to request restriction of processing in certain circumstances.
• The right to object to processing in certain circumstances.
• The right to data portability where applicable.
• The right to withdraw consent where processing is based on consent.
• Rights relating to automated decision-making and profiling.

These rights are not absolute. For example, we may need to retain dental records where required for clinical, legal, regulatory or professional reasons.

To exercise your rights, please contact:

We may need to verify your identity before responding.

16. Subject access requests

You have the right to request a copy of personal information we hold about you. This is known as a Subject Access Request, or SAR.

You can make a SAR verbally or in writing. We will usually respond without delay and within one month. In most circumstances, we cannot charge a fee.

We may extend the response period where a request is complex, but we will tell you if this applies. We may refuse or charge a reasonable fee for requests that are manifestly unfounded or excessive, where permitted by law.

To make a Subject Access Request, please contact:

17. Accuracy of information

Please tell us if your personal information changes, such as your address, telephone number, email address, medical history, medication or GP details. Keeping accurate records helps us provide safe and effective care.

18. Automated decision-making and profiling

We do not normally make decisions about patients based solely on automated processing where the decision would have a legal or similarly significant effect.

If this changes, we will update this Privacy Policy and explain the logic involved, the significance of the processing and your rights.

19. Complaints

If you are concerned about how we use your personal information, please contact us first so we can try to resolve the matter.

You also have the right to complain to the Information Commissioner’s Office:

20. Updates to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, systems, legal obligations or regulatory guidance. The latest version will be published on our website and/or made available at the Practice.

“`