Confidentiality policy


The Practice is aware of its obligations regarding protection of data as governed by the General Data Protection Regulation 2018 (GDPR), which applies to manually recorded as well as printed data. We need to keep comprehensive and accurate personal data about our employees and our patients in order to provide safe and appropriate dental care. We also need to process personal data in order to provide care under NHS arrangements. This document sets out our policy for maintaining confidentiality, and all members of the practice must comply with these safeguards as part of their contract of employment in accordance with the GDPR.


If confidentiality is breached, it is the patient’s dentist who is responsible to the General Dental Council. An enrolled hygienist whose act or omission has breached confidentiality may also be called before the council.



Employees may be required to give certain information relating to themselves in order that the Practice may properly carry out its duties, rights and obligations as an employer. Such information will be processed and controlled principally for personnel, administrative and payroll purposes.


In order to provide a high standard of dental care and attention we need to hold certain personal information about our patients. This personal data comprises:

  • Personal details such as age, address, telephone number(s), email address and general medical practitioner;
  • Past and current medical and dental condition;
  • Radiographs, clinical photographs and study models;
  • Information that the individual is or has been a patient of the practice and attended, cancelled or failed to attend an appointment on a certain day;
  • Information about treatment that we have provided or propose to provide and its cost;
  • The amount paid for treatment, the amount owing or the fact that the patient is a debtor to the practice;
  • Credit/debit card receipts;
  • Notes of conversations/incidents that might have occurred for which a record needs to be kept;
  • Records of consent to treatment;
  • Any correspondence relating to patients to/from other healthcare professionals, e.g. in the hospital or community services.


Personal information about a patient:

  • Is confidential in respect of that patient and to those providing the patient with health care,
  • Should only be disclosed to those who would be unable to provide effective care and treatment without that information (the need to know concept)
  • Should not be disclosed to third parties without the consent of the patient except in certain circumstances described in this policy

Data processing

The term ‘processing’ may include the Practice obtaining, storing or holding the information or data or carrying out any set of procedures on the information or data, including organising, altering, retrieving, consulting, using, disclosing or destroying the information or data. The practice will adopt appropriate technical and organisational measures to prevent unauthorised or unlawful access to, processing or disclosure of the information.

We will process personal data that we hold about patients in the following way:

  • We will retain patients’ dental records while they are attendees at the practice and for at least eleven years after they cease to be a patient or, for children, until the age of 25, whichever is the longer
  • Personal data is held in the practice’s computer system and/or in a manual filing system. The information is not accessible to the public and only authorised members of staff have access to it
  • Credit/debit card receipts will be retained for a minimum of 18 months after the transaction
  • Disposal of out-of-date records will be by shredding

Disclosure of information

There are certain restricted circumstances where the wider public interest outweighs the rights of the patient to confidentiality. This might include cases where disclosure would prevent a serious future risk to the public or assist in the prevention or prosecution of serious crime.

Disclosures can be made:

  • Where the patient has expressly given consent to the disclosure
  • Where disclosure is required by statute or is ordered by a court of law
  • Where disclosure is necessary for a dentist to pursue a bona fide legal claim against a patient, when a solicitor, court or debt collecting agency may be necessary
  • Where information may need to be disclosed to third party organisations to ensure the provision of care and the proper functioning of the NHS:
      • NHS payment authorities,
      • The Benefits Agency, where exemption from NHS charges is claimed,
      • Private dental schemes of which the patient is a member;

  • Where disclosure is necessary for the purpose of enabling someone else to provide health care to the patient and the patient has consented to this sharing of information. In order to provide proper and safe dental care, we may need to disclose personal information to:
      • A general medical practitioner
      • A hospital or the community dental services
      • Other healthcare professionals

Disclosure will take place on a ‘need to know’ basis. Only that information that the recipient needs to know will be disclosed and the personnel concerned are covered by the same strict confidentiality rules.


Employees have the right to have access to information held about them and to have that information amended or deleted where appropriate.

Patients have the right of access to their health records held on paper or on computer. A request from a patient to see records or for a copy must be referred to their dentist. Access may be obtained by making a request in writing and the payment of a fee for access of £10. We will provide a copy of the record within 40 days of the request together with an explanation of the record should it be required.

The fact that patients have a right of access to their records makes it essential that information is properly recorded. Records must be:

  • Contemporaneous and dated
  • Complete
  • Legible
  • Honest
  • Accurate and comprehensive
  • Attributable
  • Comprehensive
  • Strictly necessary for the purpose
  • Such that disclosure to the patient would be unproblematic

Any patient not wishing personal data held about them to be disclosed or used in the way that is described in the Code of Practice should discuss the matter with their dentist. They have the right to object, but this may affect our ability to provide them with dental care.

Practical Rules

The principles of confidentiality give rise to a number of practice rules that everyone in the practice must abide by:

  • Records must be kept secure and in a location where it is not possible for other patients or individuals to read them
  • Identifiable information about patients should not be discussed with anyone outside the practice, including relatives or family
  • A school should not be given information about whether a child attended for an appointment on a particular day. It should be suggested that the child is asked to obtain the dentist’s signature on his/her appointment card to signify attendance.
  • Demonstration of the practice’s administration/computer system should not involve actual patient information
  • When talking to a patient on the telephone or in person in a public area, care should be taken that sensitive information is not overheard by other patients
  • Information about a patient’s appointment record should not be provided to an employer.
  • Messages about a patient’s care should not be left with third parties or on an answering machine. A message to call the practice is all that can be left
  • Appointment recalls and reminders and other personal information must be sent in a sealed envelope
  • Disclosure of appointment books, record cards or other information should not be made to police officers or Inland Revenue officials unless on the instructions of the dentist
  • Patients should not be able to see information contained in appointment books or on computer screens
  • Discussions about patients should not take place in the practice’s public areas

Disciplinary Action

If, after investigation, a member of staff is found to have breached confidentiality or this policy, he/she shall be liable to summary dismissal in accordance with the practice’s disciplinary policy.


These guidelines have been approved by the undersigned and will be reviewed on an annual basis.

Name: L Goodrick
Date approved: 16/05/2019
Review Date: May 2020

Related Policies
Information Security Policy
Information Governance Legal Compliance Policy
Freedom of Information Publication
Information Governance Policy