British Dental Institute is committed to complying with the Data Protection Act 2020 (DPA), the General Data Protection Regulation (GDPR), GDC, NHS and other data protection requirements relating to our work. We only keep relevant information about staff and students for the purposes of employment, research and education. This policy should be read in conjunction with Data Protection Overview and the other related policies and procedures at the end of this policy. All data protection and information security policies procedures and risk assessments are reviewed annually.
The person responsible for data protection and information security is the Programme Co-ordinator. Our lawful bases for processing your personal data are listed in our Privacy Notice.
Consent British Dental Institute offers its staff and students real choice and control. Our consent procedures put individuals in charge to build trust and engagement. Our consent for marketing requires a positive opt-in, we don’t use pre-ticked boxes or any other method of default consent. We make it easy for people to withdraw consent, tell them how to and keep contemporaneous evidence of consent. Consent to marketing is never a precondition of a service.
Sharing Personal Date with Third-party
Personal data may be passed onto third-party service providers contracted to the British Dental Institute. All such parties are required to keep your data securely, and to only use them to fulfil the services they provide on our behalf. British Dental Institute shares personal data, subject to the options chosen by the delegate. Such examples are given below:
· Payment
o Financial Conduct Authority (FCA) regulated providers, where a finance option has been taken out,
o Direct Debit Administrators in case the delegate chooses staged payment options
· Registration with awarding body
British Dental Institute may disclose your personal information to third parties:
1. in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
2. if British Dental Institute, or substantially all its assets, are acquired by a third party, in which case personal data held by it about its delegates/staff will be one of the transferred assets;
3. if we are under a duty to disclose or share your personal data to comply with any legal obligation, or to enforce or apply our Website Terms of Use or other agreements, or to protect the rights, property, or safety of British Dental Institute, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk protection.
We will not otherwise pass on your personal data to third parties.
Data protection officer (DPO)
Our DPO is the Programme Co-ordinator.
The Data Protection Officer has primary responsibility for British Dental Institute’s compliance with the DPA. This comprises:
· maintaining British Dental Institute’s notification with the Information Commissioner’s Office
· ensuring completion of the Annual Survey of Personal Data Holdings
· handling subject access requests and requests from third parties for personal data
· promoting and maintaining awareness of the DPA and regulations, including training
· investigating losses and unauthorised disclosures of personal data.
Pseudonymisation Pseudonymisation means transforming personal data so that it cannot be attributed to an individual unless there is additional information.
· Pseudonymisation – the data can be tracked back to the original data subject
· Anonymisation – that data cannot be tracked back to the original data subject
Examples of pseudonymisation we use are:
· We never identify learners in research, learner feedback reports or other publicly available information
· When we store and transmit electronic data it is encrypted and the encryption key is kept separate from the data
Data breaches
We report certain types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. If the breach results in a high risk of adversely affecting individuals’ rights and freedoms we also inform those individuals without undue delay. We keep contemporaneous records of any personal data breaches, whether or not we need to notify.
Right to be informed
We provide ‘fair processing information’, through our Privacy Notice, which provide transparency about how we use personal data.
Your data rights
Right of Access
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing. If an individual contacts the Academy to access their data they will be provided with, as requested:
· Confirmation that their data is being processed
· Access to their personal data
· Any other supplementary information about your rights as found below and in our Privacy Notices
Right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The Institute will delete personal data on request of an individual where there is no compelling reason for its continued processing. If the individual is or has been a delegate, the records will be retained per the retention periods (see below) and after such periods can be deleted upon request.
In line with GDC standards British Dental Institute will retain delegate data for a duration of 10-year after completion of a programme.
In line with legal requirements British Dental Institute will retain learner data for 11-year duration.
Right of rectification
Individuals have the right to have personal data rectified if it is inaccurate or incomplete.
Right to restriction
Individuals have a right to ‘block’ or suppress the processing of their personal data. If requested we will store their personal data, but stop processing it. We will retain just enough information about the individual to ensure that the restriction is respected in the future.
Right to object
Individuals have the right to object to direct marketing and processing for purposes of scientific research and statistics.
Data portability
An individual can request the practice to transfer their data in electronic or another format.
Privacy by design
We implement technical and organisational measures to integrate data protection into our processing activities. Our data protection and information governance management systems and procedures take Privacy by design as their core attribute to promote privacy and data compliance.
Records We keep records of processing activities for future reference.
Privacy impact assessment
To identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy we review our Privacy Impact Assessment annually.
Information security
Information Governance Procedures includes the following information security procedures:
· Team members and Students follow the ‘Confidentiality Code of Conduct’, which clarifies their legal duty to maintain confidentiality, to protect personal information and provides guidance on how and when personal or special category data can be disclosed
· How to manage a data breach, including reporting
· A comprehensive set of procedures, risk assessments and activities to prevent the data we hold being accidentally or deliberately compromised and to respond to a breach in a timely manner
· The requirements and responsibilities if team members use personal equipment such as computer, laptop, tablet or mobile phone for practice business
Regular review
This policy and the data protection and information governance procedures it relates to are reviewed annually.
We reserve the right to change this privacy policy in the future and any changes will be posted to our Website and, where appropriate, sent to you by e-mail notification.
Further information
Information Commissioner www.ico.org.uk
EU – US Privacy Shield www.privacyshield.gov
British Dental Institute
Copyright © 2022 British Dental Institute - All Rights Reserved.