Data Protection Policy Kinsale Dental
Kinsale Dental, as a Data Controller, is required by law to comply with the following Irish
legislation relating to the processing of Personal Data:
• The Data Protection Act 1988 (The Principal Act) and
• The Data Protection (Amendment) Act 2003
This is Kinsale Dental’s Policy in response to the requirements of the Data Protection Acts. In order to carry out its statutory and administrative functions, Kinsale Dental needs to collect and process personal information relating to many categories of people, which include patients, customers, suppliers, contractors, associates and staff of Kinsale Dental.
The Practice takes the confidentiality of all personal information exceptionally seriously, and thus takes all reasonable steps to comply with the principles of the Data Protection Acts. Kinsale Dental aims to collect personal information only in order to meet specific legitimate purposes, and to retain that information only for as long as those purposes remain valid.
Kinsale Dental is committed to ensuring that all employees, agents, contractors and data processors comply with the Data Protection Acts regarding:
• the processing and confidentiality of any personal data held by Kinsale Dental and
• the privacy rights of individuals under the legislation.
Data Protection Principles
To comply with the law, information (as defined by the Data Protection Acts) must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
To do this, Kinsale Dental complies with the following eight Data Protection Principles or
Obligations:
• We ensure that the processing of information is fair and lawful; The Data is
obtained and processed fairly and lawfully and only when certain conditions are
met.
• Keep it only for one or more specific, explicit and lawful purposes; The Data can only be obtained for specified, lawful and clearly defined purposes.
• Used and disclosed only in ways compatible with these purposes.
• Keep it safe and secure: The Data is kept safe and secure. Kinsale Dental, as the Data Controller, is responsible for applying adequate security structures to prevent unlawful or inadvertent processing, alteration or loss of the data.
• Information is kept accurate, complete and up-to-date;
• Information is adequate, relevant, and limited to what is necessary;
• Retain for no longer than is required;
• Provide a copy of personal data on request; The person to whom the information relates has a Right of Access. The Controller must store and maintain the data in such a manner as to be able to respond to a Subject Access Request in a timely manner.
Disclosure of Personal Data:
The legislation recognises two categories of Personal Data –
• ‘Ordinary’ Personal Data such as name, address, mobile phone number, car
registration, PPS Number.
• Sensitive Personal Data, which is more deeply personal to an individual, such as their racial or ethnic background, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, the (alleged) commission of any offence, subsequent proceedings or sentence.
Using Customer Consent as Grounds of Processing Data:
• Consent must be ‘freely given, specific, informed and unambiguous’.
• Data contributors must know exactly what they are consenting to, and there can be no doubt that they are consenting.
• Obtaining consent requires a positive indication of agreement – it cannot be
inferred from silence, pre-ticked boxes or inactivity.
• If consent is the legal basis relied upon to process personal data, we at Kinsale Dental ensure it will meet the standards required by the GDPR.
• Individuals are informed in advance of their right to withdraw consent.
• It is the responsibility of Kinsale Dental to verify that consent was indeed given, which
Kinsale Dental complies with by keeping a written record of all consents given.
• The GDPR introduces special protections for children’s data, particularly in the
context of social media and commercial internet services. At Kinsale Dental, we
have systems in place to verify individuals’ ages, and a consent form for parents.
• The legislation applies equally to automated and manual data, i.e. data held or
processed on a computer, or data held in ‘hard copy’, stored in a relevant filing
system.
All Data Processors have an individual obligation to ensure that they adhere to Kinsale Dental’s Data Protection Policy.
Summary of Responsibilities:
• All personal data being processed within Kinsale Dental complies with the Data
Protection Acts and Kinsale Dental’s Data Protection Policy.
• All contractors, agents and other non-permanent staff used by Kinsale Dental are aware of, and comply with, the Data Protection Act.
• All personal data held within Kinsale Dental is kept securely, and is disposed of in a safe and secure manner when no longer needed.
Responsibilities of Staff, Contractors and Associates
Staff, contractors and associates must ensure that:
• Personal data which is provided in connection with their employment is accurate and up-to-date, and that they inform Kinsale Dental of any errors, corrections or changes to their personal circumstances, i.e. change of address, contact phone number etc.
• Personal data relating to active individuals, which they hold or process, is kept
securely;
• Personal data relating to active individuals is not disclosed, either orally or in
writing, accidentally or otherwise, to any unauthorised third party.
• Where it is necessary for external support systems to access our internal systems,
Kinsale Dental can confirm that all external support agencies comply with GDPR.
Rights under the Acts (1988 & 2003)
The Data Subject is entitled to:
• Access to a copy of any data held by Kinsale Dental which relates to them;
• Request that any inaccurate data held by Kinsale Dental is corrected or erased;
• Object to the processing of their personal data for the purposes of Direct
Marketing;
• Restrict the processing of personal data, including automated decision-making;
• Object to data portability;
CCTV at Kinsale Dental:
Kinsale Dental has closed circuit television cameras (CCTV) located throughout the surgery covering surgeries, offices and internal space. Whilst CCTV footage is monitored by Kinsale Dental, access to recorded material is strictly limited to authorised personnel.
The images captured are retained for between 20 and 60 days, depending on activity levels, except when the images identify an issue and are retained specifically in the context of an investigation of that issue. CCTV footage may be entered as evidence in the event of disciplinary proceedings involving staff, customers, suppliers, contractors and associates. CCTV footage is not disclosed to any third party except An Garda Síochána in the case of a disclosure pursuant to Section 8 of the Data Protection Act 1988 (i.e. where it is required for the purpose of preventing, detecting or investigating alleged offences). A full list of camera locations is available on request from Kinsale Dental.
This Policy document will be reviewed regularly and updated as appropriate in line with any legislative or other relevant development.
Definitions:
Data: Information which is being used or held in a computerised system, or a ‘relevant filing system’ i.e. a manual filing system that is structured in such a way that data contained within it is readily accessible. Data can be written information, photographs, photos, or voice recordings.
Personal Data: Information that identifies and relates to an active individual. Personal data could be contact details, date of birth, qualifications, PPSN or anything pertaining to the individual. It is something that affects that person’s privacy (to include their personal/ family life or business/professional capacity) in the sense that the information identifies that person – by itself or with other information.
Personal data shall not be processed unless at least one of the following conditions is met;
• The consent of the individual.
• The performance of a contract with the individual.
• A requirement under a legal obligation.
• The protection of the individual’s vital interests.
• The processing is necessary –
(i) for the administration of justice,
(ii) for the performance of a function conferred on a person by or under an enactment,
(iii) for the performance of a function of the Government or a Minister of the Government,
(iv) for the performance of any other function of a public nature performed in the public interest by a person,
• The processing is necessary for the purposes of the legitimate interests pursued by Kinsale Dental or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
Sensitive Personal Data: Sensitive personal data is defined as information relating to an individual’s:
• Racial or ethnic origin
• Political opinions
• Religious beliefs or beliefs of a similar nature
• Membership of a trade union
• Physical or mental health or condition
• Sexual life
• Commission or alleged commission of an offence
• Proceedings for any offence or alleged offence, or sentence of court.
Sensitive personal data shall not be processed unless at least one of the conditions detailed in respect of personal data is met and at least one of the following conditions is also met:
• The explicit consent of the individual.
• A legal obligation in the context of employment.
• The protection of the vital interests of the individual.
• The processing is carried out in the course of the legitimate activities by any
body corporate, or unincorporated body of persons, that –
(A) is not established, and whose activities are not carried on for profit, and
(B) exists for political, philosophical, religious or trade union purposes.
• The information has been made public by the individual.
• The information is required in connection with legal proceedings.
• The information is required for medical purposes.
Processing: Anything which can be done with personal data i.e. obtaining, recording, holding, organising, adapting, altering, retrieving, consulting, disclosing, aligning, combining, blocking, erasing, destroying etc.
Data Subject: An individual who is the subject of personal data. This will include: staff, customers, suppliers of goods and services, and business associates.
Data Controller: If your organisation controls and is responsible for the personal data which it holds, then your organisation is a data controller.
Data Processor: If you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a “data processor”. An employee of a data controller, or a section or unit within a company which is processing personal data for the company as a whole, is not a “data processor”.
Recipient: Any person or organisation to which personal data is disclosed.