Smilepod GDPR policy

Smilepod GDPR
Data Protection Policy
Version 2 – updated 26th April 2019 (key changes: 0)

SECTION 3 – Scope

3.1. Inclusions:
This policy applies to the following groups at Smilepod:
• All permanent staff, temporary staff, contractors and any suppliers of data services.
The geographies covered by this policy are the territorial United Kingdom. The key organisation areas impacted by this policy are:
• Clinical (Dentists, Hygienists and Nurses).
• Administrative (Reception Staff).
• Technical (IT Support and Projects).
• Senior Management.
• Marketing and PR.
• Legal and Finance staff / contractors.

The key processes and procedures of the organisation impacted by this policy are:
• Patient History data gathering (both electronic and paper based).
• Patient Treatment Plans (both electronic and paper based).
• OPG and medical imaging data.
• General data protection.
• Information security.
• Marketing.
• Customer service etc.

The key stakeholders of the organisation impacted by this policy are:
• Clinical staff (Dentists, Hygienists and Nurses).
• Patients.
• The Board of Directors and Senior Management.
• Permanent staff, temporary staff, contractors, consultants and partners working with Smilepod.
• Shareholders.

3.2. Exclusions:
This policy does not cover the following aspects, which are covered in other policies and should be read in conjunction with this policy:
• Clinical Policies.
• Specific and detailed information security policies such as:

o Password policy
o Email policy
o Internet usage policy
o Information classification policy
o Cryptographic controls policy
o Backup policy
o Mobile and remote working policy
o Public wi-fi policy
o Equipment Disposal and destruction policy
• Marketing Policies.

SECTION 4 – Purpose

This data protection policy is important to Smilepod. Smilepod is committed to collecting, managing and storing data on its patients and data subjects in a transparent manner that ensures the data is safe and protected and causes no detriment to patients or data subjects.
Smilepod understands the importance of designing its products and services in a way that assures its patients’ and data subjects’ privacy and makes them ‘private by default’. It also understands the importance of ensuring that data subjects and customers have effective access to their data and can easily and simply request that their data be amended or erased where it is incorrect or has been inappropriately collected, managed or stored.
This data protection policy is consistent with Smilepod’s business objectives and planned corporate strategies. Furthermore, this data protection policy is written to be compliant with the General Data Protection Regulation (GDPR). Its purpose is to ensure that all Smilepod stakeholders have a usable reference guide to help direct their attitudes and behaviours in relation to the proper collection, management and storage of data as laid out in the DPA and GDPR. It builds specifically on the eight data principles listed in the DPA and the subsequent guidance detailed in the GDPR.
The outcome that this policy is designed to foster is the safe, transparent and effective collection, management and storage of data to ensure the risk of customer and/or data subject detriment is minimised in all of Smilepod’s services, products and activities.

SECTION 5 – Policy Statement

This data protection policy is a key reference document for all Smilepod staff and key stakeholders. Collecting, managing and storing personal data in a transparent, safe and effective manner is of real importance to Smilepod.

Smilepod wishes to ensure that it is effectively collecting and protecting customer and data subject data in a manner that minimises the risk of detriment to those parties.

Smilepod wishes to ensure that its staff and key stakeholders have access to this policy and have read and understood its contents and requirements. This is important to Smilepod as it expects all of its stakeholders to comply with the policy and its guidelines.

Smilepod is committed to developing effective data protection processes and procedures to enact the ethos and standards contained within this policy.

Smilepod is committed to ensuring that its staff and key stakeholders are appropriately informed of and trained in the data protection activities associated with this policy.

Smilepod is committed to identifying, reporting and remediating any significant breaches to this policy to the data compliance team, the board and any external regulators as detailed in the guidelines within this policy.

Smilepod will not tolerate a failure to abide by this policy and will take management action against those who fail to follow this policy and its guidelines.

SECTION 6 – Policy Standards

This Smilepod data protection policy has the following key policy standards.

6.1 Governance:

Smilepod commits to put in place effective governance arrangements to ensure the management of data protection activities. These include:

6.1.1 – Discussion of Smilepod data protection activities at board level on a monthly basis.

6.1.2 – If required by regulation, and/or deemed useful by the Board, Smilepod will appoint a data protection officer and establish their standing and reporting arrangements in line with the GDPR requirements – specifically, that they are able to report directly to the Board with independence.

6.1.3 – The development of, and approval by the Board of, a Smilepod data protection policy and associated processes that comply with the GDPR.

6.1.4 – The set-up and support of a suitable data compliance team to monitor data protection activities and report on compliance with the GDPR to the Board and, if necessary following a significant breach, to the ICO, affected individuals and other regulatory authorities within the timeframe specified in the GDPR.

6.2 New Staff (General)

Smilepod commits to provide new staff and stakeholders who are not directly handling personal data with access to the data protection policy and associated training within one month of joining the firm.

6.3 Existing Staff (General)

Smilepod commits to provide existing staff and stakeholders who are not directly handling personal data with access to the data protection policy and associated recap training annually.

6.4 New Staff (Data Handlers)

Smilepod commits to provide new staff and stakeholders who are directly handling personal data with access to the data protection policy and associated training before they handle any client data.

6.5 Data Protection Impact Assessments

Where there is a possibility that Smilepod will be engaging in a potentially high-risk data processing activity (see GDPR guidelines) then Smilepod commits to undertake a data protection impact assessment (DPIA).

6.6 Lawful Basis

Smilepod also commits to reviewing, approving and documenting its ‘lawful basis’ for collecting data prior to collecting or processing new data sets.

6.7 Purpose

Smilepod commits to only using the data it collects from data subjects for the purpose(s) it was collected. Further consent will be sought if the data is to be used in a different manner.

6.8 Rights

Smilepod commits to respecting the rights of individuals in relation to the protection of their data as detailed in the GDPR and including:

6.8.1 – The right to be informed: Smilepod, when collecting data, commits to inform individuals of the following:

6.8.1.1 – The firm’s identity
6.8.1.2 – How the firm will use the information
6.8.1.3 – The lawful basis under which the data is being collected
6.8.1.4 – The duration the data will be retained for
6.8.1.5 – The individuals’ right to and process for complaining to ICO

6.8.2 – The right of access: Smilepod commits to respond to subject access requests:

6.8.2.1 – Within one month of receiving a request
6.8.2.2 – Without charge unless the request is manifestly unfounded or excessive
6.8.2.3 – Without refusal unless a clear and compelling reason for the refusal can be provided and details of the process for complaining are provided with the refusal.

6.8.3 – The right to rectification: Smilepod commits to rectify any errant information within one month of it being acknowledged as errant by Smilepod.

6.8.4 – The right to erasure: Smilepod commits to erase any unwarranted information that it holds within one month of it being acknowledged as unwarranted by Smilepod.

6.8.5 – The right to restrict processing: Smilepod commits to restrict the processing of any information within one month of it being acknowledged as necessary to do so by Smilepod.

6.8.6 – The right to data portability: Smilepod commits to provide requested personal data in a structured, commonly used and ‘machine readable’ form.

6.8.7 – The right to object: Smilepod commits to ensure that all individuals are provided with details about how to register a complaint with the ICO at the time a complaint is raised.

6.8.8 – Rights in relation to automated decision making and profiling: Smilepod commits to ensure that individuals’ data is not used to make automated decisions or complete individual profiling without explicit consent.

6.9 Consent

Smilepod commits to ensure that all data is collected with appropriate consent. Specifically that when data is collected the consent obtained is:

6.9.1 – Specific and granular in nature
6.9.2 – Clearly articulated in plain English
6.9.3 – Prominent within the collection process and documentation
6.9.4 – Requires the individual giving consent to opt in
6.9.5 – Properly documented and stored
6.9.6 – Easily withdrawn
6.9.7 – Not gained from children under the age of 16 who do not have the ability to give informed consent without the consent of a parent or guardian

6.10 Duration:

Smilepod commits to keeping its data in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

6.11 Quality:

Smilepod commits to keep its data accurate and up to date and will take reasonable steps to ensure that personal data that is inaccurate with regard to the purposes for which it is processed, is erased or rectified within one month of being recognised as such.

6.12 Information Security:

Smilepod commits to ensure the appropriate security of the personal data it collects, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures. A number of these are detailed in separate information security policies.

6.13 International Data:

Smilepod commits to the guidelines provided in the GDPR and the DPA with regard to sharing data internationally and recognises that the level of protection afforded by the GDPR must not be undermined if any personal data is transferred outside of the European Union.

SECTION 7 – Policy Controls & Processes

7.1. Monitoring Structure

7.1.1 – It is the responsibility of the first line of defense (Clinical and Reception staff) to ensure that it is enacting and following the policy guidelines and meeting the policy standards.

7.1.2 – It is also the responsibility of the first line of defense (Clinical and Reception staff) to raise and report any breaches to the operation or application of the policy to the Senior Management Team and the Board of Directors.

7.1.3 – To support the first line of defense (Clinical and Reception staff) the Senior Management Team (the second line of defense) will carry out additional monitoring activities on both a scheduled and unscheduled basis:

7.1.3.1 – The scheduled monitoring will take place on a monthly and annual basis and will involve regular site checks to ensure that all data protection policies are being formally followed across all Smilepod sites. These activities will review the work of the first line of defense and will be supplemented by further monitoring, scheduled or unscheduled, as required.

7.1.3.2 – The unscheduled monitoring is likely to be triggered by a specific incident (e.g. a specific breach) and will review and assess compliance with any relevant aspects of the data protection policy or process.

7.2. Reporting Procedures

Smilepod takes very seriously the reporting of management information in relation to the carrying out of its data protection activities. In particular, it is very aware of the need to report significant breaches of the regulations to the ICO, and is committed to doing so as soon as possible after the breach has come to the attention of the Senior Management Team and Board of Directors. All breaches should be reported to Senior Management immediately.

Smilepod also acknowledges that on occasion it may need to inform data subjects if they are impacted by a data breach, and Smilepod is committed to ensuring it has the procedures in place to carry this out if required.

Smilepod expects that, in addition to the normal flow of management information (detailing any data related risks and issues) from the business areas handling data, Smilepod’s Board of Directors will receive a quarterly report from the Senior Management Team detailing the risks and issues identified by the monitoring it has completed in relation to Smilepod’s data protection activities.

7.3. Policy Communication and Training

This data protection policy is stored in the Site CQC file that each Smilepod location maintains and can be accessed by all key stakeholders, either directly or on request to the manager responsible for each Smilepod Studio.

In addition to the initial post-recruitment training provided by Smilepod to all staff and the additional training provided to those staff handling data, Smilepod commits to provide annual refresher training in data protection for all its staff and further commits to keep key stakeholders informed of (and if necessary trained in) any changes made to the data protection policy. The Senior Management Team will be asked to provide evidence of the quality and coverage of the requisite training as part of its reports to the Board.

SECTION 8 – Policy Review & Update Process

Events that will trigger a policy review:

Standard Triggers:
• Calendar-based, annual review.
• Business change-based e.g. changes to business strategy or policies that relate to this policy.

Emergency Triggers:
• Incident-based e.g. as a result of identifying a major issue, either during the monitoring process or as the result of an incident or breach that is the outcome of a weakness in the policy.
• Regulatory-based e.g. as a result of the implementation of new regulation.
• Customer sensitivity-based e.g. as a result of changing customer perceptions that may require the policy to drive different outcomes or behaviours.

SECTION 9 – Definitions & Glossary

This section itemises a list of the key technical terms used within this policy document and provides a simple explanation of their meaning:

Board of Directors:
The team directly responsible to the Shareholders for the executive operations of the company.

Breach Management Policy:
The process that Smilepod implements when a data loss occurs.

Business Team:
Any specific function, department or division within the organisation that has ‘first line’ responsibilities (Site Managers, Dentists and Nurses) for handling data and ensuring compliance with data protection regulations.

Business Manager:
The individual who heads up a business team, or in Smilepod terms a Site Manager.

Controller:
A person or an organisation who determines the purposes and means of the processing of personal data. The processing may be carried out jointly or in common with other persons.

Data Compliance Team:
The individual or team who determines the purposes and means of the process by which the organisation’s business teams comply with the data protection regulations.

Data Protection Impact Assessment (DPIA):
The assessment required to be carried out by the organisation if its planned data collection/processing activity carries an inflated risk of detriment to customers or data subjects. See GDPR legislation for specific risk triggers.

Data Protection Officer:
An individual who has responsibility for informing and advising the firm and its employees about their obligations to comply with the GDPR and other data protection requirements; monitoring compliance with the GDPR; and acting as the first point of contact for supervisory authorities.

Data Services:
Services related to the collection, management, processing or storing of data.

Data Subject:
An identified or identifiable natural person to whom data collected, stored or processed refers.

First Line of Defense:
A term that derives from the three lines of defense model where the first line of defense is the business, the second is the compliance function and the third is the audit function and board.

Information Security Policies:
The specific policies that relate directly to the securing and storage of data by the organisation.

Policy:
This specific data protection policy.

Policy Owner:
The individual responsible for the development and maintenance of the policy.

Policy Writer:
The individual responsible for drafting and updating the policy.

Processor:
A person or an organisation that processes data on behalf of the controller.

Personal Data:
Information relating to an identified or identifiable person (data subject). An identifiable person is one who can be identified directly or indirectly in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.

Special Categories of Personal Data:
Article 9 of the GDPR sets out special categories of personal data. The processing of such personal data (which includes a) racial or ethnic origin; b) political opinions; c) religious or philosophical beliefs; and d) trade union membership) is prohibited, except where the data subject has given their explicit consent or in other limited circumstances set out in Article 9.

SECTION 10 – Further Associated Reading

None specified or defined.

SECTION 11 – Associated Documents Table

Associated documents will include related policies, processes, how to guides and procedures. None are currently listed.

Document reference | Document Name                      | Hyperlink | Stored location
–                  | Data Protection Act                | –         | –
–                  | General Data Protection Regulation | –         | –
–                  | General TCF GDPR guidance          | –         | –
