Sandstone Dental Practice
Data Protection Privacy Notice for Patients
| Date of policy review: | 27.04.2026 |
| Date of next planned review: | 27.04.2027 |
| Version: | 3.0 |
Introduction
In providing your dental care and treatment, we ask for information about you and your health. Occasionally, we receive information from other providers who have been involved in your care. This privacy notice describes the personal information we hold, why we hold it, what we do with it, and the third-party services we use to provide your care.
This notice was last updated in [date] to reflect changes in the third-party services we use, including new tools to support clinical record-keeping. We will continue to review this notice as our processes evolve and as guidance from regulators and professional bodies develops.
1. About us
We are The Sandstone Dental Practice, operating at 102 Telegraph Road, Heswall CH60 0AQ.
Data Controller: Professor Fadi Jarad, Practice Principal, is the registered Data Controller for the practice.
Practice Manager: Jenny Fearns is responsible for the day-to-day handling of data protection enquiries and Subject Access Requests, and can be contacted at management@sandstonedental.co.uk.
ICO registration: ZA231507
The management team are responsible for keeping your information secure. Those at the practice who have access to your information include dentists and other dental professionals involved with your care and treatment, the nursing team, and the reception and administrative staff responsible for the management and administration of the practice.
2. Information we hold
We can only keep and use information for specific reasons set out in the law. If we want to keep and use information about your health, we can only do so in particular circumstances. Below, we describe the information we hold, why, and the lawful basis for collecting and using it.
Contact details
We hold personal information about you, including your name, date of birth, address, telephone number, and email address. This information allows us to fulfil our contract with you to provide appointments. We also use this information to send you reminders, recall appointments, letters, and emails about your care, in line with our legitimate interest in ensuring continuity of your care and informing you about our services.
Dental records
We hold information about your dental and general health, including:
- Clinical records made by dentists and other dental professionals involved with your care and treatment.
- X-rays, clinical photographs, digital scans of your mouth and teeth, and study models.
- Medical and dental histories.
- Treatment plans and consent.
- Notes of conversations with you about your care, including notes generated with the help of AI tools (see Section 4).
- Dates of your appointments.
- Details of any complaints you have made and how those complaints were dealt with.
- Correspondence with you and with other health professionals or institutions.
We collect and use this information to fulfil our contract with you to discuss treatment options and provide dental care that meets your needs. We also use it for the legitimate interest of ensuring the quality of the treatment we provide.
Financial information
We hold information about the fees we have charged, the amounts you have paid, and some payment details. This information forms part of our contractual obligation to provide dental care and allows us to meet legal financial requirements.
Telephone calls
We record incoming and outgoing telephone calls between the practice and patients (see Section 4 for details on the telephone system we use). Recording supports patient care, accurate records of communication, and quality assurance.
CCTV
We have CCTV at the practice for the purposes of patient and staff safety. Please see our CCTV policy for further details.
3. The lawful bases on which we use your information
Under UK GDPR, we must have a lawful basis for processing your personal data. The bases we rely on are:
For general personal data (UK GDPR Article 6):
- Article 6(1)(b) — performance of a contract: necessary for the performance of our contract with you to provide dental care.
- Article 6(1)(c) — legal obligation: necessary to comply with legal obligations including record-keeping and tax requirements.
- Article 6(1)(f) — legitimate interests: for the day-to-day management and quality assurance of the practice, where this does not override your interests, rights, or freedoms.
For health and other special category data (UK GDPR Article 9):
- Article 9(2)(h) — provision of health care: necessary for the provision of health care, treatment, and management of health care services, by health professionals subject to a duty of confidentiality.
We rely on consent for marketing communications (newsletters, service updates) and for some specific uses of your data, which we will always tell you about at the time. We do not normally rely on consent as the lawful basis for processing your clinical data, because the bases above are more appropriate.
4. Third-party services we use
To deliver dental care effectively and to manage the practice, we use a number of digital tools and third-party suppliers. Each of them processes some of your personal data on our instructions. We have written agreements in place with each of them, requiring them to handle your data only on our instructions and in accordance with UK data protection law. We have completed Data Protection Impact Assessments for the principal services described below.
4.1 Dentally — patient management system
Dentally is our central patient management system. It holds your clinical records, appointment history, payment history, and clinical imagery (X-rays, scans, intra-oral photographs). Dentally is a UK-hosted cloud system. Each practice using Dentally has its own separate environment within the system; your records held with us are not visible to any other dental practice.
4.2 VoiceStack — practice telephone system
We use VoiceStack as our practice telephone system. VoiceStack records and transcribes incoming and outgoing calls between the practice and patients. We use these recordings and transcripts to:
- Support patient care (for example, to confirm what was discussed during a call to book an appointment or to check an instruction was passed on correctly).
- Improve the quality of our service through training and review.
- Maintain a record of our communications with you.
You will be informed at the start of each call that the call is being recorded. If you do not wish for a particular call to be recorded, please tell the team member at the start of the call and we will arrange to discuss the matter through an alternative channel.
4.3 AI-assisted clinical note-taking tools
The use of AI-assisted note-taking tools in dental care is a recently emerging area. These tools help our clinicians produce more accurate and contemporaneous clinical notes during consultations. We currently use, or are evaluating, the following:
Heidi Health — an AI-enabled “ambient scribing” tool used by some of our clinicians. During a consultation, with your awareness, the tool listens to the conversation and produces a draft clinical note for the clinician to review and edit before it is added to your record. Heidi Health is UK-hosted, holds ISO 27001, SOC 2 Type 2, and Cyber Essentials certifications, and aligns with NHS standards including the Data Security and Protection Toolkit (DSPT) and DCB0129. The audio of your consultation is not stored after the draft note is generated.
Kiroku — an AI-assisted clinical note-taking tool that may be used by some of our clinicians. Kiroku can be used either with voice (similar to Heidi) or with structured templates that the clinician completes by hand. Kiroku Ltd is a UK-incorporated company, and the platform is built around dental-specific templates.
Common to both tools:
- No patient name, date of birth, address, or other direct identifier is entered into either platform by the clinician.
- The clinician will tell you at the start of an appointment if a tool is going to be used, before activating it. If you would prefer that the tool is not used, please say so — your care will not be affected in any way, and the clinician will produce notes manually instead.
- Audio is not stored by either platform after the draft note has been produced.
- The clinician reviews and edits every draft note before it is added to your clinical record in Dentally.
- Not every clinician at the practice uses these tools.
- These tools never make decisions about your care; they support the clinician in producing notes only.
4.4 Practi (by Denplan) — patient finance and payments
Practi is operated by Simplyhealth Venture One Limited, part of the Denplan/Simplyhealth group. We use Practi to introduce patients to treatment finance options and to administer payment plans and membership schemes. Where you express interest in finance, we share your contact details and the treatment cost with Practi so that you can complete a finance application directly with the underlying lender, Zopa Bank Limited (trading as DivideBuy). The practice does not see or process your full financial application or the lender’s decision rationale; that is held by Practi and Zopa as separate Data Controllers.
We act as an Introducer Appointed Representative for these finance arrangements, regulated by the Financial Conduct Authority. We can introduce you to Practi but cannot give specific advice about which finance option is right for you; that is the role of the lender and the Practi platform.
4.5 Microsoft OneDrive and Dropbox — clinical imagery and practice administration
We use Microsoft OneDrive and Dropbox for two purposes:
- Clinical imagery: 3D dental scans and clinical photographs are stored on these platforms. These files form part of your clinical record alongside the records held in Dentally and are retained for the same period (11 years from the date of your last visit, or until you reach the age of 25, whichever is longer).
- Practice administration: documents relating to the running of the practice, including HR, finance, supplier contracts, and other operational records that may incidentally contain personal data.
We use only the business versions of these services (Microsoft 365 Business and Dropbox Business), which are governed by written terms that include the contractual safeguards required by UK GDPR. Access to files containing your personal data is restricted to the practice users who need it, controlled by individual user accounts.
We do not share files containing your personal data with patients or with external referrers via OneDrive or Dropbox.
4.6 Other suppliers
We also use third-party suppliers for specific limited purposes, including:
- Card and direct-debit payment providers, who process payment data when you settle a fee or join a membership scheme;
- Email and IT service providers who host our practice email and file storage;
- Professional advisers such as our accountants, solicitors, and indemnity provider, where legally or contractually necessary;
- Marketing email service providers for newsletters and service updates, where you have given consent.
A current list of all the third-party suppliers we use is available on request from our Practice Manager.
5. How we use your information
To provide you with the dental care and treatment that you need, we require up-to-date and accurate information about you.
We may contact you to conduct patient surveys or to find out whether you are happy with the treatment you received for quality control purposes.
We will seek your preference for how we contact you about your dental care. Our usual methods are telephone, email, SMS, and post.
If we wish to use your information for dental research or dental education, we will discuss this with you and seek your consent. Where possible we will anonymise your information; if not possible, we will tell you and discuss your options.
We may use your contact details to inform you of products and services available at our practice, where you have given consent.
We do not make decisions about your care or about your account based solely on automated processing. The clinical notes produced with the assistance of AI tools are always reviewed and edited by a human clinician before being entered into your record. Where the practice introduces you to a finance provider (Practi), the finance decision itself is taken by the lender (Zopa Bank); you have the right to a human review of any automated credit decision, which is handled by the lender directly.
6. Sharing information
Your information is normally used only by those working at the practice, but there may be instances where we need to share it — for example, with:
- Your doctor.
- The hospital or community dental services or other health professionals caring for you.
- Specialist dental or medical services to which we may refer you.
- Dental laboratories.
- Debt collection agencies.
- Private dental schemes of which you are a member.
- Practice Plan / Plan4Health, in connection with your dental treatment.
We will only disclose your information on a need-to-know basis and will limit any information we share to the minimum necessary. We will tell you in advance if we send your medical information to another provider and give you the details of that provider at that time.
In certain circumstances, or where required by law, we may need to disclose your information to a third party not connected with your health care — for example HMRC or other law enforcement or government agencies.
We do not transfer your personal data outside the United Kingdom. The principal services we use (Dentally, Heidi, Kiroku, VoiceStack, Practi, Microsoft 365 and Dropbox business accounts) host data in the UK or operate under data protection terms aligned with UK GDPR requirements.
7. Keeping your information safe
We store your personal information securely on our practice computer systems. Your information cannot be accessed by people who do not work at the practice; only those working at the practice have access. They understand their legal responsibility to maintain confidentiality and follow practice procedures to ensure this.
We take precautions to ensure security of the practice premises and computers. We use high-quality specialist dental software (Dentally) to record and use your personal information safely and effectively. The system has a secure audit trail and we back up information routinely.
The third-party services we use (described in Section 4) are bound by written contracts requiring them to handle your data only on our instructions and to maintain appropriate security. We have reviewed each of them through Data Protection Impact Assessments.
We keep your records for 11 years after the date of your last visit to the practice, or until you reach the age of 25 years, whichever is longer. At your request, we will delete non-essential information (for example some contact details) before the end of this period.
8. Access to your information and your other rights
Under UK GDPR, you have the following rights:
- The right to be informed about how we use your information — this notice is part of how we meet that right.
- The right of access to a copy of the information we hold about you (a Subject Access Request). We will respond within one month.
- The right to rectification — to ask us to correct any information you believe is inaccurate or incomplete. If we have shared that information with a third party, we will let them know about the change.
- The right to erasure — to ask us to delete some of the information we hold. For legal reasons, we cannot erase certain information (for example, clinical records during their retention period). We can delete some contact details and other non-clinical information on request.
- The right to restrict processing — to ask us to stop using your information in certain circumstances, including for marketing.
- The right to data portability — to ask us to supply your information electronically to another dentist.
- The right to object to our use of your information in certain circumstances, including for direct marketing.
- Rights in relation to automated decision-making — see Section 5; the practice does not make solely automated decisions about your care.
If we are relying on your consent for a particular purpose, you may withdraw your consent at any time and we will stop using your information for that purpose.
We do not usually charge for copies of your information; if we pass on a charge, we will explain why.
All requests should be made by email to our Practice Manager, Jenny Fearns, at management@sandstonedental.co.uk.
9. If you do not agree
If you do not wish us to use your personal information as described, please discuss this with your dentist or with the Practice Manager. If you object to the way we collect and use your information, we may not be able to continue to provide your dental care; we will discuss this with you so that you can decide how you wish to proceed.
If you have any concerns about how we use your information and you do not feel able to discuss them with the practice, you may contact the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113 or 01625 545745
Website: ico.org.uk
10. Changes to this notice
We will review this notice at least annually, and earlier if we make material changes to our processes or to the third-party services we use, or if there are material changes in regulation or guidance. The “Date of policy review” at the top of this notice will be updated each time. The previous version is available on request.
We anticipate that the use of AI tools and other digital services in healthcare will continue to evolve. We will continue to update this notice as further guidance becomes available from the General Dental Council, the British Dental Association, NHS England, and the Information Commissioner’s Office.
This privacy notice is based on the BDA template (February 2026) and expanded to reflect the third-party services used by The Sandstone Dental Practice.