Whitetree Orthodontic Centre / Straight and Bright Dental Ltd Privacy Notice

Data controller

Straight and Bright Dental Ltd

Data Protection Leads

Helen Leach and Nicola Loveridge

Purpose of Processing and Source of Personal Data

Data is collected direct from patients or their families, and from dentists referring patients for treatment. Occasionally NHS organisations may provide patient details for transfer cases. This data is used for:

  • The general running and business administration of Whitetree Orthodontic Centre (Straight and Bright Dental Ltd).
  • To record clinical data relating to patients and progress their treatment.
  • Data is shared with other dentists, doctors and organisations where that is required for safe care.
  • Data is shared with government and NHS organisations for contractual reasons.
  • Data may be shared when a patient is referred to other services as part of their dental care.
  • Data may be shared with organisations making ‘laboratory’work for a patient or analysing patient records for quality control purposes.
  • Data may be shared with debt recovery organisations in the event of non-payment of private fees.
  • Data may be used for marketing purposes if you consent to that.

Legal basis upon which processing is undertaken

There are different legal bases for holding your data:

  • legal obligation. Sometimes we are legally obliged to collect and hold your data.
  • legitimate interests. This applies when we collect data you would reasonably expect us to hold to carry out our work with you.
  • Where we hold non-essential data for you, for example for marketing purposes, or where we use your data for multiple purposes including non-essential purposes, we will ask for your consent. It is possible to consent to us using your data for only specific purposes and not others.
  • We may need to hold your data in order to perform a contract agreed with you.

Categories of Personal Data

Data categories:

  1. Name, date of birth and contact details.
  2. Information about health, medical history and dental history (‘sensitive data’).
  3. Photographs, radiographs (x-rays), scans and models of your face and teeth.
  4. Parent/ guardian name and contact details.
  5. Banking details for private payments.

Transfer of Data to other Countries, Data Security and Safeguards

We share your data only where essential to your care or data security.

We never pass your information on to third parties for marketing purposes.

Wherever possible we avoid transfer of your data outside of the EU to countries where the same data protection legislation does not apply. We do use laboratories in the United States for certain brace types, but only those with the highest data protection standards where we have been assured that they will comply with European data protection regulations.

We encrypt your information when we share it with third parties. We back up our data and store these back ups with a EU cloud service. Your records are password protected on our practice computers and paper records are scanned and disposed of wherever possible. Paper records are held under lock and key. We employ a specialist IT company to assist us in maintaining your records securely, protecting our records from unauthorised access and cyber attack. Our staff are trained regarding data protection laws.

Your rights

  1. You have the right to be informed which data we collect, why and how we use it.
  2. You have a right to see the personal data we hold for you.
  3. Personal data can be rectified. Let us know if you find errors.
  4. In some circumstances, data can be erased (the ‘right to be forgotten’).
  5. Data subjects can request restrictions to processing.
  6. Data can be transferred at a subject’s request (‘data portability’).
  7. Data subjects can object to their data being processed.
  8. Data subjects have the right not to be subjected to automated decision-making or profiling (this is not currently relevant to Whitetree Dental Centre).

Not all rights apply in every situation. For example whether we can delete you data depends on which legal basis the data is held.

Data Retention

Essential data is retained for at least 11 years and a maximum of 30 years after the end of your treatment with us. This is in case you need further care, for communication with anyone treating you later, and as a medico-legal record.

Financial data is retained for 7 years after its last use.

How to Complain

If you have concerns about data protection, please let us know by phone, letter, email or in person and we will put you in touch with one of our data protection leads.

If you wish to make a complaint and our answers have not been satisfactory, you can complain to The Information Commissioner’s Office, at, or on

0303 123 1113.