General Data Protection Regulations
Information for referrers and providers on the GDPR process for referral management.

GDPR Information

We have been updating this section of the website with more information on the General Data Protection Regulations recently. You can find out lots of information on GDPR at the Information Commissioner’s Office (ICO) – see the links at the bottom of the page or click here.

While there is much concern over GDPR, the health care sector has been applying strict information governance controls for many years, and hence there are only a few changes that we need to make to ensure that we are compliant. Most of these relate to the “fairness” of data sharing.

One of the requirements is to have a signed data processing agreement (DPA) between organisations that handle patient data for the purposes of direct care. This has been updated for March 2022 to include references to UK GDPR.

See our DPA here and get a signed copy sent to you by completing the form on the right.

We will email your signed DPA to you in a few minutes – and then that’s one less job that needs to be done!

Do you want to read our Privacy Policy and fair processing notice?  This contains information about the data we collect and how we use it. You can read it here.

Please see the tabbed information below for more on the GDPR and our approach to compliance.

Get compliant processing contracts – Updated March 2022

Just fill and sign this simple form and we will email you our standard Data Processing Agreement – Version 4 – keep it safe as it demonstrates how you comply with the GDPR. If you need another copy – just complete the form again.

Please Note: this DPA is for the areas currently looked after by our RMS only.



  • Consent
  • Secondary Use
  • Subject Access Requests
  • Fair Processing
  • Data Protection Officer
  • Security of Data

Consent is an issue which has concerned many dental practices in relation to GDPR and data sharing.  However, within the NHS data sharing is not undertaken using consent.

This might seem surprising. However, if the nature of consent within GDPR is examined – we can see why it isn’t used. The ICO have stated that “Organisations in positions of power over individuals, like the providers of medical (or dental) services, should avoid relying on consent unless they are confident they can demonstrate it is freely given”. You can read the ICO information on Consent here.

If not consent – what is our lawful basis?

So if not consent, then what is the basis for collecting and processing patient data? GDPR has six lawful grounds for processing data and these are contained within Article 6 of the regulations.  These are:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

As stated above, the GDPR states that a person’s consent cannot be “freely given” if they have no genuine or free choice, or are unable to refuse or withdraw consent without suffering a detriment, e.g. being refused treatment or health care. Also, consent should not be used as the basis for processing if there is an imbalance between the person asking for consent and the person giving it, for example an individual and the NHS – a clear imbalance of power. In addition, if consent is used the “right to be forgotten” would apply – which would be impossible in relation to medico-legal documents.

What about sensitive data?

The basis upon which the dental referral centre, and many dentists, will process data for patients will be Article 6 (1) f – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Article 9 of the GDPR concerns the processing of sensitive data, which of course, health care data falls within.  There is a medical purposes exemption present; Article 9, section 2 – h:

processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3

So the basis for data processing within the referral management service is one of a combination of legitimate interests (Article 6) and for the provision of healthcare (dentistry) in Article 9 in relation to sensitive data.  As we are dealing with sensitive data, there are some other obligations on us – you can read more in the tabs.

We also hold data on our users for other purposes beyond direct patient care.  For example, you may have completed one of our online courses, or you may be on our mailing list to receive important updates on the referral system. In these examples we act as a data controller and we collect and use these data with your consent.  The differences between our roles in relation to your data are explained in our fair processing notice for professionals, and you can read this here.

In the consent tab we explored the lawful basis for processing sensitive patient data within the referral system (and in general dental practices more broadly). What is a secondary use of data? Put simply, it’s the use of data for a purpose other than that originally intended. Examples of secondary use for dental care data might include: commissioning intelligence, risk stratification, financial and national clinical audit, healthcare management and planning, research and public health surveillance.

What permission is needed?

While we discussed that consent is not required for primary health care use, the GDPR is very clear that express patient consent is needed for the use of identifiable information for secondary purposes.  However, if patient data is fully anonymised – i.e. there is no means by which the data can be matched back to an individual, then no such consent is required.

The removal of patient identifiers may not be enough to secure anonymity, especially if a disease is rare, or a geographical location is sparsely populated.

Data from the referral management system is fully anonymised within the N3 hosting environment before it is provided to commissioners, managed clinical networks and others for the purposes of commissioning and research.  We remove all patient identifiable data and all identifiable data relating to the referring dentist or practice.  For example, we change date of birth to age in years, the URN is removed leaving only the geographical indicator i.e. MAN, and the postcode is exchanged for the local authority area.
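
The generalisation steps described above, together with a check for the small-group risk noted in the previous paragraph, as an added Python example that is not the referral service's own code. The URN layout, the field names, the lookup table and the threshold k are assumptions, and all records are constructed.

```python
from collections import Counter
from datetime import date

# Constructed lookup; a real export needs a full postcode-to-local-authority directory.
POSTCODE_TO_LA = {"M1 1AE": "Manchester", "M20 2LR": "Manchester", "OL1 1AA": "Oldham"}

# Constructed referral records (no real patients). Field names are assumptions.
RECORDS = [
    {"urn": "MAN-000101", "name": "A Example", "dob": date(1980, 6, 15),
     "postcode": "M1 1AE", "specialty": "oral surgery"},
    {"urn": "MAN-000102", "name": "B Example", "dob": date(1980, 9, 20),
     "postcode": "M20 2LR", "specialty": "oral surgery"},
    {"urn": "MAN-000103", "name": "C Example", "dob": date(1931, 12, 30),
     "postcode": "OL1 1AA", "specialty": "orthodontics"},
]

def age_in_years(dob, on):
    """Whole years between dob and the export date."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))

def generalise(record, on):
    """Build the export row from an allow-list, so unlisted fields (name, ...) never leak."""
    return {
        "age": age_in_years(record["dob"], on),
        "area": record["urn"].split("-", 1)[0],  # assumed URN layout: AREA-serial
        "local_authority": POSTCODE_TO_LA.get(record["postcode"], "UNKNOWN"),
        "specialty": record["specialty"],
    }

def small_cells(rows, k):
    """Return each combination of exported values shared by fewer than k rows."""
    counts = Counter(tuple(sorted(r.items())) for r in rows)
    return {combo: n for combo, n in counts.items() if n < k}

def export(records, on, k):
    """Generalise every record, then split rows into releasable and held-back."""
    rows = [generalise(r, on) for r in records]
    risky = small_cells(rows, k)
    keep = [r for r in rows if tuple(sorted(r.items())) not in risky]
    held = [r for r in rows if tuple(sorted(r.items())) in risky]
    return keep, held

if __name__ == "__main__":
    keep, held = export(RECORDS, date(2022, 3, 1), k=2)
    print(len(keep), "rows releasable;", len(held), "held back:", held)
```

The third record is held back even though its name, date of birth, URN serial and postcode are gone: one 90-year-old orthodontic referral in a single local authority is still a group of one.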

Is any consent needed for referrals and patient contact?

We do contact patients about their experience of their treatment, the Friends and Family Test, as well as other PROMS and PREMS that are requested by managed clinical networks.  This is undertaken using text message surveys and explicit consent for the patient to be contacted in this way is collected at the time of referral.

If you would like more information on secondary uses, the British Medical Association has produced some very useful guidance – you can read it here.

Patients have always had a right to access their health data – the GDPR changes a few things about how this process works.

  • Individuals have the right to access their personal data and supplementary information.
  • The right of access allows individuals to be aware of and verify the lawfulness of the processing.

The main difference is that you can no longer charge individuals for access to their data, and you must supply it within a month.  However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests. It is likely that many SAR will now wait until June 2018 when they will be free of charge. For some organisations, especially those with CCTV or other imaging systems, such requests could be complex to provide – and expensive.

How long do I have to comply?

Information must be provided without delay and at the latest within one month of receipt.

You will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system, which will not be appropriate for most health care providers.

What about referrals?

We do occasionally get SARs from patients directly or via their solicitors. In most cases we will refer them to the referring dentist as they are often requesting full dental records. If a data subject wishes to see their referral we will provide this to them as soon as possible. As a data processor we will also notify the referring dental practice that a SAR has been made.

How do I make a SAR?

While we expect that patients will be the main requesters of data, we recognise that our professional users are also entitled to the same rights under GDPR. You can find out how to make a SAR on this page. We will provide you with any data that we hold; this will mainly be in relation to the use of the system and this website. These data will normally be personal rather than sensitive data. Of course, you may have been referred yourself as a patient, in which case we will also make these data available to you on request.

We have fair processing information for both professional users and patients.  We have aimed to make the documents brief, simple and easy to understand.

We will also provide a fair processing notice leaflet so that you can display this in your surgery for patients’ information. This will be available on this page shortly.

The GDPR encourages data processors and controllers to act in a fair manner, by explaining to data subjects how and why their data is being used. This is especially important when it comes to the processing of sensitive data – such as that provided in dental referrals. The documents also include straightforward guidance on how all data subjects can see the information that is held on them.

Click here to see the privacy information that relates to professional use of this website and the referral system.

Click here to see the privacy information that relates to patient use of this website and the referral system.

Other resources

We will be developing further resources for patients, including a simple video, that explain how their data are used to support their dental care. Referring patients is an essential part of all aspects of health care and we aim to support this process through clear and straightforward documentation and information.

We are not a public authority, but we know that the nature of our processing activities requires the appointment of a DPO. We have chosen our DPO based on their professional qualities and expert knowledge of data protection law and practices. Our DPO is responsible for the professional aspects of data processing in relation to the referral application, rather than any information we may hold on individuals using this website. The differences between the two data types are explained within our fair processing notice.

Position of the DPO

Our DPO reports directly to our highest level of management and is given the required independence to perform their tasks. We make sure that we involve our DPO in all matters relating to the protection of personal data and ensure that they are well resourced to be able to perform their duties.

We do not penalise the DPO for performing their duties; indeed, we encourage openness, candour and transparency in all aspects of our IG work.

Tasks of the DPO

Our DPO is tasked with monitoring compliance with the GDPR and other data protection laws, our data protection policies, awareness-raising, training, and audits. We take full account and act upon our DPO’s advice and the information they provide on our data protection obligations.

When we update our DPIA, and when we seek to change any aspect of our referral application that may change how we protect our data, we seek the advice of our DPO who also monitors the process. Our DPO acts as a contact point for the ICO. They co-operate with the ICO, including during prior consultations under Article 36, and will consult on any other matter. When performing their tasks, our DPO has due regard to the risk associated with processing operations, and takes into account the nature, scope, context and purposes of processing. We have worked with our DPO for many years in the preparation of our IGTK and they understand our data processing requirements.

Accessibility of the DPO

Our DPO is easily accessible as a point of contact for our employees, individuals and the ICO.

Our DPO is:

Mr J. Curtiss Green of GR Governance & Consultancy Service

He can be contacted via email here.

For more information on the role of the DPO and other matters related to GDPR please see the ICO website here.

Much has been made of the security implications of GDPR, with some stating that certain elements are mandated, while others are not. However, the appropriate section, Article 32, is fairly brief – indeed a single page. Again, the regulation is designed to be proportionate to the data risk. Here we outline some of the measures that we take to ensure patient referral data is secure.


We ensure that when personal and sensitive data are transmitted they are encrypted – including all data entered on webforms or similar. We only ever use NHS NET email for sending patient data and are increasingly using other secure means of document transfer between providers and referrers.


We ensure the ongoing security of patient data by undertaking regular security tests of all of our systems. These take the form of so-called penetration tests, where approved individuals attempt to “hack” into systems to see if there are any vulnerabilities. We use two companies to provide this service to ensure that there is a robust assessment.

In addition, we use a regular scanning service that checks for common system failings and provides alerts if any vulnerabilities are found. All of our data are stored in UK data centres; we never place any data overseas, even in the EU. We are working towards additional certifications in relation to our data security measures. All of our data is hosted in N3 approved sites.


Disasters happen – and we have seen this in the media on many occasions, and we may even have experienced the loss of data personally. Frequent, robust and tested backup procedures are therefore essential to provide evidence of GDPR compliance. All of our data are backed up on a nightly basis, with some essential data backed up every hour. We ensure data are secured both in our data centres and off site to prevent loss in the event of a data centre fire or similar.


We take data security extremely seriously and work hard to ensure that our systems are world leading, that they are tested and that we have plans in place in the event of a failure of any of our major IT infrastructure.

