NHS Wales Dental Referral Management System
General Data Protection Regulations
Information for referrers and providers on the GDPR process for referral management and access to a compliant DPA.

GDPR Information

We will be updating this section of the website with more information on the General Data Protection Regulations over the next few weeks. You can find out lots of information on GDPR at the Information Commissioner’s Office (ICO) – see the links at the bottom of the page or click here.

While there is much concern over GDPR, the health care sector has been applying strict information governance controls for many years, and hence there are only a few changes that we need to make to ensure that we are compliant. Most of these relate to the “fairness” of data sharing. One of the requirements is to have a signed data processing agreement between organisations that handle patient data for the purposes of direct care.

See our DPA here and get a signed copy sent to you by completing the form on the right

We will email your signed DPA to you in a few minutes – and then that’s one less job that needs to be done! Do you want to read our Privacy Policy and fair processing notice? This contains information about the data we collect and how we use it. You can read it here.

Get compliant processing contracts

Just fill and sign this simple form and we will email you our standard Data Processing Agreement – keep it safe as it demonstrates how you comply with the GDPR. If you need another copy – just complete the form again.


Read the GDPR?

Want to know more about GDPR? Why not read the document itself? Here is a link to the entire regulations, laid out in a way that is really easy to read.

  • Consent
  • Secondary Use
  • Subject Access Requests
  • Fair Processing

Consent is an issue which has concerned many dental practices in relation to GDPR and data sharing. However, within the NHS data sharing is not undertaken using consent.

This might seem surprising. However, if we examine the nature of consent within the GDPR, we can see why it isn’t used. The ICO have stated that “Organisations in positions of power over individuals, like the providers of medical (or dental) services, should avoid relying on consent unless they are confident they can demonstrate it is freely given”. You can read the ICO information on Consent here.

If not consent – what is our lawful basis?

So if not consent, then what is the basis for collecting and processing patient data? GDPR has six lawful grounds for processing data and these are contained within Article 6 of the regulations. These are:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

As noted above, under the GDPR a person’s consent cannot be “freely given” if they have no genuine or free choice, or are unable to refuse or withdraw consent without suffering a detriment, e.g. being refused treatment or health care. Consent should also not be used as the basis for processing if there is an imbalance between the person asking for consent and the person giving it, for example an individual and the NHS, where there is a clear imbalance of power. In addition, if consent is used, the “right to be forgotten” would apply, which would be impossible in relation to medico-legal documents.

What about sensitive data?

The basis upon which the dental referral centre, and many dentists, will process data for patients will be Article 6 (1) f – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Article 9 of the GDPR concerns the processing of sensitive data, which of course, health care data falls within. There is a medical purposes exemption present; Article 9, section 2 – h:

processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3

So the basis for data processing within the referral management service is a combination of legitimate interests (Article 6) and, in relation to sensitive data, the provision of healthcare (dentistry) under Article 9. As we are dealing with sensitive data, there are some other obligations on us – you can read more in the tabs.


Secondary Use

In the consent tab we explored the lawful basis for processing sensitive patient data within the referral system (and in general dental practices more broadly).

What is a secondary use of data? Put simply, it is the use of data for a purpose other than that originally intended. Examples of secondary use for dental care data might include: commissioning intelligence, risk stratification, financial and national clinical audit, healthcare management and planning, research and public health surveillance.

What permission is needed?

While we discussed that consent is not required for primary health care use, the GDPR is very clear that express patient consent is needed for the use of identifiable information for secondary purposes. However, if patient data is fully anonymised, i.e. there is no means by which the data can be matched back to an individual, then no such consent is required.

The removal of patient identifiers may not be enough to secure anonymity, especially if a disease is rare, or a geographical location is sparsely populated.

Data from the referral management system is fully anonymised within the N3 hosting environment before it is provided to Health Boards, managed clinical networks and others for the purposes of commissioning and research. We remove all patient identifiable data and all identifiable data relating to the referring dentist or practice. For example, we change date of birth to age in years, the URN is removed leaving only the geographical indicator, i.e. MAN, and the postcode is exchanged for the local authority area.
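An added illustration (not the referral system's own code) of the three generalisation steps described above, followed by a small-cell check for the re-identification risk noted for rare diseases and sparsely populated areas. The URN layout `<AREA>-<serial>`, the field names, the postcode lookup and the sample records are all assumptions constructed for this example.

```python
from collections import Counter
from datetime import date

# Constructed lookup: postcode outward code -> local authority area.
POSTCODE_TO_LA = {"CF10": "Cardiff", "LD1": "Powys"}
REF_DATE = date(2024, 6, 1)  # constructed reference date for ages

def age_in_years(dob, on):
    """Whole years between dob and the reference date."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))

def generalise(record, on=REF_DATE):
    """Build the released row from an allow-list, so fields not named here
    (patient name, referring practice, full postcode) are never copied."""
    outward = record["postcode"].split()[0].upper()
    return {
        "age": age_in_years(record["dob"], on),
        # Assumed URN layout "<AREA>-<serial>": keep only the area prefix.
        "area": record["urn"].split("-", 1)[0],
        "local_authority": POSTCODE_TO_LA.get(outward, "UNKNOWN"),
        "condition": record["condition"],
    }

def small_cells(rows, quasi_identifiers, k):
    """Return each quasi-identifier combination shared by fewer than k rows."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return {combo: n for combo, n in counts.items() if n < k}

# Constructed sample referrals; none of this is real patient data.
SAMPLE = [
    {"urn": "MAN-000101", "name": "Patient A", "practice": "Practice 1",
     "dob": date(1990, 1, 15), "postcode": "CF10 1AA", "condition": "impacted molar"},
    {"urn": "MAN-000102", "name": "Patient B", "practice": "Practice 1",
     "dob": date(1989, 8, 20), "postcode": "CF10 2BB", "condition": "impacted molar"},
    {"urn": "MAN-000103", "name": "Patient C", "practice": "Practice 2",
     "dob": date(1990, 5, 30), "postcode": "CF10 3CC", "condition": "impacted molar"},
    {"urn": "MAN-000104", "name": "Patient D", "practice": "Practice 3",
     "dob": date(1957, 3, 2), "postcode": "LD1 5ZZ", "condition": "amelogenesis imperfecta"},
]

if __name__ == "__main__":
    rows = [generalise(r) for r in SAMPLE]
    risky = small_cells(rows, ("age", "local_authority", "condition"), k=3)
    for combo, n in risky.items():
        print("coarsen or suppress before release:", combo, "rows:", n)
```

The single Powys row survives generalisation as a unique combination, which is the case where removing identifiers alone does not secure anonymity; such rows need coarser bands or suppression before release.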

Is any consent needed for referrals and patient contact?

We do contact patients about their experience of their treatment, the Friends and Family Test, as well as other PROMs and PREMs that are requested by managed clinical networks. This is undertaken using text message surveys, and explicit consent for the patient to be contacted in this way is collected at the time of referral.

If you would like more information on secondary uses, the British Medical Association has produced some very useful guidance – you can read it here.

Subject Access Requests

Patients have always had a right to access their health data – the GDPR changes a few things about how this process works.

  • Individuals have the right to access their personal data and supplementary information.
  • The right of access allows individuals to be aware of and verify the lawfulness of the processing.

The main difference is that you can no longer charge individuals for access to their data, and you must supply it within a month. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests. It is likely that many SARs will now wait until June 2018, when they will be free of charge. For some organisations, especially those with CCTV or other imaging systems, such requests could be complex, and expensive, to fulfil.

How long do I have to comply?

Information must be provided without delay and at the latest within one month of receipt.

You will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system; this will not be appropriate for most health care providers.

What about referrals?

We do occasionally get SARs from patients directly or via their solicitors. In most cases we will refer them to the referring dentist, as they are often requesting full dental records. If a data subject wishes to see their referral, we will provide this to them as soon as possible. As a data processor, we will also notify the referring dental practice that a SAR has been made.

Fair Processing

We have fair processing information for both professional users and patients. We have aimed to make the documents brief, simple and easy to understand.

We will also provide a fair processing notice leaflet so that you can display this in your surgery for patients’ information. This will be available on this page shortly.

The GDPR encourages data processors and controllers to act in a fair manner by explaining to data subjects how and why their data is being used. This is especially important when it comes to the processing of sensitive data, such as that provided in dental referrals. The documents also include straightforward guidance on how all data subjects can see the information that is held on them.

Click here to see the privacy information that relates to professional use of this website and the referral system.

Click here to see the privacy information that relates to patient use of this website and the referral system.

Other resources

We will be developing further resources for patients, including a simple video that explains how their data is used to support their dental care. Referring patients is an essential part of all aspects of health care, and we aim to support this process through clear and straightforward documentation and information.
