
Privacy Notice & GDPR

Privacy Notice for Patients

This privacy notice sets out how Wood MediSpa uses and protects any information that you give when joining the hospital.

The hospital is committed to complying with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, GMC, NHS and other standards.

The person responsible for Data Protection is Francesca McDiarmid.


What type of information do we hold?

  • Personal details such as your address, date of birth, phone number and email address

  • This is for the provision of health care, providing treatment plans, estimates and recalls

  • Details of your NHS number and entitlement to healthcare treatment and exemption status if applicable

  • Personal details of family members or emergency contact details

  • Medical history including your GP’s name and address

  • Past and present medical history including x-rays and photographs

  • Information about the treatment we have proposed and provided along with its price.

  • Notes of conversations or incidents that might occur for which a record needs to be kept

  • Records of permission or consent for treatment.

  • Correspondence with other healthcare professionals, such as referrals

  • Financial information relating to your treatment

  • Details of any complaints made


Why do we need to keep this information?

We need to keep records of personal information regarding our patients in order to provide safe and appropriate dental care and treatment. It is also used to maintain accurate treatment records.

We also need to process personal data about you if we are providing care under NHS arrangements and to ensure the proper management and administration of the NHS.


Our legal basis for processing data is:

  • Consent

  • Legitimate interest - Processing is necessary for the performance of our care for patients and for defence of legal claims

  • Data relating to your health care records is classed as special category data. Our legal basis for processing this is that it falls under Legal claims or judicial acts and Health and Social Care (Article 9 UK GDPR (f,h)).


What do we do with your Information?

We will only share your information if it is done securely and it is necessary for us to do so.

Your personal information may be securely shared with other healthcare professionals who need to be involved in your care (for example if we refer you to a specialist, need laboratory work undertaken or need to consult with your doctor).

We may also share your personal information securely with third parties where we are required by law or regulation to do so. This may include:

  • The General Medical Council


  • Payment plans or insurers

  • NHS Bodies if NHS care and treatment is provided

How do we store your Information?

  • Your Information is stored securely at the practice in paper form and on protected computer systems. Computer information is backed up regularly and may be securely stored away from our premises.

Retention periods

  • We are required to retain your medical records, X-rays and study models while you are a patient of the hospital and after you cease to be a patient for a minimum of 7 years.

  • There are several other documents that we may collect that have a variety of retention dates, for example the NHS PR form – used to declare payment exemptions – which needs to be kept for 2 years minimum. We have a retention schedule listing all documents and the timeframes for disposal. Retention periods may be changed from time to time based on business or legal and regulatory requirements.


Your rights under GDPR

  • Access

You have a right to access the information that we hold about you and to receive a copy. You can make a request by contacting the hospital or by e-mailing

  • Rectification

You have a right to correct any information that you believe is inaccurate or incomplete. Please contact the hospital to request a change in information.

  • Erasure

You have a right to request that we delete your personal information, although you should be aware that, for legal reasons, we may be unable to erase certain information (for example, information about your treatment). Please contact the hospital to make this request.

  • Restriction

You have the right to request that we restrict the processing of your personal information, for example sending you reminders for appointments or information about our service. Please contact the hospital to make this request.

  • Portability

You have a right to data portability; this could include supplying your information to another consultant. Please contact the hospital to make this request.


If you have any concerns about how we use your information and you do not feel able to discuss it with your consultant or anyone at the hospital, you can contact our Data Protection Officer via email at

You can also seek advice from the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, or start a live chat or call the helpline on 0303 123 1113.
