Privacy Notice
The Thatch Dental Practice
Last updated: March 2026
1. Who We Are
The Thatch Dental Practice is a primary dental care provider delivering NHS and private dental services. We are the data controller responsible for your personal information.
| Practice Name | The Thatch Dental Practice |
| Principal Dentist | Dr Amrit Kaur (GDC: 245227) |
| Address | 1 King Street, Mildenhall, Suffolk, IP28 7ES |
| Email | management@thethatchdental.co.uk |
| Website | www.thethatchdental.co.uk |
| ICO Registration | ZC086769 |
| CQC Registration | Provider ID: 1-18576565725 |
| NHS Contract | 9662150001 (SNEE ICB) |
If you have any questions about how we use your personal information, please contact us using the details above.
2. What Personal Information We Collect
We collect and process the following categories of personal information:
Identity and Contact Information
Full name, date of birth, gender
Address, telephone number, email address
Next of kin and emergency contact details
Health and Clinical Information
Medical history, current medications, allergies and contraindications
Dental records, treatment plans, clinical notes and X-rays
Referral information to and from other healthcare providers
NHS exemption status and eligibility information
Special category data including physical and mental health conditions where relevant to your dental care
Financial Information
NHS charge band and payment records
Private treatment invoices and payment history
Bank or card payment details (processed securely and not retained)
Administrative Information
Appointment history and recall dates
Communication preferences
Patient satisfaction feedback and complaints correspondence
3. Why We Collect Your Information and Our Legal Basis
We collect and use your personal information for the following purposes:
| Purpose | Legal Basis (UK GDPR) | Special Category Basis |
| Providing dental treatment and clinical care | Article 6(1)(b) — Performance of a contract; Article 6(1)(c) — Legal obligation | Article 9(2)(h) — Healthcare provision |
| NHS dental reporting and contract compliance | Article 6(1)(c) — Legal obligation (NHS Regulations) | Article 9(2)(h) — Healthcare provision |
| Appointment booking and patient recalls | Article 6(1)(b) — Performance of a contract | N/A |
| Processing NHS charges and exemptions | Article 6(1)(c) — Legal obligation | Article 9(2)(h) — Healthcare provision |
| Referring you to other NHS or specialist services | Article 6(1)(b) — Performance of a contract | Article 9(2)(h) — Healthcare provision |
| Safeguarding vulnerable adults and children | Article 6(1)(c) — Legal obligation | Article 9(2)(g) — Public interest |
| Infection prevention and clinical audit | Article 6(1)(c) — Legal obligation | Article 9(2)(h) — Healthcare provision |
| Responding to complaints and patient feedback | Article 6(1)(c) — Legal obligation; Article 6(1)(f) — Legitimate interests | Article 9(2)(h) — Healthcare provision |
| Improving our services and quality assurance | Article 6(1)(f) — Legitimate interests | Article 9(2)(h) — Healthcare provision |
4. Who We Share Your Information With
We only share your personal information where it is necessary, lawful and in your best interests. We may share information with:
NHS and Healthcare Organisations
NHS Business Services Authority (NHSBSA) — for NHS charge processing and dental claims
NHS Suffolk and North East Essex ICB (SNEE ICB) — our commissioning body, for contract monitoring and performance reporting
NHS England — for regulatory oversight and national dental datasets
Other dental practices or specialists — when referring you for further treatment
Your GP and other healthcare providers — where clinically relevant to your care
NHS 111 and urgent dental care services — where you require out-of-hours treatment
Regulatory and Statutory Bodies
Care Quality Commission (CQC) — in the course of inspections and regulatory oversight
General Dental Council (GDC) — where professional registration matters arise
Information Commissioner’s Office (ICO) — in the event of a data breach or regulatory inquiry
Local Authority Safeguarding Teams — where safeguarding concerns arise for vulnerable adults or children
Our Service Providers
Our dental software provider (practice management system) — under a data processing agreement
Our IT support provider — under a data processing agreement
Our accountant and financial advisors — for practice financial management only
We do not sell your personal data to any third party. We do not share your information for marketing purposes without your explicit consent.
5. How Long We Keep Your Information
We retain your personal information in line with NHS and professional guidance:
| Adult dental records | 10 years from the date of last treatment |
| Children’s dental records | Until the patient’s 25th birthday (or 26th if treatment ended at 17) |
| NHS dental claim records | 10 years in line with NHSBSA requirements |
| Financial records | 7 years in line with HMRC requirements |
| Complaints correspondence | 10 years from resolution |
| Referral letters | Retained as part of the clinical record |
| CCTV footage (if applicable) | 31 days, unless required for an investigation |
After the retention period has expired, records are securely destroyed in accordance with NHS and ICO guidance.
6. Your Rights
Under UK GDPR, you have the following rights in relation to your personal information:
Right of Access — you can request a copy of the personal information we hold about you (Subject Access Request)
Right to Rectification — you can ask us to correct inaccurate or incomplete information
Right to Erasure — in certain circumstances, you can ask us to delete your information (note: this may be limited where we have a legal obligation to retain records)
Right to Restrict Processing — you can ask us to limit how we use your information in certain circumstances
Right to Data Portability — you can request your data in a structured, machine-readable format in certain circumstances
Right to Object — you can object to processing based on legitimate interests or for direct marketing
Rights relating to Automated Decision-Making — we do not make solely automated decisions that significantly affect you
To exercise any of these rights, please contact us in writing at the address or email above. We will respond within one calendar month. We may need to verify your identity before processing your request.
Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
7. How We Protect Your Information
We take the security of your personal information seriously. Our security measures include:
All electronic patient records are stored on secure, password-protected systems with role-based access controls
All personal data is encrypted at rest and in transit
We use NHSmail (dental.v00422@nhs.net) for secure electronic communication within the NHS
We maintain a current Data Security and Protection Toolkit (DSPT) submission at Standards Met level
All staff receive annual information governance and data protection training
Paper records are stored securely and destroyed using confidential waste services
We have a Business Continuity Plan that includes cyber security incident response procedures
We report any personal data breaches to the ICO within 72 hours where required
8. International Transfers
We do not transfer your personal data outside of the United Kingdom. All our systems and service providers process data within the UK.
9. Cookies and Website
Our website (www.thethatchdental.co.uk) may use cookies to improve your experience. Cookies are small text files stored on your device. We use:
Essential cookies — necessary for the website to function correctly
Analytics cookies — to understand how visitors use our site (where consent is given)
You can control cookies through your browser settings. Refusing non-essential cookies will not affect your ability to use our core services.
10. How to Complain
If you are unhappy with how we have handled your personal information, please contact us in the first instance:
| Email | management@thethatchdental.co.uk |
| Post | Dr Amrit Kaur, The Thatch Dental Practice, 1 King Street, Mildenhall, Suffolk, IP28 7ES |
If you remain dissatisfied after contacting us, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
| ICO Website | www.ico.org.uk |
| ICO Helpline | 0303 123 1113 |
| ICO Address | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
11. Changes to This Privacy Notice
We review and update this Privacy Notice periodically to ensure it remains accurate and compliant with current legislation. The date of the most recent update is shown at the top of this document.
Any significant changes will be communicated to active patients. We encourage you to review this notice periodically.
The Thatch Dental Practice — Committed to protecting your information
www.thethatchdental.co.uk | management@thethatchdental.co.uk