Station House Dental Care (operated by Station House DC Limited, registered in England & Wales, company no. 14096344)
Fernlea Avenue, Barnoldswick BB18 5DW
01282 965286 · teeth@stationhousebarnoldswick.com
Last reviewed: 2 July 2026
This notice explains how Station House Dental Care (“we”, “us”, “the practice”) collects, uses, shares and protects your personal information, and the rights you have over it. It is provided in line with Articles 13 and 14 of the UK GDPR. We are the data controller for the information we hold about you, and we are registered with the Information Commissioner’s Office (ICO) under registration number ZA105692.
We handle personal data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Data (Use and Access) Act 2025. As a practice that holds an NHS contract, we also work to the NHS Records Management Code of Practice 2023, the Caldicott Principles, the common law duty of confidentiality, and the NHS Data Security and Protection Toolkit (DSPT), which we complete every year.
The people responsible for your information
- Data Protection Officer (DPO) — oversees our compliance and is your point of contact for data protection questions: you can contact the Data Protection Officer by email at teeth@stationhousebarnoldswick.com (marked “FAO Data Protection Officer”), by phone on 01282 965286, or by post at Station House Dental Care, Fernlea Avenue, Barnoldswick BB18 5DW.
- Caldicott Guardian — a senior person responsible for protecting the confidentiality of patient information and making sure it is shared appropriately: our named Caldicott Guardian can be contacted through the practice using the details above.
- Senior Information Risk Owner (SIRO) — responsible for managing information risk across the practice: our named SIRO can be contacted through the practice using the details above.
The information we collect
- Identity & contact details — name, date of birth, address, email, phone number, emergency contact.
- NHS information — your NHS number and, where relevant, evidence of your entitlement to free NHS treatment or help with charges.
- Health information — medical history, medications, allergies, dental records, clinical notes, treatment plans, x-rays and clinical photographs. This is “special category” data, given extra protection in law.
- Financial information — payment card details (handled securely by our payment provider), payment-plan and account information.
- Other details — your GP’s details, correspondence, marketing preferences, and limited website/analytics data (see Cookies).
Why we use your information, and our lawful basis
The law requires us to have a “lawful basis” for everything we do with your data, plus an additional condition for your health information. Our bases are:
- To provide your dental care. For NHS treatment our basis is UK GDPR Article 6(1)(e) — a task carried out in the public interest / in the exercise of official authority under the NHS Act 2006 and our NHS contract — together with Article 9(2)(h) (the provision of health care). For private treatment our basis is Article 6(1)(b) (performance of our contract with you) together with Article 9(2)(h).
- To manage appointments and send reminders, recalls and treatment information — as a necessary part of providing your care.
- To take payment and keep our accounts — Article 6(1)(b) (contract) and Article 6(1)(c) (legal obligation, e.g. tax records).
- To meet our legal and regulatory duties — for example court orders, safeguarding, public-health reporting, or requests from the GDC or CQC — Article 6(1)(c), with Article 9(2)(h), (b) or (g) for health data where relevant.
- To send marketing or newsletters, where we do this at all — only with your consent, Article 6(1)(a), which you can withdraw at any time.
Everyone who handles your information is bound by the common law duty of confidentiality and the Caldicott Principles. Where we rely on Article 9(2)(h) for your health information, we also keep an Appropriate Policy Document as required by Schedule 1 of the Data Protection Act 2018.
How your information is used — direct care and beyond
Your direct care. Members of our dental team and reception staff use your records to provide, plan and coordinate your treatment, and we share information with others involved in your care (see below).
Other NHS purposes. As an NHS-contracted practice we also use information to process and verify NHS treatment claims and entitlement through the NHS Business Services Authority, and to support NHS payment, commissioning, planning and clinical audit. Where the law requires it, we submit data to national NHS collections. Where we use confidential patient information for purposes beyond your individual care, we apply the national data opt-out wherever it is required (see below).
Who we share your information with
We share your information only where it is necessary for your care or where the law requires it. We never sell your data, and we do not use it for third-party advertising. This may include:
- Other healthcare providers in your care — hospitals, specialists, or your GP when we refer you.
- NHS bodies — NHS England, our commissioning Integrated Care Board (NHS Lancashire and South Cumbria), and the NHS Business Services Authority, to process and verify NHS claims, check entitlement, and support commissioning.
- Dental laboratories that make crowns, dentures, aligners and other appliances prescribed for you.
- Our suppliers acting as data processors — practice-management software, secure SMS/messaging, IT support and payment processors — acting only on our written instructions under contracts that meet Article 28 of the UK GDPR.
- Our regulators and advisers — the Care Quality Commission, the General Dental Council, and our indemnity provider or legal advisers, where lawful.
- Public bodies — public health, safeguarding partners, or the police and courts, where we are legally required or permitted to disclose.
- Insurers, solicitors or other third parties — only with your consent, or where we are legally required to disclose.
The national data opt-out
The NHS may use information collected during your care to support research and planning. You have the right to stop your confidential patient information being used in this way — the national data opt-out. It does not affect your individual care and treatment in any way. You can view or change your choice at nhs.uk/your-nhs-data-matters. We apply the national data opt-out wherever it is required.
How long we keep your information
We keep dental records in line with the NHS Records Management Code of Practice 2023:
- Adults — for a minimum of 11 years after your most recent course of treatment.
- Children — until their 25th birthday (or 26th if they were 17 when treatment ended), or 11 years, whichever is longer.
Financial and business records are kept for as long as the law requires (for example, tax records for at least 6 years). When records are no longer needed they are securely and confidentially destroyed — we never delete records automatically without review.
Keeping your information secure
We hold your information securely using access controls, staff confidentiality and information-governance training, and appropriate technical safeguards. As an NHS-contracted practice we complete the NHS Data Security and Protection Toolkit every year, our staff are bound by the Caldicott Principles, and our Caldicott Guardian and SIRO oversee how patient information is protected and shared.
Where your information is held
Your information is normally held within the UK. Some suppliers (for example Google Analytics) may process limited website data outside the UK; where that happens we rely on the safeguards required by UK data protection law, such as the UK International Data Transfer Addendum, the UK–US data bridge, or another approved transfer mechanism. Your clinical records are not transferred outside the UK.
Photographs, images and recordings
Clinical photographs and x-rays form part of your dental record and are used for your care. Where we would like to use any image for another purpose, such as training or marketing, we will ask for your separate written consent first, and you can withdraw it at any time. Where telephone calls are recorded, or CCTV is in operation on the premises, this is for the safety of patients and staff and the quality of our service, notices will be displayed where relevant, and recordings are handled in line with this notice.
Automated decisions
We do not make decisions about your care or treatment by solely automated means. Some tools — such as automated appointment reminders and confirmations by text message, our online enquiry assistant, and an automated (AI) telephone assistant that may answer or assist with calls to the practice — help us communicate with you, but clinical decisions are always made by a member of our dental team, and you can ask to speak to a member of staff at any time.
Where calls or messages are handled by these tools, the call audio, transcripts and message content are processed by our telephony, messaging and AI suppliers acting as data processors under written contracts that meet Article 28 of the UK GDPR. Some of these suppliers may process this data outside the UK; where that happens we rely on the safeguards required by UK data protection law, such as the UK International Data Transfer Addendum or the UK–US data bridge. Your dental records themselves remain held as described above.
Your rights
Under data protection law you have the right to:
- Access the data we hold about you (a “subject access request”). This is free, and we will respond within one month. You don’t need to use any special wording.
- Rectification — ask us to correct information that is wrong or incomplete.
- Erasure — ask us to delete your data, although we may be unable to where the law requires us to keep your dental records (see above).
- Restriction — ask us to limit how we use your data in certain situations.
- Object to certain uses of your data.
- Data portability — receive certain data in a reusable format, where this right applies.
- Withdraw consent at any time, where we rely on your consent.
To exercise any of these rights, email teeth@stationhousebarnoldswick.com, call 01282 965286, or contact our DPO above.
Cookies
This website uses essential cookies for site functionality (these are always active) and optional Google Analytics cookies to help us understand how visitors use the site. Analytics IPs are anonymised.
Your consent. When you first visit our website, you’ll see a banner asking whether you accept analytics cookies. You can choose to Accept All or Reject non-essential cookies. Your choice is saved in your browser and remembered on future visits. You can change it at any time by clearing your browser cookies for this site.
What we use. Google Analytics 4 (with IP anonymisation enabled) is used solely to understand visitor traffic patterns. We use Google’s Consent Mode v2, so analytics cookies and pings do not fire until you explicitly accept them. We do not use any advertising cookies, retargeting pixels or third-party marketing cookies on this site.
Complaints about your data
If you have any concern about how we handle your information, please contact us or our DPO first so we can try to put it right. You also have the right to complain to the ICO, the UK’s data protection regulator, at any time: ico.org.uk/make-a-complaint, or by calling 0303 123 1113.
Freedom of Information
As a practice providing NHS dental services, we are a public authority under the Freedom of Information Act 2000 in respect of our NHS services. Our publication scheme explains what information we routinely make available and how to request other information. Requests for your own records are handled as subject access requests under this notice, not FOI.
Changes to this notice
We may update this notice from time to time. The date at the top shows when it was last reviewed.