GDPR for dental practices in the UK
Steven | TrustYourWebsite · 3 May 2026 · Last updated: May 2026
UK dental practices process some of the most sensitive personal data of any small business: patient health records, X-rays, medical history, financial information. Under UK GDPR, health data is a "special category" requiring heightened protection. The General Dental Council (GDC) and the ICO both have specific expectations for healthcare providers. Scan your practice website for UK GDPR issues to check whether your privacy notice, cookie banner and trader details are in order.
Patient data as special category
Health data is a special category of personal data under UK GDPR Article 9. For dental practices, this covers:
- Clinical records, treatment plans and notes
- Dental X-rays and other imaging
- Prescribed medications and allergy information
- Referral letters and specialist reports
- Payment and insurance information (when linked to health treatment)
What this means in practice:
- You need a lawful basis under Article 6 plus a special-category condition under Article 9. The standard combination for clinical care is Article 6(1)(c)/(e) (legal obligation or public task for NHS work, or contract for private treatment) plus Article 9(2)(h) (provision of health treatment), supplemented by Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018, which provides the UK-specific authorisation
- You must implement stronger technical and organisational security measures
- Staff must be trained on data protection and the common-law duty of confidentiality
- Access must be strictly limited to those who need it for patient care
NHS-contracted practices must also complete the annual Data Security and Protection Toolkit (DSPT), the NHS Digital framework for healthcare data protection assurance.
Record retention
Standard UK retention periods for dental records, drawn from NHS Digital's Records Management Code of Practice 2021 and GDC guidance:
| Record type | Retention period |
|---|---|
| Adult patient records (NHS or private) | 11 years from last attendance |
| Child patient records | Until age 25 (or 11 years from last attendance if later) |
| X-rays (radiographs) | Same as patient records |
| Referral letters | Retain as part of the patient file |
| Consent forms | Retain for the duration of the patient record |
| Financial records | 6 years (HMRC) |
After the retention period, patient records must be securely destroyed: paper records shredded, and digital records erased with a proper data-wiping method rather than simply deleted.
Online booking systems
Dental practices increasingly use online booking and practice-management systems such as Software of Excellence (Exact), SOE, Kiroku, Dentally, Carestream R4 and similar tools. Each of these systems processes patient personal data on your behalf.
Your obligations:
- Sign a Data Processing Agreement (DPA) with your provider, required under UK GDPR Article 28
- Confirm the provider stores data on UK or EU servers (or has appropriate transfer safeguards under the IDTA or UK Addendum)
- Review the provider's own privacy policy and security certifications (Cyber Essentials Plus and ISO 27001 are standard expectations)
- Ensure only authorised staff can access patient records through the system
NHS-contracted practices must also confirm any system handling NHS patient data is compliant with the NHS Digital DSPT.
Your practice website
If your website has a contact form, appointment-request form or online booking integration, it processes personal data.
Required on your practice website:
- Privacy notice explaining how patient data is collected and processed
- Cookie banner if you use analytics (Google Analytics uses cookies that identify visitors)
- Companies House number and registered office in your footer (Companies (Trading Disclosures) Regulations 2008, if you're a registered company)
- GDC registration number displayed (professional body requirement under the Dentists Act 1984 and GDC Standards)
The GDC has consistently reminded registrants that patient-facing communications, including websites, must comply with the GDC's Standards for the Dental Team, including in relation to confidentiality and the use of testimonials.
Data breach procedure
If patient records are accessed without authorisation (a cyberattack, a lost device, a misdirected email), you must:
- Identify and contain the breach
- Assess the likely impact on patient rights and freedoms
- Notify the ICO within 72 hours via ico.org.uk/for-organisations/report-a-breach
- If the breach poses high risk to patients: notify the affected patients directly
- Document the breach and your response
Health data breaches almost always meet the notification threshold due to the sensitivity of the data involved.
NHS-contracted practices must additionally report through the DSPT incident reporting tool, which feeds the breach into NHS England's incident management framework.
Practical checklist for dental practices
| Item | Required? |
|---|---|
| Lawful basis documented for health data processing | Yes |
| DPA signed with practice management software | Yes |
| Data Processing Agreement with any booking system | Yes |
| Staff training on UK GDPR and confidentiality | Yes |
| Record retention policy documented | Yes |
| Breach notification procedure in place | Yes |
| Privacy notice for patients | Yes |
| Privacy notice on practice website | Yes |
| Cookie banner on website | Yes, if using analytics |
| Companies House details in website footer | Yes, if a registered company |
| GDC registration number on website | Yes |
| Data Security and Protection Toolkit (DSPT) submission | Yes, if NHS-contracted |
Sources
- General Dental Council, Standards for the Dental Team
- NHS Records Management Code of Practice 2021
- ICO, UK GDPR guidance and resources
- UK GDPR Article 9, Special categories of data
This is technical analysis, not legal advice. Consult the GDC and a data protection specialist for specific guidance.