Are dental records special category data under UK GDPR?

Yes. Dental and medical records are health data, a special category of personal data under UK GDPR Article 9. Processing requires an explicit legal basis (typically the provision of healthcare under Article 9(2)(h) UK GDPR plus the Schedule 1 Part 1 condition in the Data Protection Act 2018), and stronger security measures than for ordinary personal data.

How long must UK dental practices retain patient records?

NHS Digital's Records Management Code of Practice 2021 sets the standard retention periods: 11 years from the date of last attendance for adult NHS patients, or until age 25 for child patients (whichever is later). Private dental records typically follow a similar minimum. The General Dental Council (GDC) recommends retaining clinical records for at least 11 years for adults and until age 25 for children, in line with NHS practice.

Do I need to report a data breach to the ICO?

Yes, if the breach is likely to result in a risk to the rights and freedoms of individuals. For health data breaches, the risk threshold is typically met. You must notify the ICO within 72 hours of becoming aware. If the breach poses a high risk to the individuals concerned, you must also notify the patients directly. NHS-contracted practices have additional reporting obligations to NHS England and the Data Security and Protection Toolkit.

GDPR & Privacy

GDPR for dental practices in the UK

Steven | TrustYourWebsite · 3 May 2026

UK dental practices process some of the most sensitive personal data of any small business: patient health records, X-rays, medical history, financial information. Under UK GDPR, health data is a "special category" requiring heightened protection. The General Dental Council (GDC) and the ICO both have specific expectations for healthcare providers.

Patient data as special category

Health data is a special category of personal data under UK GDPR Article 9. For dental practices, this covers:

Clinical records, treatment plans, and notes
Dental X-rays and other imaging
Prescribed medications and allergy information
Referral letters and specialist reports
Payment and insurance information (when linked to health treatment)

What this means in practice:

You need a lawful basis under Article 6 plus a special-category condition under Article 9. The standard combination for clinical care is Article 6(1)(c)/(e) (legal obligation / public task for NHS work, or contract for private) plus Article 9(2)(h) (provision of health treatment), supplemented by Schedule 1 Part 1 paragraph 2 of the Data Protection Act 2018 which provides the UK-specific authorisation
You must implement stronger technical and organisational security measures
Staff must be trained on data protection and the common-law duty of confidentiality
Access must be strictly limited to those who need it for patient care

NHS-contracted practices must also complete the annual Data Security and Protection Toolkit (DSPT), the NHS Digital framework for healthcare data protection assurance.

Record retention

Standard UK retention periods for dental records, drawn from NHS Digital's Records Management Code of Practice 2021 and GDC guidance:

Record type	Retention period
Adult patient records (NHS or private)	11 years from last attendance
Child patient records	Until age 25 (or 11 years from last attendance if later)
X-rays (radiographs)	Same as patient records
Referral letters	Retain as part of the patient file
Consent forms	Retain for the duration of the patient record
Financial records	6 years (HMRC)

After the retention period, patient records must be securely destroyed (shredded, not simply deleted without proper data wiping for digital records).

Online booking systems

Dental practices increasingly use online booking and practice-management systems such as Software of Excellence (Exact), SOE, Kiroku, Dentally, Carestream R4, and similar tools. Each of these systems processes patient personal data on your behalf.

Your obligations:

Sign a Data Processing Agreement (DPA) with your provider — required under UK GDPR Article 28
Confirm the provider stores data on UK or EU servers (or has appropriate transfer safeguards under the IDTA or UK Addendum)
Review the provider's own privacy policy and security certifications (Cyber Essentials Plus and ISO 27001 are standard expectations)
Ensure only authorised staff can access patient records through the system

NHS-contracted practices must also confirm any system handling NHS patient data is compliant with the NHS Digital DSPT.

Your practice website

If your website has a contact form, appointment-request form, or online booking integration, it processes personal data.

Required on your practice website:

Privacy notice explaining how patient data is collected and processed
Cookie banner if you use analytics (Google Analytics uses cookies that identify visitors)
Companies House number and registered office in your footer (Companies (Trading Disclosures) Regulations 2008, if you're a registered company)
GDC registration number displayed (professional body requirement under the Dentists Act 1984 and GDC Standards)

The GDC has consistently reminded registrants that patient-facing communications — including websites — must comply with the GDC's Standards for the Dental Team, including in relation to confidentiality and the use of testimonials.

Data breach procedure

If patient records are accessed without authorisation (a cyberattack, a lost device, a misdirected email), you must:

Identify and contain the breach
Assess the likely impact on patient rights and freedoms
Notify the ICO within 72 hours via ico.org.uk/for-organisations/report-a-breach
If the breach poses high risk to patients: notify the affected patients directly
Document the breach and your response

Health data breaches almost always meet the notification threshold due to the sensitivity of the data involved.

NHS-contracted practices must additionally report through the DSPT incident reporting tool, which feeds the breach into NHS England's incident management framework.

Practical checklist for dental practices

Item	Required?
Lawful basis documented for health data processing	Yes
DPA signed with practice management software	Yes
Data Processing Agreement with any booking system	Yes
Staff training on UK GDPR and confidentiality	Yes
Record retention policy documented	Yes
Breach notification procedure in place	Yes
Privacy notice for patients	Yes
Privacy notice on practice website	Yes
Cookie banner on website	Yes, if using analytics
Companies House details in website footer	Yes, if a registered company
GDC registration number on website	Yes
Data Security and Protection Toolkit (DSPT) submission	Yes, if NHS-contracted

Check your practice website

Free website compliance check →

Sources

This is technical analysis, not legal advice. Consult the GDC and a data protection specialist for specific guidance.

Check your website now

Scan your website for GDPR & Privacy issues and 30+ other checks.

Scan your site free

Website Guides

Can You Run Analytics Without Consent in the UK? The ICO's Position

The ICO's position on running analytics without consent in the UK. Why Google Analytics requires prior consent, what server-side and privacy-preserving alternatives qualify as exempt, and how to decide.

Complete GDPR Website Audit: Step-by-Step Checklist

A step-by-step GDPR audit checklist for your website. Check cookies, tracking, privacy policy, forms, third-party services, and security in one pass.

Cookie banner dark patterns in the UK: ICO enforcement in 2026

The 12 cookie banner dark patterns per EDPB taxonomy. ICO top-100 letter campaign, PECR enforcement and what the scanner detects after clicking reject all.