Your Data, Their Portal — The Hidden Risks of Digital Patient Forms
🧠 TL;DR — Why I Challenged an Online Dental Form
Many GP and dental practices now ask patients to fill in online forms — but often through third-party platforms with vague or missing information. I paused before clicking, and I’m glad I did.
This post explores:
- 🕵️‍♂️ Who might really be collecting your data (hint: not always your dentist)
- 🧾 What kind of sensitive info you’re being asked to give
- ⚖️ What the law says about consent, data sharing, and your rights
- 🚪 What to do if you’re told you must complete the form
- ✍️ How to ask the right questions — even after you’ve submitted it
⚙️ I’ve also included free downloadable letter templates and visual guides to help you speak up — calmly, clearly, and confidently.
🦷 “Just Fill Out This Form…”
Why I Chose to Challenge It … And Why You Might Want to Think Twice Too
Before a recent dental appointment, I received a link asking me to complete an online form. It looked like a routine check-in, something we’re becoming increasingly familiar with.
But something didn’t sit right.
The link didn’t take me to my dentist’s website. It directed me to a third-party platform I hadn’t heard of. The terms were vague. I wasn’t told exactly what data would be collected, how it would be used, or who might see it.
That’s when I decided to pause … and ask some questions.
🔍 Who’s Really Collecting Your Data?
You might assume you’re giving information directly to your dentist… but that’s not always the case.
In many practices, online check-in forms are handled through a third-party website, often managed by an external provider. While your dentist remains responsible for your care, the data you enter may first be collected, processed, and stored by a separate company that isn’t part of the NHS — or even part of the dental practice itself.
In data protection terms, your dental practice is the data controller. The company running the online form acts as a data processor — handling your information on their behalf. But as a patient, you might not realise this… especially if there’s no clear privacy notice, no explanation of how your data will be used, and no option to decline the system without losing access to care.
❓ Why Should You Care?
You might be thinking… “It’s just a form — does it really matter?”
The short answer is yes — because those forms often ask for more than just your name and phone number.
You could be asked to enter things like:
- Medications you’re taking
- Ongoing health conditions
- Allergies
- Mental health or lifestyle questions
- Emergency contact details
- Gender identity or other personal background info
This isn’t just admin — it’s sensitive information. And once you click submit, that data may be stored in more than one place, seen by more people than you expect, or kept for longer than you realise.
In some systems, it might even be used for stats, automation, or passed to other companies working behind the scenes… and the truth is, you might never be told that’s happening.
This isn’t about being dramatic — it’s about making sure you stay in control of your personal information. In fact, the law says you must be told clearly what’s being collected, why it’s needed, and who will have access… before you’re asked to share anything at all.
More on that in the next section.
⚖️ Is This Even Legal?
The short answer is… maybe — but only if it’s done properly.
When a dental practice asks for your personal or health information, they’re required by law to follow the UK GDPR and the Data Protection Act 2018. These laws are there to make sure your data is handled fairly, securely, and transparently.
That means:
- You must be told exactly what data is being collected
- You must know why they’re asking for it
- You must be shown who else will see it — including any third parties or companies involved
- You must be told how long your data will be kept
- And — if it’s sensitive information like your health — you must usually give clear, informed consent
If any of that is missing… it’s a problem. And if you’re being pushed to accept vague or hidden terms just to get seen, that’s not real consent.
Even if the form is run by a third-party company, your dental practice is still responsible for how your data is handled. It’s their job to make sure:
- The system is safe
- The privacy information is clear
- And that you know exactly who your data is being shared with, and why
Because if you don’t know where your personal information is going… you can’t give proper permission in the first place.
🚪 What If They Refuse to See You?
This is something more and more people are running into… you’re told you must complete the online form or you can’t be seen. And let’s be honest — when you’re unwell, chasing an urgent appointment, or just trying to keep life on track, most people don’t have the energy to argue. You just want to be seen.
Healthcare providers know that. They know people will often take the path of least resistance — click the link, tick the box, and move on.
And that’s exactly why consent needs to be real — not something given under pressure or confusion.
The law says consent must be freely given and informed. But in practice, it often isn’t. If you’re told “you have to use the portal or we can’t book you in,” that’s not really a choice — it’s a barrier.
To make matters harder, the first person you speak to — usually a receptionist — probably won’t know who processes the data, where it goes, or how long it’s kept. They’re not trying to be difficult… they’re under pressure too, just doing their job, and often haven’t been given the full picture either.
So what can you do?
- You can ask if there’s another way to give your information — a paper form, a phone call, or in person.
- You can ask for the practice’s privacy policy — they’re required to provide it.
- And even if you go ahead with the form, you can still follow up afterwards to ask where your data went.
This isn’t about blaming reception staff. It’s about fixing a system that leaves patients and staff alike in the dark.
🖊️ What If Someone Else Fills In the Form for You?
This part often gets overlooked… but it happens more than you’d think.
If a patient doesn’t have internet access, struggles with forms, or simply calls the practice for help, a receptionist or staff member may offer to fill out the online form on their behalf — over the phone or at the desk.
Now, in principle, that sounds helpful. But in practice, it raises some serious questions.
If you don’t see the form yourself…
- How can you know what information is being recorded?
- How can you agree to the terms if you’ve never read them?
- How can you give proper consent to share your data with a third-party system?
Even if the staff member is doing their best to help, it doesn’t change the fact that you’re being signed up to something you haven’t seen.
And that’s a problem — because under UK GDPR, consent must be informed and specific. That means you should be the one reading the terms, understanding what’s being collected, and agreeing to it knowingly.
If someone else fills in the form for you without explaining the terms first, it’s hard to see how that meets the legal standard for informed consent — especially when sensitive health data is involved.
This isn’t about blaming staff. Most of the time, they’re just trying to help under tight time pressure. But that’s exactly why the system itself needs to change, so that patients aren’t being signed up to third-party platforms they haven’t seen or understood.
🧩 What Practices Might Say… and Why It Still Matters
To be fair, most dental practices and GP surgeries aren’t trying to mislead anyone. They’re juggling high demand, tight budgets, and limited staff time — and digital check-in systems are often sold as a way to make life easier for everyone.
So if you raise concerns, you might hear something like:
- “It’s just admin, not clinical.”
- “It speeds things up and keeps everyone safe.”
- “We only use trusted systems — they’re all GDPR compliant.”
- “If you don’t want to use it, just tell us.”
And all of that might be true — to a point.
But it still doesn’t change the fact that you deserve to know where your personal data is going, and who might be accessing it. Even if the system is reputable… even if the intentions are good… and even if it’s just one small form.
Because today, data breaches are rising year after year. Identity theft is no longer a rare crime — it’s an industry. And once your details are out there, it’s very hard to get them back.
This isn’t about being awkward, or suspicious, or anti-tech.
It’s about balance.
It’s about asking: can we have digital convenience without losing control over our data?
That’s all most people want — to be informed, respected, and given a real choice.
✅ What You Can Do (Even If You’re Not a Tech Expert)
You don’t need to be a privacy expert to take back a bit of control. Most of this comes down to asking the right questions and giving yourself permission to pause before clicking “Accept.”
Here are a few small things you can do:
- Ask what system they’re using. If it’s part of the NHS, it’s usually software like:
  - SystmOne (used in many GP surgeries)
  - EMIS (another major NHS records system)
  - ICE (used for lab results and referrals)

  These systems are managed under strict NHS data rules.
- Check if there’s another option. You can usually ask for a paper form, a quick phone call, or to fill in the info in person.
- Request a copy of the practice’s privacy policy. They’re legally required to provide one.
- Look for any mention of who your data is shared with. Ask if any external companies or cloud platforms are involved.
- Take a screenshot of the form or terms. Especially if you’re being asked to agree to something you haven’t seen before.
- Don’t be afraid to ask questions. If the form includes medical info, lifestyle questions, or anything sensitive — it’s fair to want clarity first.
- Even if you’ve already filled it in, you can still follow up afterwards and ask where your data went, who handled it, and how long it will be kept.
And if something doesn’t feel right — you can always raise it with the practice manager, or contact the Information Commissioner’s Office (ICO) for guidance.
This isn’t about saying no to technology. It’s about making sure that digital convenience doesn’t come at the cost of your right to choose.
📬 Need Help Asking the Right Questions?
Not sure what to say? These downloadable letters make it easier to ask your practice the right questions — whether you’re raising a concern or simply want to understand how your data is used.
If you’d like to check how your GP or dental practice handles your personal information when using digital forms, here are two easy-to-use letter templates:
📄 Quick Letter (for everyday use)
A short, friendly request that asks the key questions without any legal jargon.
✅ Great for patients who just want a clearer picture before clicking “Accept.”
🧾 Full Letter (for formal use or detailed enquiries)
Covers everything — including legal references and detailed questions about data storage, retention, third-party processors, and your rights.
✅ Ideal if you want a comprehensive response or feel something isn’t quite right.
🕵️ Have You Ever Wondered Where Your Data Went?
If you’ve ever filled out an online form and later received unexpected contact — or just had a nagging feeling that your information was being used in ways you weren’t clearly told about — you’re not alone.
Sometimes these things slip through unnoticed. You might not remember clicking anything. You might not even know which company was involved. That’s okay.
It’s never too late to ask.
“Hi, I completed a form a while ago and would like to know how my data was used.”
That one sentence is enough to start a conversation.
You have a legal right to ask — even after the fact — how your data was collected, shared, stored, and for how long. Whether you’re curious or concerned, you’re well within your rights to request a clear answer.
🔄 What If You’ve Already Filled It In?
If you’ve already submitted the online form and now want to check where your data went — don’t worry, it’s not too late.
You can still use either of the template letters above, with a small tweak to the opening line:
Instead of:
“Before doing so, I would be grateful if you could provide further information…”
Try:
“After completing your online form, I’d be grateful if you could confirm how my personal data is being handled.”
Your rights don’t disappear once the form is submitted — in fact, that’s when they matter most.
You’re entitled to know:
- What data was collected
- Who has access to it
- Where it’s stored
- How long it will be kept
- And how you can access or erase it if needed
If you don’t get a clear response, you can always raise it with the Information Commissioner’s Office (ICO).
📭 What If You Don’t Get a Response?
If you send a letter or raise a concern and don’t receive a reply — or if the response feels vague, incomplete, or dismissive — you can take it further.
The Information Commissioner’s Office (ICO) is the UK regulator that helps people understand and exercise their data rights. They oversee how organisations handle personal data, including health records.
You can contact them if:
- You don’t receive a reply after a reasonable time
- You’re not satisfied with how your query was handled
- You think your data may have been misused or processed without proper explanation
👉 Learn more at: ico.org.uk/your-data-matters
Raising a concern doesn’t have to be formal or aggressive — and you don’t need legal knowledge to ask. You’re simply exercising your right to know where your personal information went and how it’s being protected.
🔚 Final Thoughts: Pause, Ask, Choose
Digital forms aren’t going away — and in many cases, they do make things faster and easier.
But that convenience shouldn’t come at the cost of understanding, or at the cost of your control over what happens to your personal data.
You don’t have to be an expert. You don’t need to memorise the law.
All you really need is to pause for a moment, ask a couple of questions, and make sure you’re comfortable before clicking “Accept.”
Because once your data is out there… it’s not always easy to pull it back.
The more we speak up — even quietly, even once — the more likely it is that systems will start respecting the people they’re built for.
This isn’t about saying no to technology… it’s about making sure you still have a choice.
Thanks for reading — and if this post helped you think twice before handing over your information, feel free to share it with someone else too. These things only change when more of us start asking the same questions.
📚 Further Reading & Case References
If you’d like to dive deeper into the rules that protect your data — and what happens when organisations get it wrong — here’s a short reference list:
🔒 UK GDPR & Data Protection Act 2018
Covers lawful processing, consent, and transparency — especially Articles 6, 9, 13, and 14.
🔗 UK GDPR Overview – ICO
📜 UK Data Protection Act 2018
Works alongside UK GDPR, setting national rules for data handling, special category data (like health), and enforcement.
🔗 View the full UK Data Protection Act 2018
🧑‍⚕️ NHS Data Security & Protection Toolkit (DSPT)
Sets expectations for NHS-funded providers using third-party systems.
📄 NHS Data Security & Protection Toolkit (DSPT)
This comprehensive guide outlines the standards for managing health and care records within the NHS and related organisations. It covers legal obligations, best practices for record-keeping, and retention schedules (NHS Transformation Directorate).
HTML Version:
🔗 Read the Code Online
🤝 Common Law Duty of Confidentiality
Requires healthcare professionals to protect patient information and only share it with informed consent, a legal obligation, or strong public interest justification.
🔗 https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice
🦷 GDC Standards for the Dental Team – Standard 4
Requires practices to be transparent and respectful when handling patient information.
🔗 GDC Standards
🏥 CQC Digital Records Guidance
Outlines what good digital record-keeping looks like in regulated care settings — including availability, security, person-centred care, and oversight.
🔗 Read the CQC Guidance on Digital Records
📄 Download the PDF


