Primary Eyecare Services (“the Organisation”) has been established specifically to act as the lead for a network of local optical practices (“subcontractors”) dedicated to delivering excellent eyecare in the local community.
1. Data Protection
1.1 The principles of data processing
The Organisation processes personal information and complies with the principles of data processing under the Data Protection Act 2018 (DPA 2018). DPA 2018 implements and supplements the EU General Data Protection Regulation (GDPR) in UK law. The Organisation complies with the GDPR, which states that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
1.2 Meaning of personal data
The definition of personal data has been substantially expanded under the GDPR. Personal data means any information about a living individual which:
- identifies that individual (for example, by name, address, qualifications, credit card number or National Insurance number);
- identifies that individual when combined with other information which is held by, or is likely to come into the possession of, the data controller; or
- includes any expression of opinion about the individual or any indication of the intentions of the data controller or any other person in respect of the individual.
It also includes special category (sensitive) personal data such as records of racial or ethnic origin, sexual orientation and health.
1.3 Data Protection – controlling your personal information
The Organisation is registered as a Data Controller with the Information Commissioner’s Office. Register Entry: Z3576057.
You may choose to restrict the collection or use of your personal information in the ways detailed below. You should make requests in writing to Primary Eyecare Services, Waulk Mill (Unit 2.3), 51 Bengal Street, Manchester M4 6LN, or by email to email@example.com. We will require verification of the identity of the individual making the request.
Under GDPR you have several rights as below:
- Right to be informed: You have the right to be informed about the collection and use of your personal data. If you make a request of this nature, we will provide:
- our purposes for processing your personal data
- our retention periods for your personal data
- whom it will be shared with.
- Right of access: Individuals have the right to access their personal data and supplementary information so that they are aware of, and can verify the lawfulness of, the processing of their personal data.
Individuals have the right to obtain:
- confirmation that their data is being processed
- access to their personal data
- other supplementary information as per our privacy notice.
We will respond to Subject Access Requests (SARs) within one month of receipt of the written request. We may extend the period of compliance by a further two months where requests are complex or numerous; if so, we will tell you within one month. There is no charge for making a SAR unless the request is ‘manifestly unfounded or excessive’, in which case we may charge a reasonable fee or refuse the request. The Organisation may withhold personal data where disclosing it would adversely affect the rights and freedoms of others. If we refuse a request, we will explain within one month why we have refused it. You can complain about our decision to the ICO.
- Right to rectification: you can request that your inaccurate personal data is corrected or completed if it is incomplete. You can make this request verbally or in writing.
Upon such a request we will take reasonable steps to satisfy ourselves whether the data is accurate. If it is inaccurate, we will rectify it within one month. We will also contact any other organisations to which we have disclosed the data, unless this proves impossible or involves disproportionate effort.
If we are satisfied that the data is accurate, we will inform you within one month that we will not be amending the data and explain our decision. Where the data records an opinion, it may be difficult to say that the data is inaccurate and requires rectification. If the request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request, and will tell you within one month. You can complain to the ICO if necessary.
We may extend the time to respond to a request by a further two months, provided we tell you within one month that we are doing so and why.
- Right to erasure: you have the right to have your personal data erased by the Organisation where:
- the personal data is no longer necessary for the purpose which we originally collected or processed it for
- we are relying on consent as our lawful basis for holding the data, and the individual withdraws their consent
- we are relying on legitimate interests as our basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing
- we are processing the personal data for direct marketing purposes and the individual objects to that processing
- we have processed the personal data unlawfully
- we have to do it to comply with a legal obligation
- we have processed the personal data to offer information society services to a child
Where we have disclosed the personal data to others, we will contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, we will also inform the individuals about these recipients.
Where the personal data has been made public in an online environment, we will take reasonable steps to inform other controllers who are processing the personal data to erase links to, copies of or replications of that data, taking into account available technology and the cost of implementation.
The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
- Right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, we are permitted to store the personal data but not to use it. An individual can make a request for restriction verbally or in writing.
Restriction is an alternative to requesting erasure: it lets an individual limit the way an organisation uses their data, for example because they dispute the content of the information we hold or how we have processed it. In most cases we will not be required to restrict an individual’s personal data indefinitely, but will need to keep the restriction in place for a certain period of time.
Individuals have the right to request we restrict the processing of their personal data in the following circumstances:
- the individual contests the accuracy of their personal data and we are verifying the accuracy of the data
- the data has been unlawfully processed and the individual opposes erasure and requests restriction instead
- we no longer need the personal data but the individual needs us to keep it in order to establish, exercise or defend a legal claim
- the individual has objected to us processing their data, and we are considering whether our legitimate grounds override those of the individual.
If an individual has challenged the accuracy of their data and asked us to rectify it, they also have a right to request that we restrict processing while we consider the rectification request. If an individual exercises their right to object under Article 21(1), they also have a right to request that we restrict processing while we consider the objection.
Therefore, as a matter of good practice we will automatically restrict the processing whilst we are considering its accuracy or the legitimate grounds for processing the personal data in question.
We will not process the restricted data in any way except to store it unless:
- we have the individual’s consent
- it is for the establishment, exercise or defence of legal claims
- it is for the protection of the rights of another person (natural or legal) or
- it is for reasons of important public interest.
If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the restriction of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, we will also inform the individual about these recipients.
In many cases the restriction of processing is only temporary. Once we have made a decision on the accuracy of the data, or whether our legitimate grounds override those of the individual, we may decide to lift the restriction. If we do this, we will inform the individual before we lift the restriction.
If you are dissatisfied with our handling of your request, you can make a complaint to the ICO or another supervisory authority, or you can seek a judicial remedy.
We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If we consider that a request is manifestly unfounded or excessive, we can:
- request a “reasonable fee” to deal with the request
- refuse to deal with the request.
In either case we will explain our decision.
If we decide to charge a fee, we will contact the individual promptly and inform them. We do not need to comply with the request until we have received the fee.
We will act upon a request for restriction without undue delay and at the latest within one month of receipt. We may extend the time to respond by a further two months if the request is complex or we have received a number of requests from the same individual; in that case we will let the individual know within one month of receiving their request and explain why the extension is necessary.
- Right to object: Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- direct marketing (The Organisation does not engage in this)
- processing for purposes of scientific/historical research and statistics.
For processing based on legitimate interests, a public task or research, your objection must be on “grounds relating to your particular situation”. No grounds are required to object to direct marketing.
We will stop processing the personal data unless:
- we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- the processing is for the establishment, exercise or defence of legal claims.
We will inform individuals of their right to object at the point of first communication and in our privacy notice. This will be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
We will stop processing personal data for direct marketing purposes as soon as we receive an objection, and we will deal with such objections at any time and free of charge.
If we process personal data for research purposes, individuals must have “grounds relating to their particular situation” in order to object to that processing. Where the processing is necessary for the performance of a task carried out in the public interest, we are not required to comply with an objection.
1.4 What we collect
We may collect and process the following information:
- Personal identifiers – name, address, NHS number, date of birth.
- Contact information – postal address, email address, telephone number(s)
- Medical information – general health conditions, medications, previous and current ocular and medical records
- Clinical information – details of any examinations undertaken and test results, these may include images and radiographs.
- Management plan – advice given, copies of referrals and reports.
- Other information – any other information you have voluntarily given to us. This may include:
- Information about medical or health conditions of your family
- Information on disabilities where the organisation needs to make reasonable adjustments
- Information shared for complaints / incident investigation
- Information provided in response to patient satisfaction surveys, which may include protected characteristics (age, disability, gender reassignment, race, religion or belief, sex, sexual orientation, marriage and civil partnership, and pregnancy and maternity)
If you are, or work for, a provider of our services, we may collect and process the following information:
- Personal identifiers – name, address, date of birth, professional registration numbers
- Contact Information – postal address, email address, telephone number(s)
- Other information – any other information you have voluntarily given to us. This may include:
- Disclosure & Barring Service (DBS) certificates and updates
- Information provided in response to workforce surveys, which may include protected characteristics (age, disability, gender reassignment, race, religion or belief, sex, sexual orientation, marriage and civil partnership, and pregnancy and maternity)
If you are a stakeholder representative, we may collect and process the following information:
- Personal identifiers – name, address
- Contact Information – postal address, email address, telephone number(s)
- Other information – any other information you have voluntarily given to us.
1.5 Why we collect and process your personal data
Personal data is collected and processed so that we can provide our patients with the best possible care and experience. We will only collect and process your information where we have a lawful basis to do this.
The lawful basis we rely on when collecting and processing your data to provide healthcare or for the treatment or management of a healthcare condition is legitimate interest. This may include the following:
- To book your appointment
- To communicate with you: to confirm your appointment and send a reminder, and to contact you about any changes to our service that may cause inconvenience, e.g. changes and cancellations
- To perform and review clinical and diagnostic examinations
- To make onward referrals and notifications to other healthcare professionals
- To investigate complaints and incidents
The lawful basis we rely on when collecting and processing data from individuals involved in the provision of healthcare services is the performance of our contract with them. This may include:
- To review information provided by sub-contractors
- To review evidence provided by clinicians
- To process payments and associated queries from sub-contractors
- To ensure all sub-contractors and staff involved in the provision of services are kept up to date
- To communicate with stakeholders in the development and provision of eyecare services
We rely on legal obligations where we have a statutory or legal obligation to process the data. This may include:
- When you exercise your rights under data protection law and make requests e.g. subject access requests
- For compliance with legal and regulatory requirements and related disclosures
- For establishment and defence of legal rights
- For activities relating to the prevention, detection and investigation of crime
We rely on consent, and ask for your explicit permission, to process your data for surveys and patient feedback questionnaires.
1.6. Security of personal data
Personal data is stored electronically and within the UK. It is not stored in paper format.
The Organisation shall continue to take appropriate technical and organisational measures to limit the opportunity for unauthorised or unlawful processing of personal data and to guard against accidental loss or destruction of or damage to personal data. Appropriate contractual obligations shall be incorporated into contracts which the Organisation enters into with third parties.
The Organisation will continue to ensure that appropriate staff are employed to undertake data processing and that they are aware of their responsibilities in relation to the processing of personal data as it applies to their area of work. Where appropriate, training will be given.
1.7 Sharing of personal data
We may share your information with third parties that are involved in the direct delivery of your healthcare. These may include, but are not limited to:
- NHS healthcare providers who have or will be providing treatment to you.
- Other healthcare professionals including your GP, optometrist, pharmacist
- Sub-contractors and other persons who help us to provide healthcare services to you
- Companies and other persons including interpreters providing services to you
- Any other clinician involved in the delivery of your healthcare
There may be occasions when we share your information for reasons not directly linked to the delivery of healthcare. Where this is the case, it would be to comply with our contractual and legal requirements. These may include, but are not limited to:
- NHS Digital
- NHS England / Improvement
- To receive payment from a commissioner
- Local authority safeguarding team and PREVENT
- In an emergency or to otherwise protect your vital interests
- Others with whom we must share information to comply with a legal obligation (including court orders and the administration of justice)
- General Optical Council and other professional bodies
- Our legal advisors and insurers where a claim has been made or could be made
- A representative nominated by yourself, separate consent would be obtained in this scenario.
We may also share your information with third parties where we outsource certain functions, including but not limited to our finance and logistics functions and other service products that we use. We would do this for our legitimate interests, such as the effective financial and business management of the Organisation.
We would never share your data for marketing purposes.
1.8 Email privacy
1.8.1 Why did you receive an email from us?
If you received a mailing from us, (a) your email address is either listed with us as someone who has expressly shared this address for the purpose of receiving information in the future (“opt-in”), or (b) you have an existing relationship with us. We respect your time and attention by controlling the frequency of our mailings.
1.8.2 How can you stop receiving email from us?
Each email sent contains an easy, automated way for you to cease receiving email from us, or to change your expressed interests. If you wish to do this, simply follow the instructions at the end of any email.
If you have received unwanted, unsolicited email sent via this system or purporting to be sent via this system, please forward a copy of that email with your comments to firstname.lastname@example.org for review.
2. Website privacy
The Organisation is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, you can be assured that it will only be used in accordance with this privacy statement.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
A cookie is a small file that is placed on your computer’s hard drive with your permission. Once you agree, the file is stored; it helps analyse web traffic and lets the site recognise you when you visit again. Cookies allow web applications to respond to you as an individual: the web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
2.3 Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
2.4 How we protect your privacy
We use security measures to protect against the loss, misuse and alteration of data used by our system.
This policy was updated in September 2020 and will be reviewed annually.