At Chetty & Das Optometrists we are committed to the highest privacy standards. However you choose to interact with us, we will only collect data that is necessary for us to deliver the best possible service and ensure you are reminded about appointments or anything else relevant to your ongoing care. This policy provides detailed information on when and why we collect your personal information, how we use it and the very limited conditions under which we may disclose it to others.
Why we collect and process your personal data?
We collect and process patients’ personal data for the purposes of healthcare and marketing.
Our legal bases for processing personal data for healthcare purposes, including appointment reminders, include public task or legitimate interests.
- When we provide services under the NHS General Optical Services contract (such as a sight test funded by the NHS), our legal basis for processing personal data in respect of that service is public task
- Otherwise our legal basis is legitimate interests
Our condition for processing special category data is the provision of health or social care.
We process our patients’ personal data for marketing purposes with their consent or to meet a legitimate interest. This means we can tell you about eye care products and services that may be relevant to you. If you do not want us to process your personal data for marketing purposes, please let us know and we will stop.
What information do we collect about you?
The personal data of patients that we may collect and process includes:
- Your name, contact details and personal identifiers (such as date of birth and NHS number)
- Your general and ocular health history, your family medical and ocular history, and any relevant signs or symptoms you tell us about
- Details of medicines, spectacles and contact lenses prescribed for you
- Details of examinations and other healthcare checks and treatments we provide
- Information relevant to your continued care from other people who care for you or know you well, such as other health professionals and relatives
This data is always held securely and we will only ever collect information that is relevant and necessary.
What do we do with your personal data?
We will use your personal data to provide you with the best and most appropriate products and services. We will use your contact details to remind you when your appointments are due and respond to queries from you. We may suggest relevant products or services that we believe would be of interest to you and where appropriate, your bank details to collect Direct Debits as agreed.
We may occasionally contact you to ask for your feedback on services we have provided and to offer the opportunity to trial new products. We may email you with details of upcoming events being held at the practice which you may wish to attend.
We process your personal data in strict confidence. We keep your personal data securely in our filing and electronic systems. Patient records are only accessible to the healthcare professionals working at the practice and those under their supervision.
We will usually keep any personal data we hold about you for ten years after our last contact with you before we delete it. This is the period recommended as good practice by the College of Optometrists. If we collected the data when you were aged under 18 we will keep it until your 25th birthday, in line with NHS requirements. In exceptional cases we may need to retain personal data for a longer period, and will explain our reasons for doing so on request.
In the course of processing your personal data we may share it with:
- The healthcare professionals working at this practice and those under their supervision
- Healthcare professionals and those under their supervision at other optical practices, but only if you have specifically asked us to pass your personal data (such as your prescription) to them
- Your GP, ophthalmologists and other healthcare providers and commissioners, and suppliers of optical appliances or similar products, in connection with your ongoing healthcare treatment
- Software providers for our patient record and invoicing systems, and financial institutions, so that we can keep patient records up to date and arrange payment for services provided to you
How do we store, process and retain your personal data?
To provision and manage our services, your data is stored and processed by Optix Software Ltd within their UK facilities that are certified to ISO27001. If we collect Direct Debits from you these payments will be processed by Eyecare Payments Ltd. Any third-party company is only permitted to process your data for the specified purposes and in accordance with our instructions.
We retain your information for as long as reasonably necessary to provide our products and services and to maintain records to satisfy tax and other legal requirements.
Electronic data is password protected. We also hold some personal data in paper form which we store securely. Employees can only access the information essential for their role and receive appropriate training for their role.
How and when would we share your personal information?
If we are providing any third-party company with your personal data, such as manufacturers, distributors and suppliers, they will only be permitted to process your data for the specified purposes and in accordance with our instructions. Where we do so, we will only share your personal data to the extent necessary and in accordance with contracts which require those organisations not to retain your personal data for any longer than needed or use it for any other purposes (including marketing).
Where necessary we may disclose your information to health care professionals including the NHS. We may also pass information to external agencies and organisations, including the police, for the prevention and detection of fraud and criminal activity. Should any claim be made, we may pass your personal information to our insurers and if our business is wholly or partially transferred to a third party, your personal information may be one of the transferred assets.
What are your rights with respect to the Personal Information we hold?
You have legal rights in respect of the personal data we hold about you. The Information Commissioner’s Office (ICO) has published guidance on the full range of rights. The rights that are most relevant to the way in which we use your personal data include:
- The right to be informed about how we use personal data – this privacy notice gives that information
- The right to object – if you object to us processing your data for marketing purposes, or for healthcare purposes where our legal basis is legitimate interests (see ‘why we collect and process your personal data’, above), we will then stop doing so, unless we are processing the data in respect of a legal claim or can otherwise show that our legitimate interest in processing the data overrides your rights and interests
- The right of access – if you ask us for the personal data we hold about you we will provide it within a month, free of charge (unless we have already provided it to you, in which case we may have to charge you the administrative cost of providing it again).
- The right to rectification – if you ask us to correct personal data about you that is inaccurate or incomplete, we will do so within a month (unless we need longer, in which case we will discuss this with you)
- The right to erasure – also known as the ‘right to be forgotten’. If you ask us to delete your personal data, we will do so if there is no compelling reason to continue processing the data. We will not usually delete healthcare data before our usual time limit (see ‘how we hold and share your personal data’ above) where we have a duty to keep accurate records – for example, to comply with a legal obligation, or in connection with a legal claim. If you ask us to delete such data we will discuss this with you
Can you update your communication preferences?
You may choose to opt-out of any marketing activities. You may ask that we do not send you communications using any of the contact details we hold on our records, this may include your email, SMS, telephone and postal information. You may also request we restrict our communications to clinically necessary messages. Your personal preferences can be changed at any time by using the link at the end of every email and SMS message we send or by using our contact details below.
A cookie is a small text file containing information that a web site transfers to your computer’s hard disk for record-keeping purposes. A cookie cannot give us access to your computer or to your personal information. Most web browsers automatically accept cookies; consult your browser’s manual or online help if you want information on restricting or disabling the browser’s handling of cookies. If you disable cookies, you can still view the information on our web site, but the functionality of certain areas may be reduced.
Please speak to us first if you have any questions or concerns about the way in which we process personal data. You can get in touch with us by:
Last updated: May 2018