Data Protection Policy
Introduction
The General Data Protection Regulations (GDPR) protects patients, suppliers and manufacturers (hereafter known as “individuals”) against the misuse of personal data and may cover both manual and electronic records.
All records, whether they be held electronically or physically, fall within scope of the Regulations.
The Regulations require that any personal data held should:
- be fairly and lawfully processed
- be processed for limited purposes and not in any manner incompatible with those purposes
- be adequate, relevant and not excessive
- be accurate
- not be kept for longer than is necessary
- be processed in accordance with individuals' rights
- be secure
- not be transferred to countries without adequate protection
The Regulations also provides certain rights. The most important right is the right to access personal data held about the individuals.
This policy helps ensure that we do not breach the General Data Protection Regulations, which provides strict rules (as outlined above).
The Data Controller at the practice is MATTHEW AUSTEN (Deputy: Debby Newton)
PERSONAL DATA
David Austen Optometry holds personal data about you. A privacy notice will be provided separately which tells you what information we hold, what we do with it, who we share it with and the lawful basis for the processing of your data. If this information changes you should let us know at the earliest opportunity so that our records can be up-dated.
The personal data that has been collected about you will be kept for the following purposes:
Patients
- Maintain a record of personal details for use in the ongoing treatment you may receive at this practice. This will enable us to be able to contact you as and when necessary.
- Enable us to look back at your medical history in order to compare, diagnose and provide the right treatment for the continuing health of your eyes.
- Enable us to keep an up to date record of payments you have made during your treatments and examinations at the practice.
- To enable us to provide services via eye care schemes, paid for by monthly direct debits.
All information will be held for the statutory retention period as outlined in the table below:
| Record | Statutory Retention Period |
|---|---|
| Patient personal details |
10 YEARS (as advised by College of Optometry) NHS specified: 7 years or in the case of children under 18, until their 25th birthday. |
| Patient medical history |
10 YEARS (as advised by College of Optometry) NHS specified: 7 years or in the case of children under 18, until their 25th birthday. |
| Information relating to patient complaints |
10 YEARS (as advised by College of Optometry) NHS specified: 7 years or in the case of children under 18, until their 25th birthday. |
However, in exceptional circumstances this information may be held for longer periods and in this case David Austen Optometry will explain the legal basis for retaining the data upon request.
All individuals have the right to request that their personal data is deleted; such requests will be dealt with by Matthew Austen, who will review the request and take appropriate steps. If the request is denied, David Austen Optometry will respond with the reasons, including the legal basis, for retaining data.
Use of Personal Data
To ensure compliance with the Regulations and in the interests of privacy, confidence and good working relations, the disclosure and use of information held by David Austen Optometry is governed by the following conditions:
- a. personal data must only be used for one or more of the purposes specified in this policy.
- b. provided that the identification of the individuals is not disclosed, statistical information may be used to respond to any legitimate internal or external request for data
- c. personal data must not be disclosed, either within or outside the company, to any unauthorised recipient
- d. It may be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses but we will always do this with your security in mind.
ACCESS TO PERSONAL DATA (“SUBJECT ACCESS REQUEST”)
All individuals have the right to access personal data held about them. David Austen Optometry will arrange for all personal data held relating to the individuals to be made available within 30 days of receipt of a written request. Information will be provided electronically in a commonly used format.
DATA BREACHES
Where David Austen Optometry becomes aware of a personal data breach it will, without undue delay and where feasible, not later than 72 hours of becoming aware of it, notify the personal data breach to the Information Commissioners Office (ICO), unless the controller is able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Where the above aim cannot be achieved within 72 hours, an explanation of the reasons for delay will accompany the notification to the ICO and information may be provided in phases without undue further delay.
In addition, data subjects will be notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms to allow them to take the necessary precautions. This notification will describe the nature of the personal data breach as well as recommendations for the individual concerned to mitigate potential adverse effects. This will be done as soon as reasonably feasible, and in close co-operation with the ICO.
