PRIVACY NOTICE FOR PATIENTS OF BARGOED SIGHT CENTRE. 

Bargoed Sight Centre is the data controller for personal information processed. We are committed to protecting your personal information and respecting your privacy. We have a legal duty to explain how we use personal information about you at our organisation.

What Information do we collect about you?

We will collect information about you to provide you with care and treatment as well as to enable effective management of the practice. We collect sensitive personal information about you (also known as special category data) which includes information relating to your health, this includes details of medications and appliances dispensed as well as significant advice given, referrals made to other health professionals and any other relevant information. We will also collect your personal information to fulfil services and provide goods which you commission from us.

Personal information we may collect includes:

• Your name, address, date of birth, and gender
• Contact details
• NHS number
• GP details
• Ethnicity (for the identification of eye health risk factors)
• Your relevant health details such as:
  • Current and past eye health conditions and other related health information;
  • The reason for any consultation and presenting condition;
  • Details and findings of any assessment or examination conducted;
  • Details of any treatment, referral or advice you provided, including any drugs or appliance prescribed;
  • Glasses, contact lens, appliance or medication prescriptions issued or provided to us;
  • Communications between your optometrist and your GP, ophthalmologist, or other relevant healthcare providers.
• Information about your employment, lifestyle and whether you drive
• Billing, payment and insurance/claim information
• Information that you provide by completing forms on our website
• Any other information you have chosen to give us.

How is your personal data collected?

The information we hold is collected through various routes, these may include:

• Direct interactions with you (or your representative) as our patient or service user, when you receive care and treatment from us, during consultations with optometry staff or on the telephone;
• Indirectly from other healthcare providers, when you attend other organisations providing health services, for example your GP or another optometry practice may share information with us to refer you to our services;
• Automated technologies such as when you interact with our website, we may automatically collect data about your equipment, browsing actions and patterns. This is collected using cookies, for further information about how we use cookies, please see our cookie policy at the very bottom of our website: https://www.bargoedsightcentre.co.uk/

How do we use your information?

The information we collect about you is primarily used for your direct care and treatment, and to fulfil services you commission, it may also be used for:

• The management of healthcare services;
• Legal requirements;
• Security and safety of our staff and premises.

The Optometry practice must keep your personal information and records private. The use and sharing of your information will be in line with the following laws and guidelines:

• UK General Data Protection Regulation (UK GDPR) 2016
• Data Protection Act 2018
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• NHS (Wales) Act 2006
• Health & Social Care (Wales) Act 2016
• Public Health (Wales) 2017

We deploy appropriate organisational and technical measures to ensure the security of your personal information. Access is strictly controlled and every member of staff at the optometry practice must sign a confidentiality agreement and complete regular training.

Partners we may share your information with

We may share your information, subject to agreement on how it will be used, with the following organisations:

• Local Health Board
• Your GP
• Other local healthcare contractors to whom we refer you to receive care
• Local services for social prescribing
• Digital Health and Care Wales (DHCW)
• NHS Wales Shared Services Partnership (NWSSP)
• Legal and Risk Services
• The police and other statutory enforcement authorities such as HMRC
• Public Health Wales (PHW)
• Driver and Vehicle Licensing Agency (DVLA)
• NHS Counter-Fraud Authority
• The General Optical Council (GOC).

We may also use external third-party companies (data processors) to process your personal information. Any third-party company will be bound by contractual agreements to ensure information is kept confidential and secure.  This means that they cannot do anything with your personal information unless we have instructed them to do it.  They will not share your personal information with any organisation apart from us.  They will hold it securely and retain it for the period we instruct.

We will not share your information with any third parties for the purposes of direct marketing.

Our legal basis for processing your personal data

The legal bases for most of our processing relates to your direct care and treatment:

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Where we are processing personal data to fulfil services or provide you with goods you commission from us, for example to process orders, transactions and payments, our legal basis is:

Article 6(1)(b) – processing is necessary for the performance of a contract.

Where the optometry practice relies on your consent for the processing (for example, if you have consented to receive marketing materials), you have the right to withdraw consent at any time.

 

Where we process special category data, for example data concerning health, racial or ethnic origin or sexual orientation, we need to meet an additional condition in the UK General Data Protection Regulation (UK GDPR). Where we are processing special category data for purposes related to the commissioning and provision of health services, the condition is:

Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and service; or

Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

 

The optometry practice may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights.  Where we process personal data for these purposes, the legal basis for doing so is:

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject

Where we process special category data for these purposes, the legal basis for doing so is:

Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or

Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

 

In rare circumstances, we may need to share information with law enforcement agencies or to protect the wellbeing of others, for example to safeguard children or vulnerable adults. In such circumstances our legal basis for sharing information is:

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or

Article 6(1)(d) – processing is necessary to protect the vital interest of the data subject or another natural person; or

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we share special category data for the purposes of safeguarding, the legal basis for doing so is:

Article 9(2)(g) – processing is necessary for reasons of substantial public interest; Data Protection Act 2018 S10 and Schedule 1, Paragraph 18 ‘Safeguarding of children and individuals at risk’

 

Retention of your Personal Information / Storing your Information

We are required by UK law to keep your information and data for a defined period, often referred to as a retention period.  The optometry practice will keep your information in line with the organisation’s records management policy, which can be found at our practice (please ask for details)]. In line with The Terms of Service for the Wales General Ophthalmic Service, we retain patient records:

• For adults, for 10 years after your last visit.
• For children and young people, for 10 years after your last visit, or until you turn 25, whichever later.

How to Contact us

Please contact the optometry practice if you have any questions about our privacy notice or information, we hold about you, via the below methods:

Bargoed Sight Centre
26 Hanbury Road
Bargoed
CF81 8QT

TEL: 01443830750

EMAIL: info@bargoedsightcentre.co.uk

 

Contact Details of our Data Protection Officer

The optometry practice is required to appoint a Data Protection Officer (DPO).  This is an essential role in facilitating our organisation’s accountability and compliance with UK Data Protection Law.

Our Data Protection Officer is:

Digital Health and Care Wales,
Information Governance, Data Protection Officer Support Service
6th Floor, Tŷ Glan-yr-Afon
21 Cowbridge Road East
Cardiff
CF11 9AD
Email: DPOService@wales.nhs.uk

Your Rights

The UK GDPR includes several rights.  We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this.

The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, there are some circumstances in which we may not uphold a request to exercise a right.

Your rights and how they apply are described below:

Right to be Informed

Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

Right of Access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the UK GDPR, although there are exceptions to what we are obliged to disclose.

The optometry practice may not provide information where an appropriate health professional has determined that disclosure would be likely cause serious harm to the physical or mental health of you or others.

Right to Rectification

You have the right to ask us to rectify any inaccurate data that we hold about you.

Right to Erasure (right to be forgotten)

You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.

Right to Restriction of Processing

You have the right to request that we restrict the processing of the personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data.

Right to Data Portability

This right is only available where the legal basis for processing under the UK GDPR is consent, or for the purposes of a contract between you and the organisation. For this to apply the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.

Right to Object

You have the right to object to processing of personal data about you at any time. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds, unless your objection relates to marketing.

Rights in relation to automated individual decision-making including profiling

You have the right to object to being subject to a decision based solely on automated processing, including profiling.  Should we perform any automated decision-making, we will record this in our privacy notice and ensure that you have an opportunity to request that the decision involves personal consideration.

Right to complain to the Information Commissioner

You have the right to complain to the Information Commissioner if you are not happy with any aspect of the organisation’s processing of personal data or believe that we are not meeting our responsibilities as a data controller. The contact details for the Information Commissioner are:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF

Website: www.ico.org.uk

Tel: 0303 123 1113

Email: wales@ico.org.uk

ANNEX 1

 

Invoice Validation – If you have received treatment funded by the NHS, your personal information may be shared within a secure environment, to ensure the correct Health Board covers the cost of your care and treatment.
Purpose of the Processing	Recipients	Legal Basis
To ensure the correct Health Board is charged for the cost of your care and treatment.	Details of the services provided will be shared for charging purposes with Health Boards and NWSSP as part of payment and auditing requirements.	Article 6(1)(e) ‘…. necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ Article 9(2)(h)’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

 

 

Registering for NHS Health Care – Everyone who receives NHS care will be registered on a national database, which holds your name, address, date of birth and NHS number.  No medical Information is held.  This database is held within Digital Health and Care Wales (DHCW) who have the legal responsibilities to collect NHS Data
Purpose of the Processing	Recipients	Legal Basis
Centralised national database of all patients who receive NHS care in Wales.  This is held within DHCW who have a legal responsibility for collecting this data.	NHS Wales – Information is shared with Welsh Government in an anonymised form for statistical analysis.	Article 6(1)(e) ‘…. necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ Article 9(2)(h)’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
Direct Care – The Optometry practice will share your information with other services to provide you with direct care and treatment for example referring you to received specialist treatment or support, your GP, or secondary care.
Purpose of the Processing	Recipients	Legal Basis
To give direct health or social care to individual patients through working with other health and care professionals to plan and provide specialist services in a hospital setting.	Local Health Boards, GP Practice, other local Optometry Practices who can provide specialist services, local services for social prescribing.	Article 6(1)(e) ‘…. necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ Article 9(2)(h)’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Safeguarding – There may be rare situations where we need to share information to protect people with safeguarding needs such as children, staff or even you from harm.  No consent of permission is needed for the Optometry Practice to do this.
Purpose of the Processing	Recipients	Legal Basis
To protect children, staff or vulnerable adults from harm.	Your information may be shared with Social Services, the Police or other law enforcement bodies where the law allows. or Your information must be shared if a court orders us to do.	Article 6(1)(c) ‘…. necessary for the compliance with a legal obligation to which the controller is subject’ and/or Article 6(1)(d) ‘…. Necessary to protect the vital interests of the data subject or another natural person’. and/or Art 6(1)(e) ‘…. necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ Art 9(2)(g) ‘… necessary for reasons of substantial public interests.’ Data Protection Act 2018, S10 and Schedule 1 Para 18 ‘Safeguarding of children and individuals at risk’

Driver and Vehicle Licensing Agency (DVLA)– There may be rare situations where we need to share information with the DVLA regarding your fitness to drive
Purpose of the Processing	Recipients	Legal Basis
Where we have assessed that you may not be safe to drive; and we consider that you will not or cannot inform the DVLA yourself; and we have a concern for road safety in relation to yourself and/or the wider public.	DVLA. If you are a train driver, pilot or seafarer and we have concerns regarding your vision means you may not be able to do their job safely, and we believe you will not or cannot inform your employer or the relevant body, we may share information with the Office of Rail and Road, the UK Civil Aviation Authority or the Maritime and Coastguard Agency.	Article 6(1)(c) ‘…. necessary for the compliance with a legal obligation to which the controller is subject’ and/or Article 6(1)(d) ‘…. Necessary to protect the vital interests of the data subject or another natural person’. and/or Art 6(1)(e) ‘…. necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ Art 9(2)(g) ‘… necessary for reasons of substantial public interests.’

Health Care Inspectorate Wales (HIW) and General Optical Council (GOC) – Healthcare Inspectorate Wales and the General Optical Council are independent inspectorate and regulatory bodies of health and care in Wales. They may work independently or in conjunction to regulate and inspect NHS services and independent healthcare providers to ensure that safe care is provided and to identify areas for improvement. It is compulsory and a legal requirement for the Optometry Practice to inform HIW and GOC of any serious incidents that may occur such as when a patient safety has been put at risk.   Further information can be found at: http://hiw.org.uk/?lang=en
Purpose of the Processing	Recipients	Legal Basis
The law requires information to be shared with the Healthcare Inspectorate Wales and General Optical Council so they can perform their regulatory functions. This means you are unable to object.	Health Care Inspectorate Wales (HIW) and General Optical Council staff as directed	Article 6(1)(c) ‘…. necessary for compliance with a legal obligation to which the controller is subject’ Article 9(2)(h)’ necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. and/or Article 9(2)(j) – ‘processing is necessary for…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’

General Optical Council (GOC) – General Optical Council is the statutory regulator for the optical professions in England, Wales and Scotland. GOC role is to maintain the professional register for optometrists, dispensing opticians, optical students and optical businesses. They ensure public protection by investigating complaints and acting on fitness-to-practice issues as well as enforcing compliance with the Opticians Act 1989 and related regulations.   Further information can be found at: https://optical.org/
Purpose of the Processing	Recipients	Legal Basis
The law requires information to be shared with the General Optical Council so they can perform their regulatory functions. This means you are unable to object.	General Optical Council (GOC) staff as directed.	Article 6(1)(c) ‘…. necessary for compliance with a legal obligation to which the controller is subject’ Article 9(2)(h)’ necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. and/or Article 9(2)(j) – ‘processing is necessary for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’

Legal Advice/ Claims – There may be rare situations where individuals make claims against the optometry practice, when this occurs, we may share all relevant claim and relative medical records/ information to enable the organisation to obtain legal advice, establish the facts of the case and defend such instances.
Purpose of the Processing	Recipients	Legal Basis
To obtain legal advice, or for the purpose of establishing, exercising or defending legal rights (including prospective legal proceedings)	Your information may be shared with solicitors or legal representatives	Article 6(1)(c) ‘…. necessary for compliance with a legal obligation to which the controller is subject’ and/or Article 6(1)(e) ‘…. necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ Article 9(2)(f) ‘…necessary for the establishment, exercise of defence of legal claims…’   and/or Article 9(2)(g) ‘… is necessary for reasons of substantial public interest’

Disclosure of Video Surveillance to the police – the Optometry Practice may make voluntary disclosures of any form of video surveillance for incidents that require police intervention to support ongoing investigations
Purpose of the Processing	Recipients	Legal Basis
Where the purpose of the surveillance system is for the prevention and detection of crime, voluntary disclosure(s) of footage/images may be provided to the police, where there is a reporting of an incident to the police for investigation.	Relevant imaged may be shared with the police.	Art 6(1)(e) ‘…. necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ Art 9(2)(g) ‘…necessary for reasons of substantial public interests.’ Data Protection Act 2018, Schedule 2 (1)(a) the prevention or detection of crime and Data Protection Act 2018 – Schedule 2 (1)(b) the apprehension or prosecution of offenders