At G.T. Harvey and Partners, we are committed to protecting your privacy and data. We value the personal information entrusted to us and make sure we respect that trust. However you may choose to interact with us, we will only collect data that is necessary for us to deliver the best possible service and ensure you are reminded about appointments or anything else relevant to your ongoing care. This policy provides detailed information on when and why we collect your personal information, how we use it and the very limited conditions under which we may disclose it to others.
We have always ensured, and will continue to ensure, that our patients are our first and overriding priority.
We at GT Harvey and Partners are registered with the Information Commissioner's Office as a Data Controller, registration number Z7284204. We provide optometry services and operate from: 9 Saville Row, Newcastle Upon Tyne, NE1 8JE.
Your privacy matters to us and we are committed to the highest data privacy standards, patient confidentiality and adherence to the Data Protection Act 2018 and UK GDPR.
We adopt the six core principles of data protection which are:
- Lawfulness, fairness and transparency – we process personal data lawfully, fairly and in a transparent manner in relation to you, the data subject.
- Purpose limitation – we only collect personal data for a specific, explicit and legitimate purpose. We clearly state what this purpose is in this Privacy Notice, and we only collect data for as long as necessary to complete that purpose.
- Data minimisation – we ensure that personal data we process is adequate, relevant and limited to what is necessary in relation to the processing purpose.
- Accuracy – we take every reasonable step to update or remove data that is inaccurate or incomplete. You have the right to request that we erase or rectify erroneous data that relates to you, and we will complete this task as soon as possible but guarantee to do so within a month.
- Storage limitation – we delete personal data when we no longer need it. Whilst the timescales in most cases aren’t set, we outline our retention strategy within this Privacy Notice.
- Integrity and confidentiality – we keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Collection of your Personal Data
We collect your personal information via disclosure directly from you. This might be via our website, via our booking system, telephone, or face to face engagement.
We may also collect it from other sources if it is legal to do so. This includes from the NHS or other healthcare providers, institutions or people you have authorised to provide information on your behalf (for example, parents or guardians), third-party service providers, government, tax or law-enforcement agencies, and others.
Categories and Types of Personal Data Collected and Processed
In addition to your basic contact information (name, date of birth, telephone numbers, your address and email) we will collect other relevant details during your eye examination including current and past health and medication information, family history, your examination results, and lifestyle information. We may also collect payment details where appropriate. We may also store associated information received from other health care professionals e.g., your Doctor or Ophthalmologist, as part of your ongoing care.
We treat all personal data as sensitive but acknowledge that we also process special category data.
Article 8 of the UK GDPR and Article 9 of the UK Data Protection Act 2018 specify how we are permitted to process data relating to children under 16 (for the UK this is under 13). Given our industry we comply with this requirement by permitting parents or guardians to make appointments for children and to provide us with their own contact details to use on behalf of the children. On the appointment confirmation we offer a statement of understanding which confirms that the recipient is indeed a parent or guardian of the child.
Reason for Data Collection and Processing Activities
Contact information is collected to enable us to contact you through various communication channels on matters directly related to your treatment. This could include appointment reminders, results, check-up reminders and any other information which is felt to be crucial to your care. We may also, with your consent, send updates from us about our services.
Clinical data is collected because it is essential to providing you with your care.
Without collecting this information this care could not be delivered.
Payment information is collected to facilitate the payment of our services.
Sharing of Personal Data
During the delivery of our service to you, we will only share your data with other companies who are critical for the provision of our service to you and will be viewed as Data Processors. They are under contract with us and have provided sufficient guarantees that they will process your data only as per the terms of that contract and, throughout processing activities, will ensure your data is protected using appropriate technical and organisational measures.
A full list of the processors applicable to our services to you is available from Maria Henderson.
Where necessary we may disclose your information to health care professionals including the NHS. We may also pass information to external agencies and organisations, including the police, for the prevention and detection of fraud and criminal activity. Should any claim be made, we may pass your personal information to our insurers and if our business is wholly or partially transferred to a third party, your personal information may be one of the transferred assets.
Securing and Processing of your Personal Data
To provide and manage our services, your electronic data is stored and processed by Optix Software Ltd within their UK facilities, certified to ISO 27001, which has appropriate security processes in place.
Your data is also stored within local devices secured using passwords and user authentication. Our practice is secure and operated to ensure that data, and the devices on which that data resides, are protected.
In the unlikely event that we lose your data, or a device on which your data resides, or it is accessed by someone unauthorised, we have a duty to inform you immediately if the loss or unauthorised access of your data has potential to cause you harm. We will also report this to the Information Commissioner's Office, who are responsible for regulating data protection legislation in the UK – https://ico.org.uk/
Our legal basis for processing your personal data
Our legal basis for processing your personal data?
We are required to identify one of six possible legal grounds for processing. These are:
- legitimate interests
- vital interests
- public task
- legal obligation
As all of our processing activities are crucial to the provision of our service, which we enter into a contract with you to provide, we process your data based on that contractual relationship.
We could also process your data under our legitimate interests as all processing activities are essential for the provision of our service to you.
Where special category data is processed, we do so under Article 9(2)(h) – where processing is necessary for the provision of health or social care.
How long do we keep your personal data for?
We retain your information for as long as reasonably necessary to provide our products and services and to maintain records to satisfy tax and other legal requirements. We also keep records to satisfy industry body requirements, as well as to protect and defend ourselves against any claims.
We will delete, shred and dispose of information correctly and safely when it is no longer required.
Your rights in relation to personal data
Under UK data protection law, you have the following rights:
Right to be informed
This means that we have to be transparent in how we collect and use your personal data.
Right of access
You have the right to access your personal data.
Right to rectification
If the information we hold about you is inaccurate or incomplete you can request that we correct this.
Right to erasure
You can request that we delete or remove personal data in certain circumstances.
Right to restrict processing
You have the right to request that we cease using your data if
We will review the validity of your request and respond to you with our decision.
Right to data portability
Where you have consented to our use of your data or where the use of your data is necessary for us to deliver a contract you can request a copy of that data be provided to a third party.
Right to object
You have the right to object to us using your data in certain circumstances. For example, you can object to:
Rights relating to automated decision-making including profiling
If we were to apply automated decision-making, we must:
Please note: at G.T. Harvey and Partners we DO NOT use automated decision-making or profiling.
If you are unhappy with anything we have done with your data, you have the right to complain to the Information Commissioner's Office.
To make a complaint to the Information Commissioner's Office, use the link below or call their hotline on Tel No.: 0303 123 1113. https://ico.org.uk/concerns/
How to contact us?
For all data protection matters or questions relating to how we manage your data, you can contact: Stuart Henderson on –
Email: [email protected]
Telephone: 0191 2327615
Or by post: 9, Saville Row, Newcastle upon Tyne. NE1 2JE
Alternatively, should you not wish to contact Stuart Henderson, you can contact our Data Protection Officer directly via these means:
Data Protection Officer: Clinical DPO.
Phone Number 0203 411 2848
Email: [email protected]