Data & Privacy Policies
Data Management Policies
This policy describes the data that we hold about patients, how we hold it, how we protect it, how we use and process it (including what patients need to be provided with) and how we transfer it (if necessary). There are certain legislative requirements for every organisation to hold information. Information about this is provided below.
The practice complies with the Data Protection Act 2018 in its processing of personal data and is registered with the Information Commissioner’s Office: registration number ZA114281.
The practice has an up-to-date Freedom of Information Act statement and this is available to patients.
A practice policy notice on handling patient data is available to patients.
Andrea Coulson is responsible for procedures relating to confidentiality and data management.
What information we hold and how we hold it
- Patient records and information in a variety of formats.
- Paper records for a sight test and contact lens clinical records.
- Paper records are used for spectacle prescription and dispensing information.
- Clinical records are held electronically on a computer.
- Spectacle prescription and dispensing information is held in the practice management software.
- Recall dates are managed manually.
- Recall dates are held in the practice management software.
- Photographic information (retinal and anterior segment) is held in the imaging software.
- Visual field records may be held as paper, as data in the visual field software or as images within the imaging software.
- Email correspondence will be held when necessary on the practice computers and a copy may be attached to the patient record.
How we protect this information
- All practice staff have a confidentiality clause within their contracts.
- All personal information contained on practice records, whether paper or electronic, is considered confidential.
- We will not discuss your personal information with anyone other than you or, if you are under 16 and not Gillick competent, your parent or guardian without your permission.
- Care is taken that records are not seen by other people in the practice.
- All staff are aware of the importance of ensuring and maintaining the confidentiality of patients’ data and that such data must be processed and stored securely.
- All electronic data is protected by suitable back-up procedures, and any on-line backup uses a service which encrypts the data securely before transmitting it from the practice PC.
- When computers are replaced, old hard drives are securely erased or physically destroyed.
- Records are retained for periods as agreed by the optical bodies (see Appendix 1).
- Confidential paper information requiring destruction is shredded.
- Records due for destruction are shredded.
- If the need arises to transfer information, we have procedures that include consent and secure transfer (see the section on how we transfer personal data below).
- Any suspected breaches of security or loss of information are reported immediately and are dealt with appropriately by the person responsible for confidentiality and data management.
- Paper records are kept secure and away from access by the public.
How we use and process the information we hold
To discharge our legal and contractual duties:
- If you have a sight test you will be given a copy of your spectacle prescription as soon as your sight test is completed.
- If you have a sight test and you are referred to a doctor, we will offer you a copy of the referral letter. If we cannot give this to you straight away, we will give you a written statement that you are being referred, with the reason for the referral (e.g. “cataract”) written on the GOS2 or similar private form.
- If you are fitted with contact lenses you will be given a copy of your contact lens specification when the fitting process has been completed.
- We make sure that staff who help in the provision of GOS are appropriately trained and supervised for the tasks that they undertake.
- We may also use the information we hold about you to remind you when you are due for check-ups, and we may send you eye care and eyewear information. If you do not want us to do this, please let us know.
How we transfer personal data
- We always transfer personal information (data) securely.
- We will normally ask your permission if we want to transfer personal information about you to someone else.
- We may not ask your permission if we transfer the information to another healthcare professional who is responsible for your care and who needs that information to help to care for you.
- We may also not ask your permission if we are ordered by law to transfer the information. This may be if a court asks us for the information.
Our website address is https://www.daseaman.org.uk
What personal data we collect via our website and why we collect it
We do not store any personal data on our website. Any content entered on the Contact Us page is sent to the practice and is stored on the practice computer system so that we can reply to your message. This is then stored and/or treated in the same way as all patient data stored on the practice software system.
See sections: ‘What information we hold and how we hold it’ and ‘How we protect this information’.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
What rights you have over your data
By entering your contact details on the Contact Us page you are giving your permission for that data to be transferred to the practice in the form of an email. No data is stored on the website.
For further information on policies and procedures about:
- Record retention (see appendix 1)
- Recording telephone calls and conversations (see appendix 2)
- Disclosure of Data to Commissioners (see appendix 3)
- Data Protection principles (see appendix 4)
- NHS Care Record Guarantee (see appendix 5)
- Caldicott recommendations (see appendix 6)
- Handling requests for RX and clinical information (see appendix 7)
- Communicating patient identifiable data (see appendix 8)
This policy applies to the following:
- Spectacle records
- Contact lens records
- Appointment diaries
- Telephone and/or telehealth consultations
- All records are retained for 10 years from the date of last seeing the patient.
- Records of children are retained until they are 25 AND it is 10 years since they were last seen.
- Records of the deceased are kept for 10 years.
- Records are destroyed by shredding.
Age at last test
Time to retain a record
Until age 25
Until age 25
Until age 27
For 10 years
Recording of telephone calls and/or consultations
Telephone calls between patients and providers will not be recorded or monitored, due to the complexity of obtaining consent for this process and of the subsequent storage of patient-sensitive data. Calls are not currently recorded.
Disclosure of data to Commissioners
The practice (provider) agrees to provide anonymised, pseudonymised or aggregated data as may be requested by the co-ordinating commissioner or LOC company.
Personal data will not be disclosed without written consent or lawful reason for disclosure.
Exceptions to this are covered by:
Section 251 of the NHS Act 2006 (originally enacted under Section 60 of the Health and Social Care Act 2001), which allows the common law duty of confidentiality to be set aside in specific circumstances where anonymised information is not sufficient and where patient consent is not practicable.
Data Protection Principles
Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime.
Article 5 (1) requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner concerning individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary concerning the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Article 5 (2) adds that:
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
NHS Care Record Guarantee
All data processed on behalf of the commissioner concerning community services must be processed and handled in line with the NHS Care Record Guarantee.
All staff handling data are aware of the obligations placed upon them by the NHS Care Record Guarantee and the commitments laid out in it.
In summary, this covers:
- Why people may access patient records:
  - As the basis for health decisions
  - To ensure safe, effective care
  - To work effectively with others
  - Clinical audit
  - To protect the health of the general public
  - To monitor NHS spending
  - To manage the health service
  - To investigate complaints
  - Teaching and research
- Law relating to records:
  - Confidentiality under the common-law duty of confidentiality
  - Protection about how information is processed
These rights are not absolute and they need to be balanced against those of others.
Other patient rights regarding records
- To ask for a copy of all records held in paper or electronic form (a fee may be payable)
- To choose someone to make decisions about the patient’s healthcare if the patient becomes unable to do so (lasting power of attorney)
Duties placed upon the practice (provider)
- Maintain accurate records of the care provided
- Keep records confidential, secure, and accurate (even after the patient dies)
- Provide information in accessible formats (e.g. large print)
The complete NHS Care Record Guarantee will be available for staff members to consult.
Caldicott recommendations
- Justify the purpose(s) of using confidential information
- Only use it when absolutely necessary
- Use the minimum that is required
- Access should be on a strict need to know basis
- Everyone must understand his or her responsibilities
- Understand and comply with the law
- Patients are treated with dignity, kindness, compassion, courtesy, respect, understanding and honesty.
- Patients experience effective interactions with staff who have demonstrated competency in relevant communication skills.
- Patients are introduced to all healthcare professionals involved in their care and are made aware of the roles and responsibilities of the members of the healthcare team.
- Patients have opportunities to discuss their health beliefs, concerns and preferences to inform their individualised care.
- Patients are supported by healthcare professionals to understand relevant treatment options, including benefits, risks and potential consequences.
- Patients are actively involved in shared decision making and supported by healthcare professionals to make fully informed choices about investigations, treatment and care that reflect what is important to them.
- Patients are made aware that they have the right to choose, accept or decline treatment and these decisions are respected and supported.
- Patients are made aware that they can ask for a second opinion.
- Patients experience care that is tailored to their needs and personal preferences, taking into account their circumstances, their ability to access services and their coexisting conditions.
- Patients have their physical and psychological needs regularly assessed and addressed, including nutrition, hydration, pain relief, personal hygiene and anxiety.
- Patients experience continuity of care delivered, whenever possible, by the same healthcare professional or team throughout a single episode of care.
- Patients experience coordinated care with clear and accurate information exchange between relevant health and social care professionals.
- Patients’ preferences for sharing information with their partner, family members and/or carers are established, respected and reviewed throughout their care.
- Patients are made aware of who to contact, how to contact them and when to make contact about their ongoing healthcare needs.
Handling requests for prescription and clinical information
Spectacle prescription (Spec Rx) or contact lens specification
Where a patient requests a copy of their own or their child’s spectacle prescription or contact lens specification, this should be provided. It will be double-checked for accuracy and signed by an optometrist. Such information may be collected, posted or faxed to the patient. It may also be emailed to their email address if they so request.
Contact lens specification
Where a third party supplier requests the verification of a contact lens specification they should provide the following details:
- Patient’s full name and address
- Full specification including parameters and power of the lenses
- The expiry date of the specification
- The name or registration number of the person signing the specification
The answer can only be yes or no; the details are correct or not. If the details are not correct, further information must not be supplied without the explicit consent of the patient. In that event, the supplier will be told that a copy of the specification, with all the correct details, will be posted to the patient. The request and the result should be noted on the patient’s record.
Requests from another optometrist for spec Rx information
In all cases, we must be satisfied that the patient has consented to the transfer of the information. This may be obvious and implicit (“the patient is on holiday elsewhere and has broken their glasses”), but if not, we will ask to speak to the patient or for a signed consent to be faxed to us. The request will be noted on the patient’s record.
Requests from another optometrist for clinical information
The optometrist must satisfy themselves that the request is for the clinical and health benefit of the patient and will conduct the phone conversation and provide the information themselves. They must also be satisfied that the patient has consented to the transfer of information.
Requests by us for clinical or spec Rx information
These requests will be made by the optometrist personally or a qualified member of staff. A signed consent should be held in case this is requested by the other party. If the information is not urgent the request may be made in writing.
Communicating Patient Identifiable Data
Patient data may be communicated in the following ways:
- By ordinary 1st or 2nd class post:
  - In a sealed envelope
- By fax:
  - This will be to a safe haven fax where possible. The cover sheet will state: This fax contains proprietary confidential information some or all of which may be legally privileged and or subject to the provisions of privacy legislation. It is intended solely for the addressee. If you are not the intended recipient, you must not read, use, disclose, copy, print or disseminate the information contained within this fax. Please notify the author immediately by replying to this fax and then destroy the fax.
- By email:
  - Patient consent is required for sending data that can identify a patient except where both sender and recipient have NHS emails ending in @nhs.net, or the “SECURE” function of NHS mail is used. Emails will carry a message stating:
  - This e-mail contains proprietary confidential information some or all of which may be legally privileged and or subject to the provisions of privacy legislation. It is intended solely for the addressee. If you are not the intended recipient, you must not read, use, disclose, copy, print or disseminate the information contained within this e-mail. Please notify the author immediately by replying to this e-mail and then delete the e-mail.
In all cases:
- With care that confidentiality is maintained
- The recipient of the information is identified
- A note is made on the record
- Information that could result in errors will be communicated in writing where possible