PRIVACY POLICY

Robert E Lloyd

Privacy Notice

Who we are?

We at Robert E Lloyd are registered with the Information Commissioner's Office as a Data Controller (registration numbers ZA139844 and ZA139846). We are specialists in Optometry and related services and operate from 310 Heathwood Road, CF14 4HT and 49 High Street, CF71 7AE.


Your Privacy

Your privacy matters to us and we are committed to the highest data privacy standards and patient confidentiality. To disclose this to you, our Privacy Notice includes the following:

We adopt the six core principles of data protection which are:

  1. Lawfulness, fairness and transparency: we process personal data lawfully, fairly and in a transparent manner in relation to you, the data subject.
  2. Purpose limitation: we only collect personal data for a specific, explicit and legitimate purpose. We clearly state what this purpose is in this Privacy Notice, and we only collect data for as long as necessary to complete that purpose.
  3. Data minimisation: we ensure that personal data we process is adequate, relevant and limited to what is necessary in relation to the processing purpose.
  4. Accuracy: we take every reasonable step to update or remove data that is inaccurate or incomplete. You have the right to request that we erase or rectify erroneous data that relates to you, and we will complete this task as soon as possible but guarantee to do so within a month.
  5. Storage limitation: we delete personal data when we no longer need it. Whilst the timescales in most cases aren't set, we outline our retention strategy within this Privacy Notice.
  6. Integrity and confidentiality: we keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Collection of your Personal Data

We collect your personal information via disclosure directly from you or your parent or guardian. This might be via our website, via our booking system, telephone or face to face engagement.

Categories and Types of Personal Data Collected and Processed

We collect contact details from you including:

In addition to this contact information we collect clinical data including:

Finally, we collect financial information where appropriate including:

We treat all personal data as sensitive but acknowledge that we also process special category data.

Child Data

Article 8 of the GDPR and Article 9 of the UK Data Protection Act 2018 specify how we are permitted to process data relating to children under 16 (for the UK this is under 13). Given our industry, we comply with this requirement by permitting parents or guardians to make appointments for children and to provide us with their own contact details to use on behalf of the children. On the appointment confirmation we offer a statement of understanding which confirms that the recipient is indeed a parent or guardian of the child.

Reasons for Data Collection and Processing Activities

Contact information is captured to enable us to contact you through various communication channels on matters directly related to your treatment. This could include appointment reminders, results, check-up reminders and any other information which is felt to be crucial to your eye care, including offers from us about our services.

Clinical data is collected as an essential means of providing you with the service which you require and without collecting this information our service could not be delivered.

Payment information is collected to facilitate the payment of our services.

Sharing of Personal Data

During the delivery of our service to you, we will share your data with other companies who are critical for the provision of our service to you and who will be viewed as Data Processors. They are under contract with us and have provided sufficient guarantees that they will process your data only as per the terms of that contract, and throughout processing activities will ensure your data is protected using appropriate technical and organisational measures.

A full list of processors is available from our Data Protection Officer but includes Optix Software Limited (our business software provider), lens manufacturers, frame manufacturers, contact lens manufacturers and payment processors.

We may also need to share your data with other health care providers, such as the NHS, where this is needed to ensure you receive appropriate treatment and care.

Securing and Processing of your Personal Data

Your data is stored mainly within our software system provided by Optix Business Software Limited. They hold ISO 27001 certification and, as part of our own due diligence, our Data Protection Officer has reviewed the security processes in place, including the results of penetration testing undertaken.

Your data is also stored within local devices secured using passwords and user authentication. All branches offer a high level of physical security and operational rigour to ensure that data, and the devices on which that data resides, are protected.

In the unlikely event that we lose your data, or a device on which your data resides, or it is accessed by someone unauthorised, we have a duty to inform you immediately. If the loss or unauthorised access of your data has the potential to cause you harm, we will also report this to the Information Commissioner's Office, which is responsible for regulating data protection legislation in the UK.

https://ico.org.uk/


Our legal basis for processing your personal data

We are required to identify one of six possible legal grounds for processing. These are:

As all of our processing activities are crucial to the provision of the service which we enter into a contract with you to provide, we process your data based on that contractual relationship.

We could also process your data under our legitimate interests as all processing activities are essential for the provision of our service to you.

Where special category data is processed, we do so under Article 9(2)(h): processing is necessary for … the provision of health or social care.

How long do we keep your personal data for?

We process three categories of personal data and retain this data for different periods of time.

Contact information is retained for as long as the data subject is a customer of ours. Where the data subject has not used our services recently, and in the absence of a direct data subject request, we hold contact information for a period of 10 years from the last appointment.

Based on the guidance of the AOP, the clinical data we process is held for a period of 10 years for adults or, in the case of minors, until the patient's 25th birthday.

Payment information is held by us only for as long as is necessary to process the payment or to set up the direct debit mandate.


Your rights in relation to personal data

Under the GDPR, you have rights to access and control your personal data. These rights include:

You can exercise your rights by emailing our Data Protection Officer at RobertELloydDPO@clinicaldpo.com

If you are unhappy with anything we have done with your data, you have the right to complain to the Information Commissioner's Office.

To make a complaint to the Information Commissioner's Office, use the link below or call their hotline on 0303 123 1113.

https://ico.org.uk/concerns/

Use of cookies and other technologies

A cookie is a small text file containing information that a website transfers to your computer's hard disk for record-keeping purposes. A cookie cannot give us access to your computer or to your personal information. Most web browsers automatically accept cookies; consult your browser's manual or online help if you want information on restricting or disabling the browser's handling of cookies. If you disable cookies, you can still view the information on our website, but the functionality of certain areas may be reduced.

Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. We only use session cookies on this website.

Cookies we use on our website

(a) Authentication
We use cookies to identify admin logins via the login page. Cookies generated include wordpress_sec_*, which handle login for website admins. (Session cookie)

(b) Status 
We use cookies to help us to determine if you are logged into our website.
Cookies used for this purpose are: wordpress_logged_in_* (Session cookie)

(c) Security
We use cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally. (Session cookie)

(d) Analysis
We use cookies to help us to analyse the use and performance of our website and services.
We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Our service providers use cookies and those cookies may be stored on your computer when you visit our website.
Google’s privacy policy is available at: https://www.google.com/policies/privacy/. (Session cookie)


Managing cookies
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
(a) https://support.google.com/chrome/answer/95647?hl=en (Chrome);
(b) https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);
(c) http://www.opera.com/help/tutorials/security/cookies/ (Opera);
(d) https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
(e) https://support.apple.com/kb/PH21411 (Safari); and
(f) https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge).

Blocking all cookies will have a negative impact upon the usability of many websites.
If you block cookies, you will not be able to use all the features on our website.

How to contact us?

For all data protection matters or questions relating to how we manage your data, you can contact our Data Protection Officer via these means:

Data Protection Officer: Clinical DPO.

Phone Number: 0203 411 2848

Email: RobertELloydDPO@clinicaldpo.com