Who we are?
We at The Eye Place are registered with the Information Commissioners Office as a Data Controller. We are specialist in Optometry operating from Bakewell, Dore, Towcester and London.
Your privacy matters to us and we are committed to the highest data privacy standards and patient confidentiality. To disclose this to you, our Privacy Notice includes the following:
- What data we collect from you.
- How and why we process it.
- Who we share it with and why.
We adopt the six core principles of data protection which are:
- Lawfulness, fairness and transparency - we process personal data lawfully, fairly and in a transparent manner in relation to you, the data subject.
- Purpose limitation - we only collect personal data for a specific, explicit and legitimate purpose. We clearly state what this purpose is in this Privacy Notice, and we only collect data for as long as necessary to complete that purpose.
- Data minimisation - we ensure that personal data we process is adequate, relevant and limited to what is necessary in relation to the processing purpose.
- Accuracy - we take every reasonable step to update or remove data that is inaccurate or incomplete. You have the right to request that we erase or rectify erroneous data that relates to you, and we will complete this task as soon as possible but guarantee to do so within a month.
- Storage limitation - we delete personal data when we no longer need it. Whilst the timescales in most cases aren't set, we outline our retention strategy within this Privacy Notice.
- Integrity and confidentiality - we keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Collection of your Personal Data
The information we collect about you is used to ensure we provide you with the best and most appropriate products and services. In addition to your ongoing eyecare, we will remind you when appointments are due and suggest relevant products or services that we believe would be of interest. We use your contact information to respond to queries from you, and where appropriate your bank details to collect Direct Debit payments as agreed. We may occasionally contact you to ask for your feedback on services we have provided and to offer the opportunity to trial new products.
We collect your personal information via disclosure directly from you or your parent or guardian. This might be via our website, via our booking system, telephone or face to face engagement.
Categories and Type of Personal Data Collected and processed.
We collect contact details from you including:
- Telephone number(s)
- email addresses
- Date of Birth
In addition to this contact information we collect clinical data including:
- Current and past relevant health and medication information.
- Examination results including retinal images.
- Relevant lifestyle information such as pastimes or work impacting on eye care.
- Information received from other healthcare professionals as part of your ongoing care.
Finally, we collect financial information where appropriate including:
- Payment card details via EPOS.
- Banking details for direct debit mandates.
We treat all personal data as sensitive but acknowledge that we also process special category data.
Article 8 of the GDPR and Article 9 of the UK Data Protection Act 2018 specify how we are permitted to process data relating to children under 16 (For the UK this is under 13). Given our industry we comply with this requirement by permitting parents or guardians to make appointments for children and to provide us with their own contact details to use on behalf of the children. On the appointment confirmation we offer a statement of understanding which confirms that the recipient is indeed a parent or guardian of the child.
Reason for Data collection and processing activities.
Contact information is captured to enable us to contact you through various communication channels on matters directly related to your treatment. This could include appointment reminders, results, check up reminders and any other information which is felt to be crucial to your eye care including offers from us about our services.
Clinical data is collected as an essential means of providing you with the service which you require and without collecting this information our service could not be delivered.
Payment information is collected to facilitate the payment of our services.
Sharing of Personal Data
During the delivery of our service to you, we will share your data with other companies who are critical for the provision of our service to you and will be viewed as Data Processors. They are under contract with us and have provided sufficient guarantees that they will process your data only as per the terms of that contract and throughout processing activities will ensure your data is protected using appropriate technical and organisation measures.
A full list of processors is available from our Data Protection Officer but includes:
- Optix Software Limited - Our business software provider
- Shopify - for the integration with the website. Salesforce - for the storage of eyecare records and automation of processes. Zendesk - for interactions with customer service.
- Klaviyo - for sending email marketing.
- Lens manufacturers, frame manufacturers, contact lens manufacturers
- Eyecare payments Ltd – process direct debit payments
We may also need to share your data with other health care providers, such as the NHS, where this is needed to ensure you receive appropriate treatment and care.
Securing and Processing of your Personal Data
Your data is stored mainly within our software system provided by Optix Business Software Limited. They hold ISO 27001 and as part of our own due diligence our Data Protection Officer has reviewed security processes in place including the results of penetration testing undertaken.
Your data is also stored within local devices secured using passwords and user authentication. All branches offer a high level of physical security and operational rigour to ensure data and the devices on which that data resides, are protected.
In the unlikely event that we lose your data, or a device on which your data resides, or it is accessed by someone unauthorised, we have a duty to inform you immediately. If the loss or unauthorised access of your data has potential to cause you harm, we will also report this to the Information Commissioners Office; who are responsible for regulating data protection legislation in the UK.
Our legal basis for processing your personal data?
We are required to identify one of six possible legal grounds for processing. These are:
- legitimate interests
- vital interests
- public task
- legal obligation
As all of our processing activities are crucial to the provision of the service which we enter into a contract with you to provide, we process your data based on that contractual relationship.
We could also process your data under our legitimate interests as all processing activities are essential for the provision of our service to you.
Where special category of data is processed, we do so Article 9 (2) h – processing is necessary for…the provision of health or social care.
How long do we keep your personal data for?
We retain your information for as long as reasonably necessary to provide our products and services and to maintain records to satisfy tax and other legal requirements.
Contact information is retained as long as the data subject is a customer of ours. Where the data subject has not used our services recently, and in the absence of a direct data subject request, we hold contact information for a period of 10 years from the last appointment.
Based on the guidance of the General Optical Council, the clinical data we process is held for a minimum period of 10 years.
Payment information is held by us only as long as is necessary to process the payment or to set up the direct debit mandate.
Your rights in relation to personal data
Under the GDPR, you have rights to access and control your personal data. These rights include:
- access to personal information
- correction and deletion
- withdrawal of consent (if processing data on condition of consent)
- data portability
- restriction of processing and objection
- lodging a complaint with the Information Commissioner’s Office
You can exercise your rights by emailing our Data Protection Officer on TheEyePlaceDPO@clinicaldpo.com
If you are unhappy with anything we have done with your data, you have the right to complain to the Information Commissioners Office.
To make a complaint to the Information Commissioners Office use the link below or call their hotline on Tel No.: 0303 123 1113.
Updating your communication preferences
You may ask that we do not send you communications using any of the contact details we hold on our records, this may include your email, SMS, telephone and postal information. You may also request we restrict our communications to clinically necessary messages. Your personal preferences can be changed at any time by using the link at the end of every email and SMS message we send or by using our contact details below.
Website specific privacy information
This section describes how your personal information is collected, used, and shared when you visit or make a purchase from ocoglasses.co.uk (the “Site”).
When you visit the Site, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information”. We collect Device Information using the following technologies:
- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
- “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Site.
Additionally, when you make a purchase or attempt to make a purchase through the Site, we collect certain information from you, including your name, billing address, shipping address, payment information, email address, and phone number. We refer to this information as “Order Information”.
How do we use your personal information?
We use the Order Information that we collect generally to fulfil any orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). Additionally, we use this Order Information to:
- Communicate with you;
- Screen our orders for potential risk or fraud; and
- When in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.
We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns).
Sharing your personal information
We share your Personal Information with third parties to help us use your Personal Information, as described above. For example, we use Shopify to power our online store--you can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy.
We also use Google Analytics to help us understand how our customers use the Site -- you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful requests for information we receive, or to otherwise protect our rights.
As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by using the links below:
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.
Do not track
Please note that we do not alter our Site’s data collection and use practices when we see a Do Not Track signal from your browser.
How to contact us?
For all data protection matters or questions relating to how we manage your data, you can contact our Data Protection Officer via these means:
Data Protection Officer: Clinical DPO.
Phone Number: 0203 411 2848