Privacy Statement
Murray Eyecare Limited takes your privacy very seriously. Under the new GDPR we want to inform you of what we do with your personal information, who we share it with and how we keep it secure. It is also important for you to know your rights in relation to how we do this.
The legal basis for using your personal information:
To provide our services we need to collect, use and store personal information.
When using personal information our legal basis is that its use is necessary for:
• the provision of health care or the management of health care in relation to eyes
• the provision of services which you have requested and we are supplying on a contractual basis
We use personal information for persons having an eye examination, contact lens fit, check or aftercare. Anyone placing an order with us which cannot immediately be filled and requires time to be achieved will be asked relevant personal information.
The personal information we collect is:
• current and previous surnames, forenames
• gender
• date of birth
• residential address
• GP name and address
• telephone number
This information will be collected by staff in the practice.
The optometrist may ask you:
• ocular symptoms and history
• medical history including medication
• history in relation to ocular and medical conditions
• occupation
• hobbies
• driver / computer user
• any other information that may aid a clinical diagnosis/decision
How is the information stored?
The information is stored on paper record system and on an IT system. The paper files are stored in secure premises and the staff are trained on data protection. We operate an IT system which is accessed by a third party for administration and technical support. This company adheres to the requirements outlined under GDPR.
Each time you visit the practice we will ask you to verify the details we have for you are correct. At this time any rectifications can be made and the information updated.
Who do we share it with?
To receive remuneration for the NHS services we provide we share your information with Practitioner services. This is the business unit of the NHS service in Scotland.
When you access primary care services for an eye examination you will sign a form which in part is a data protection notice explaining how your data may be lawfully shared. This form is sent to Practitioner services. The information is processed on a statutory legal basis and not on consent.
If you access our services on a private basis this information will not be shared with Practitioner services.
Practitioner services at times conduct practice audits where primary care services are being provided. They may access patient files either in person or ask for them to be posted. Paper delivery is through secure couriers.
Where a supplier is sending a product directly to you (i.e. Contact Lenses), we will share only the necessary information to achieve this.
At times we will contact you in relation to new services we are providing or when we have a sale or promotion. We require your consent to do this and we will ask you for this separately. Before the 25th of May there is an assumed consent for existing patients, however, all new patients will be asked to opt in. We will never send your information out with the UK unless it is at your request. All efforts will be made to ensure this is done securely.
How long do we store it for?
We retain your data for 7 years unless you are a child under 16 in which case the data is stored until you reach the age of 25. After this time record files are securely destroyed and electronic details deleted.
What data systems do we use and are they secure?
The IT system we use is Xeyex which is operated by Xeyex Ltd. They are a Scottish company and adhere to GPDR. The system we use is secured by McAfee antivirus software and username/passwords.
Data access is monitored to ensure only key personnel review it.
Our staff have a legal and contractual duty to keep personal health information secure and confidential. The optometrists within the practice have standards set by their professional governing bodies to adhere to.
Patient privacy/data protection notices are contained in the forms (or their electronic equivalent ) that patients are required to sign when receiving treatment from a primary care provider.
What are your rights?
If at any point you believe the information we have for you is not correct you can request to see it and even have it corrected or deleted (Clinical Information cannot be deleted until after 7years). If you are unhappy with the information we have or our data processes please discuss the matter with Alan Murray, Partner.
If you are not satisfied with the response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).
Information Commissioner’s Office Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone – 0303 123 1113 (local rate)
Website – https://ico.org.uk/concerns
A full list of your rights under GDPR is as follows:
The right to access the personal data we hold on you
You have the right to obtain:
• access to your personal information
• confirmation that your personal information is being held or used by us
• additional information about how we use your personal information
The right to rectification
If the information we have is incorrect you have the right to have it removed and / or rectified. If for any reason we have shared this information with anyone else we will notify them of the changes required to ensure their records are accurate.
If, on consideration of your request, we do not consider the information to be inaccurate we will add a comment to your record stating your concerns about the information. If this is the case we will contact you within 1 month to explain our reasons for this.
The right to object
You have the right to object to our use of personal information about you and to seek that further processing of personal information is restricted.
The right to withdraw consent
we will ask your consent before sending you information relating to sales / promotions. If you no longer wish to receive this information you can withdraw your consent at any time
The right to have personal data erased
If you no longer wish us to provide your eye care you can request that we remove your personal details from the database. The paper file will not be destroyed, however, and will be stored for the 7 year period.
The right to portability
You can request a copy of the personal information we store for you.
The right to lodge a complaint with the ICO
You have the right to lodge a complaint if you are not happy. Details are as above.
Updated 25th May 2018