Privacy Notice 

 

Who we are? 

Dyer and Scott is a private independent Opticians operating from 96 High Street Portishead BS20 6AJ and 120 Whiteladies Road, Bristol BS8 2RP. We are registered with the Information Commissioners Office as a Data Controller, registration number Z9059479. 

 

Your Privacy 

This policy provides detailed information on when and why we collect your personal information, how we use it and the very limited conditions under which we may disclose it to others. 

Your privacy matters to us and we are committed to the highest data privacy standards, patient confidentiality and adherence with the Data Protection Act 2018 and UK GDPR. We adopt the six core principles of data protection. 

 

Collection of your Personal Data 

Where you provide personal data to us, we will become responsible for it as the data controller. 

We will only collect data that is necessary for us to deliver the best possible service and ensure that you are reminded about appointments or information relevant to your ongoing care. 

 

We collect your personal information directly from you, for example, when you visit our practice, get in touch with us by telephone or email, use our booking system or when you visit our website. 

 

We may also collect it from other sources if it is legal to do so. This includes from the NHS or other healthcare providers, institutions or people you have authorised to provide information on your behalf (for example, parents or guardians), third-party service providers, government, tax or law-enforcement agencies, and others. 

 

Main Categories and Type of Personal Data Collected and processed. 

Processing Activity 

Personal Data Required/Held 

Retention Time 

Reason to hold Data 

Optical service and products 

Name, date of birth, telephone numbers, address and email 

Current and past health and medication information, family history, your examination results, and lifestyle information. 

Data received other healthcare professionals as part of your ongoing care 

10 years after last contact or until age 25, whichever is later 

Contract – in order to provide the service or products you have requested 

 

Where health data is processed, we do so for the provision of healthcare. 

Reminders 

Name, email address, address, telephone numbers 

10 years after last contact or until age 25, whichever is later or until asked to stop by you 

Contract – In order to provide the ongoing service appointment reminders are sent 

Marketing 

Name, email address, address, telephone number 

Until asked to stop by you or until consent withdrawn by you 

Legitimate interests – we will provide information which we believe is of genuine interest to you. 

 

Consent – you have given consent to receive information about products or services that are of interest to you  

Credit/Debit card payments 

Cardholder name, card number, security number 

Duration of the transaction 

Contract – you have agreed to provide these details to pay for the service or products ordered 

CCTV footage 

(Where present) 

Images 

30 days 

Legitimate interests – Prevention and detection of crime.  

Protection of our colleagues and visitors. 

Investigation of accidents, incidents, criminal activities and breaches of our policies. 

Collection of online identifiers for analytical purposes (Cookies) 

Cookie information 

IP address 

Device ID 

Session ID 

Interaction history 

Website feedback 

See Cookie Policy 

https://www.dyerandscott 

.co.uk/cookies/ 

 

 

Consent – Ensuring visitors get the best experience. 

 

 

 

We treat all personal data as sensitive but acknowledge that we also process special category data including health data and children’s data. 

 

Sharing of Personal Data 

During the delivery of our service to you, we will share your data with other companies who are essential for the provision of our service to you. They are under contract with us and have provided sufficient guarantees that they will process your data only as per the terms of that contract and throughout processing activities will ensure your data is protected using appropriate technical and organisation measures. 

 

Where necessary we may disclose your information to health care professionals including the NHS where we have a duty of care or to fulfil our legal obligations. We are compliant with the national data opt-out. For more details and to opt out see: https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/ 

It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind. 

 

We may also pass information to external agencies and organisations, including the police, for the prevention and detection of fraud and criminal activity. Should any claim be made, we may pass your personal information to our insurers and, if our business is wholly or partially transferred to a third party, your personal information may be one of the transferred assets. 

 

Our operations are based in the UK, and your personal information is generally processed within the UK and countries within the European Economic Area (EEA). In some instances, we may transfer your personal information to third countries, for example, where our suppliers or cloud service providers are situated outside the UK and EEA.  

 

If the recipient is situated in a third country that has not received an adequacy decision from the relevant regulator, we will ensure additional safeguards are in place including the use of applicable standard contractual clauses. 

 

A full list of processors is available from our Data Protection Officer. 

 

Securing and Processing of your Personal Data 

To provide and manage our services your electronic data is stored and processed by Optix Software Ltd within their UK facilities, certified to ISO27001, which has appropriate security processes in place. 

 

Your data is also stored within our own IT systems, which are secured to prevent access or intrusion by anyone who is not authorised to have access to your data. Our practices are operated to ensure that all records and equipment holding your personal data are physically protected.  

 

In the unlikely event that we lose your data, or a device on which your data resides, or it is accessed by someone unauthorised, we will inform you if the loss or unauthorised access of your data has potential to cause you harm. We may report this to the Information Commissioners Office, who are responsible for regulating data protection legislation in the UK.  

https://ico.org.uk/ 

Your rights in relation to personal data 

Under UK data protection law, you have following rights which you can exercise by emailing our Data Protection Officer on dyerandscottdpo@clinicaldpo.com 

 

Right 

Explanation 

Right to be Informed 

This means that we have to be transparent in how we collect and use your personal data 

Right of Access  

You have the right to access your personal data. 

Right to Rectification 

If the information we hold about you is inaccurate or incomplete you can request that we correct this 

Right to Erasure 

You can request that we delete or remove personal data in certain circumstances 

Right to Restrict Processing 

You have the right to request that we cease processing your data if  

  • you consider it inaccurate or incomplete and/or 
  • you object to the reason we’re processing your data 

We will review the validity of your request and respond to you with our decision 

Right to Data Portability 

Where you have consented to our processing your data or where the processing is necessary for us to deliver a contract you can request a copy of that data be provided to a third party 

Right to Object 

You have the right to object to our processing in certain circumstances. For example, you can object to: 

  • direct marketing and  
  • processing for the purposes of scientific/historical and statistics  

Rights relating to Automated Decision-Making including Profiling 

We do not use automated decision-making or profiling 

Where automated decision-making is applied, organisations must  

  • give you information about the processing 
  • introduce simple ways for you to request human intervention or challenge a decision  
  • carry out regular checks to make sure that our systems are working as intended  

 

 

 

How to contact us? 

For all data protection matters or questions relating to how we manage your data, or if you are concerned about how your data is being handled, you can contact our Data Protection Officer: 

 

Data Protection Officer:  Clinical DPO 

Phone Number 0203 411 2848 

Email: dyerandscottdpo@clinicaldpo.com 

 

For complaints, please include the following where possible: 

  • Your name and contact information,
  • A description of your concern or the data protection issue,
  • Any relevant supporting information.

  

Complaints will be acknowledged within 30 days, and we aim to respond fully and resolve the matter without undue delay. If your issue requires more time or clarification, we will keep you informed throughout. 

  

If you are dissatisfied in how we have handled your data, you have the right to complain to the UK Information Commissioner’s Office (ICO): 

  • Website: https://ico.org.uk/make-a-complaint/
  • Phone: 0303 123 1113
  • Address: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 

 

National Data Opt Out Statement 

 

Dyer & Scott Opticians is one of many organisations working in the health and care system to improve care for patients and the public.   

 

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment. 

 

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with: 

 

  • improving the quality and standards of care provided
  • research into the development of new treatments 
  • preventing illness and diseases
  • monitoring safety 
  • planning services

 

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.  

 

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed. 

 

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. 

 

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.  On this web page you will: 

  • See what is meant by confidential patient information 
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care 
  • Find out more about the benefits of sharing data 
  • Understand more about who uses the data 
  • Find out how your data is protected 
  • Be able to access the system to view, set or change your opt-out setting 
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone  
  • See the situations where the opt-out will not apply 

 

You can also find out more about how patient information is used at: 

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and 

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made) 

 

You can change your mind about your choice at any time. 

 

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement. 

 

Health and care organisations must put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.