Privacy Policy and FOI

 

  

Privacy Notice

 

Who we are?

The Village Optician (North East) Ltd is a private independent Opticians operating from Newton Aycliffe, Darlington, Durham and Coxhoe. We are registered with the Information Commissioners Office as a Data Controller, registration number ZB156238.

 

Your Privacy

This notice provides detailed information on when and why we collect your personal information, how we use it and the very limited conditions under which we may disclose it to others.

Your privacy matters to us and we are committed to the highest data privacy standards, patient confidentiality and adherence with the Data Protection Act 2018 and UK GDPR. We adopt the core principles of data protection.

Collection of your Personal Data

Where you provide personal data to us, we will become responsible for it as the data controller.

We will only collect data that is necessary for us to deliver the best possible service and ensure that you are reminded about appointments or information relevant to your ongoing care.

 

We collect your personal information directly from you, for example, when you visit our practice, get in touch with us by telephone or email, use our booking system or when you visit our website.

 

We may also collect it from other sources if it is legal to do so. This includes from the NHS or other healthcare providers, institutions or people you have authorised to provide information on your behalf (for example, parents or guardians), third-party service providers, government, tax or law-enforcement agencies, and others.

 

 

Main Categories and Type of Personal Data Collected and processed.

Processing Activity	Personal Data Required/Held	Retention Time	Reason to hold Data
Optical service and products	Name, date of birth, telephone numbers, address and email Current and past health and medication information, family history, your examination results, and lifestyle information. Data received other healthcare professionals as part of your ongoing care	10 years after last contact or until age 25, whichever is later	Contract – in order to provide the service or products you have requested   Where health data is processed, we do so for the provision of healthcare.
Reminders	Name, email address, address, telephone numbers	10 years after last contact or until age 25, whichever is later or until asked to stop by you	Contract – In order to provide the ongoing service appointment reminders are sent
Marketing	Name, email address, address, telephone number	Until asked to stop by you or until consent withdrawn by you	Legitimate interests – we will provide information which we believe is of genuine interest to you.   Consent – you have given consent to receive information about products or services that are of interest to you
Credit/Debit card payments	Cardholder name, card number, security number	Duration of the transaction	Contract – you have agreed to provide these details to pay for the service or products ordered
Collection of online identifiers for analytical purposes (Cookies)	Cookie information IP address Device ID Session ID Interaction history Website feedback	See Cookie Policy	Consent – Ensuring visitors get the best experience.

 

We treat all personal data as sensitive but acknowledge that we also process special category data including health data and children’s data.

 

Sharing of Personal Data

During the delivery of our service to you, we will share your data with other companies who are essential for the provision of our service to you. They are under contract with us and have provided sufficient guarantees that they will process your data only as per the terms of that contract. Throughout processing activities, they will ensure your data is protected using appropriate technical and organisation measures.

 

Where necessary we may disclose your information to health care professionals including the NHS where we have a duty of care or to fulfil our legal obligations. We are compliant with the national data opt-out. For more details and to opt out see: https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/

It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses. We will always do this with your security in mind.

 

We may also pass information to external agencies and organisations, including the police, for the prevention and detection of fraud and criminal activity. Should any claim be made, we may pass your personal information to our insurers and, if our business is wholly or partially transferred to a third party, your personal information may be one of the transferred assets.

 

Our operations are based in the UK and your personal information is generally processed within the UK and countries within the European Economic Area (EEA). In some instances, we may transfer your personal information to third countries, for example, where our suppliers or cloud service providers are situated outside the UK and EEA.

 

If the recipient is situated in a third country that has not received an adequacy decision from the relevant regulator, we will ensure additional safeguards are in place including the use of applicable standard contractual clauses. To obtain a copy of these safeguards, please contact our Data Protection Officer.

 

A full list of processors is available from our Data Protection Officer.

 

Securing and Processing of your Personal Data

To provide and manage our services your electronic data is stored and processed by Optix Software Ltd within their UK facilities, certified to ISO27001, which has appropriate security processes in place.

 

Your data is also stored within our own IT systems, which are secured to prevent access or intrusion by anyone who is not authorised to have access to your data. Our practices are operated to ensure that all records and equipment holding your personal data are physically protected.

 

In the unlikely event that we lose your data, or a device on which your data resides, or it is accessed by someone unauthorised, we will inform you if the loss or unauthorised access of your data has potential to cause you harm. We may report this to the Information Commissioners Office, who are responsible for regulating data protection legislation in the UK.

https://ico.org.uk/

 

Your rights in relation to personal data

Under UK data protection law, you have following rights which you can exercise by emailing our Data Protection Officer on TheVillageOpticianDPO@clinicaldpo.com

 

Right	Explanation
Right to be Informed	This means that we have to be transparent in how we collect and use your personal data
Right of Access	You have the right to access your personal data.
Right to Rectification	If the information we hold about you is inaccurate or incomplete you can request that we correct this
Right to Erasure	You can request that we delete or remove personal data in certain circumstances
Right to Restrict Processing	You have the right to request that we cease processing your data if ·         you consider it inaccurate or incomplete and/or ·         you object to the reason we're processing your data We will review the validity of your request and respond to you with our decision
Right to Data Portability	Where you have consented to our processing your data or where the processing is necessary for us to deliver a contract you can request a copy of that data be provided to a third party
Right to Object	You have the right to object to our processing in certain circumstances and an absolute right to object to direct marketing.
Rights relating to Automated Decision-Making including Profiling	We do not use automated decision-making or profiling Where automated decision-making is applied, organisations must ·         give you information about the processing ·         introduce simple ways for you to request human intervention or challenge a decision ·         carry out regular checks to make sure that our systems are working as intended

 

 

How to contact us?

For all data protection matters or questions relating to how we manage your data, or if you are concerned about how your data is being handled, you can contact our Data Protection Officer:

 

Data Protection Officer:                 Clinical DPO

Phone Number:                                0203 411 2848

Email:                                                    TheVillageOpticianDPO@clinicaldpo.com

 

For complaints, please include the following where possible:

• Your name and contact information.
• A description of your concern or the data protection issue.
• Any relevant supporting information.

 

Complaints will be acknowledged within 30 days. We aim to fully respond and resolve the matter without undue delay. If your issue requires more time or clarification, we will keep you informed throughout.

 

If you are dissatisfied in how we have handled your data, you have the right to complain to the UK Information Commissioner's Office (ICO):

• Website: https://ico.org.uk/make-a-complaint/
• Phone: 0303 123 1113
• Address: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 

 

 

 

FREEDOM OF INFORMATION POLICY AND PROCEDURE

Summary

The Freedom of Information (FOI) Act 2000 demonstrates a commitment to greater openness in the public sector. It enables members of the public to find out more about the activities and the decisions of public authorities and to ensure that services are delivered properly and efficiently. The Act has been in force since 1^st January 2005.

This policy is intended to provide guidance and support all staff who may receive Freedom of Information requests or be required to provide data in response to requests.

Scope

This policy provides a framework for the Organisation to ensure compliance with the Freedom of Information Act 2000, Re-use of Public Sector Information Regulations 2005 and Environmental Information Regulations 2004.

This policy applies to all staff working for or on behalf of the Organisation (including temporary, fixed term, honorary contract staff, prospective employees who are part-way through recruitment, contractors or sub-contractors, agency staff, and Organisation Committee, Sub-Committee and advisory group members).

1. Introduction

The Freedom of Information Act 2000 gives the public the right to request any non-personal information by the NHS, and in particular:

• the right to be told whether the information exists; and
• the right to receive that information.

Requests to re-use company information received under a FOI application in accordance with the Re-use of Public Sector Information Regulations 2005 are also covered by the policy.

Requests for information about identifiable living or deceased individuals must be dealt with in accordance with the Data Protection Act 2018 or Access to Health Records Act 1990, accordingly.

General Rights of Access

The Act gives members of the public a general right of access to recorded information (both paper and electronic) held by the organisation, subject to certain exemptions. This means that any person who makes a written request has the right to:

• Be informed in writing whether the organisation holds the information requested (this is known as the ‘duty to confirm or deny’)
• Have access to that information which the Organisation holds (subject to any exemptions which may apply).

It is a criminal offence to destroy information with the intent of preventing disclosure following a request.

Timescale for responding to requests

The Act requires that the requested information is provided to the applicant within 20 working days following receipt of the request. If the Organisation decides to make use of a qualified exemption to withhold information, then the deadline can be extended only in these circumstances to consider where the balance of the public interest test lies.

The Organisation will issue an acknowledgment of receipt to the applicant within 48 hours of receiving the request.

Publication Scheme

The Organisation already makes a large amount of information available in an open way. Information can be obtained through its website, leaflets, and other relevant publications such as the Annual Report and Accounts.

The Organisation is obliged to maintain a publication scheme (which is based on the Information

Commissioners Model Publication Scheme) under the FOI Act. A publication scheme is a guide to the information which will routinely be made available to the public by the Organisation.

The Organisation has a duty to regularly review its Publication Scheme as part of maintaining to ensure it is up to date. In liaison with the Information Governance Committee and Directors of the Organisation, the Organisation will routinely publish datasets on its website in order to reduce the administrative burden of FOIs.

Information Commissioners Office

The Act is regulated by the Information Commissioner who combines this responsibility with regulating the Data Protection Act (to be succeeded by new Data Protection legislation from May 2018). The Information Commissioner’s Office’s benchmark for good compliance is 90%. The Organisation will publish an annual FOI report setting out its compliance rate for the financial year.

Roles and Responsibilities

Michael Peart has ultimate responsibility for adherence to the Act.

Michael Peart is responsible for:

• Ensure organisational compliance with the Act
• Reviewing the public interest test in cases of qualified exemptions
• Responding to queries and complaints over the organisation’s service in handling FOI applications
• Carrying out internal reviews in liaison with the relevant Director/Chief Executive
• Ensure processes are implemented to maintain currency of this policy and the issue of a current Organisation Publication Scheme
• Act as the Champion for FOI awareness throughout the organisation
• Ensure that the general public and Organisation staff have access to information about their rights under the Act
• Ensure FOI applicants receive acknowledgement within 48 hours of submitting their request
• Ensure that a process is in place to assist with investigations into complaints and appeal
• Ensure that all requests for information are validated, recorded and co-ordinated in accordance with current procedures which allow responses to be sent to the applicant within legal timescales
• Perform a technical check of the managers’ responses for completeness prior to sending to the applicant

ice

• Advise and support staff responding to requests including the possible application of exemptions
• Provide advice and assistance to staff and those who propose to make, or have made, requests for information under the Act
• Devise and maintain standard documentation including response letters
• Create and publish a Disclosure Log
• Development and maintenance of the Organisation Publication Scheme

All Staff

All employees of the Organisation are obliged to adhere to this procedure. They must also ensure

they are aware of the implications of this policy, and of the process for the central handling of FOI requests.

FOI requests received by staff must be forwarded to michael@thevillageoptician.com

Where a request is received by hard copy letter, the date of receipt by the Organisation should be clearly marked on the request letter and this should be scanned and sent to the above email address.

Note the Organisation has only 20 working days to respond to a request for information. Where staff are unsure of whether a request for information needs to be logged as a FOI request they must contact their manager for advice.

All staff should be aware that under section 77 of the FOI Act it is a Criminal Offence to alter, deface, block, erase, destroy or conceal any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled. To do so can result in a fine of up to £5,000 and up to two years in prison.

Identifying Freedom of Information Requests

To be classed as a FOI request the request must:

• Be made in writing (this includes by electronic means such as e-mail)
• State the applicant’s name and include an address for correspondence (this can be an e-mail address)
• Describe the information being requested to enable the Organisation to clearly identify the information required. Where this is not clear the Organisation must seek clarification from the applicant.

It should be noted that requests do not need to mention the FOI Act or contain a reason for requesting the information.

A distinction must be made between requests for information and routine correspondence.

Requests for information that can be provided without any question (e.g. leaflets, other public / patient material, recruitment brochures, press releases) should be treated as business as usual.

It is also important to point out that the Freedom of Information Act 2000 only covers requests for recorded information and does not cover instances where explanations, opinions, comment, interpretations or unrecorded discussions are requested.

Once a FOI request has been identified and submitted, [insert name/role] will then send an acknowledgement to the applicant to confirm receipt of the request.

FOI Exemptions

The Organisation has a duty to receive all requests in a positive manner with a view to disclosing the required information. However, the Act does contain a number of exemptions from the duty to confirm or deny or to communicate information.

The Organisation can only withhold a document if one or more exemptions as outlined in Part 2 of the FOI Act apply to the information being requested. If information is properly exempt then there is no right of access to it under the Act. All the exemptions operate in different ways and, when applying individual exemptions, the following factors may need to be considered:

• The content of the information
• The effect that disclosure would have (for example, the possible impact on our relations with third parties or on any ongoing investigations/legal proceedings)
• The source of the information
• The purpose for which the information was recorded

There are two categories of exemptions; absolute and qualified.

• absolute – there is no duty to consider the public interest test; the information need not be disclosed and the Organisation is not obliged to comply with the duty to confirm or deny whether it holds the requested information.
• qualified – the Act requires the Organisation to consider first whether or not the exemption applies (taking into account the prejudice test where applicable) and secondly, if the exemption does apply the Organisation must consider the public interest test. Only where the public interest in maintaining the exemption or exclusion from the duty to confirm or deny outweighs the public interest in communicating information, or confirming or denying that the Organisation has such information, can the Organisation rely upon a qualified exemption or exclusion.

The Public Interest Test

Where it is intended to apply a qualified exemption, [insert name/role] will undertake and document a ‘public interest test’. This means balancing the considerations of disclosure and non-disclosure of information. If the public interest in withholding the information outweighs the public interest in disclosing it, it should be withheld. When a decision is made to withhold information the reasoning as to why that decision was made must be recorded e.g. a demonstration of the potential harm in disclosing the information must be made.

The Appropriate Limit

The appropriate limit is the point at which the Organisation can exempt a request due to excessive costs and staff time. The appropriate limit is set at £450 for opticians.

Costs are calculated on the amount of time staff would take in:

• Determining whether the Organisation holds the information requested;
• Locating the information or documents containing the information;
• Retrieving such information or documents, and
• Extracting the information from the documents containing it.

The rate for staff time is calculated at £25 per hour.

In all such cases the Organisation will offer advice and assistance to the applicant to narrow the scope of their request and bring it within the appropriate limit, rather than opt to charge them for their request.

Complaints

Where the applicant wishes to ask for an Internal Review of the information disclosed or the decision is not to disclose some or all of the information, the request should be made in writing to the [insert name/role].

Internal Reviews should be completed within 20 working days from the time the request for the review was received. In exceptional circumstances where the review is deemed complex, this may be extended to 40 days. The applicant should be informed of the timescale within which the review will be undertaken.

The applicant must be informed of the outcome of the review. Where the review overturns an original decision to withhold the information, the information should be disclosed to the applicant as soon as possible after the completion of the review.

To ensure the Internal Review stage is fair and impartial, a review of the decisions made during the original consideration for the release of information will be conducted.

Where the original decision is upheld, the Organisation is not obliged to undertake any further review. However, the applicant must be informed of their right of appeal to the Information Commissioners Office.

Full records of the progress of the review must be kept and any outcomes as a result of the review recorded. This will be subject to review and inspection by the Information Commissioner in any further investigations.

Personal Information and Health Records

Requests made by an applicant to review their own personal information and/or health records will not be disclosed under this procedure. All requests for personal information will be dealt with under the Data Protection Act 2018 (see DSAR Policy for guidance) or Access to Health Records Act 1990 as appropriate.

Organisation information is subject to copyright protection unless stated otherwise. If any person uses the Organisation’s copyright material, the source of the material must be quoted, and copyright status acknowledged. Unless expressly indicated on the material to the contrary, it may be reproduced free of charge for sole use, including for non-commercial research purposes, news reporting, in any format or medium, provided it is reproduced accurately, is not used in a misleading manner and is not used for commercial gain.

For information where the copyright is owned by another person or organisation, applications must be made to the copyright owner to obtain their permission.

Publishing the information or issuing copies may be subject to the provisions of the Re-use of Public Sector Information Regulations 2005 and will require permission of the Organisation and may require a fee.

Duty to Advise and Assist

All public bodies have a duty to assist applicants in requesting information. This could involve assisting applicants in making their requests by suggesting what information is available and/or contacting applicants who have made broad requests in order to specify information required so that it may be identified.

In circumstances where the Organisation does not hold the information requested, where known, applicants should be advised of the organisation that does hold the information and contact details supplied to them or if the applicant prefers, the Organisation can transfer the request to the organisation on the applicant’s behalf.

Dissemination and Implementation

This policy will be available to all staff via the Organisation intranet. Training will be given to all staff as part of mandatory Information Governance training at the Organisation.

Confidentiality

Whilst the purpose of the Act is to ensure that the Organisation is as transparent as possible the Organisation has a duty to maintain confidentiality relating to those who request information and to any request for information that falls under the confines of the Data Protection Act 2018.

Appendix 1 FOI Process Map

• FOI Request sent to Michael Then to Clinical DPO immediately upon receipt
• Clock starts ticking. The Organisation has 20 working days from the moment an FOI request is received to respond (Time limit can be extended where public interest test applies).
• FOI requests must be sent to Michael Peart, michael@thevillageoptician.com and logged on FOI register
• Acknowledgement sent to applicant within 48 hours [who]
• Is the request clear? No - Request clarification from applicant
• Is the request clear? Yes - Will the cost/time limit for processing the request exceed 2 ½ days? Yes Section 12 of the FOI Act (exceeds appropriate limit) applied. Refusal letter sent to applicant outlining grounds of appeal.
• Is the information publicly available? Section 21 of FOI applies. Refusal letter sent to applicant with details as to where in the public domain the information can be located.
• Is the information exempt? Apply one or more of 23 available exemptions. Refusal letter / public interest test sent to [who] for sign off.
• Clear requests, where no exemption exists must be responded to, providing the requested information, within 20 days.

Appendix 2

Section 40 – Personal Information

Definition of ‘Personal data’:

Data which relates to a living individual who can be identified:

1. a) From that data, or
2. b) From that data and other information which is in the possession of, or likely to come into the possession of the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Definition of ‘Sensitive Personal Data’:

1. Race or ethnic origin
2. Political opinions
3. Religious or other beliefs of a similar nature
4. Trade union membership
5. Physical or mental health
6. Sex life
7. Commission of offences
8. Criminal proceedings

FOIA Section 40 Exemption:

Under Section 40 of the Freedom of Information Act (FOIA), public authorities are, in general, exempt from the Act’s duty to provide access to personal data as defined above. Where an application for information constituting ‘personal data’ is made by the ‘data subject’ (i.e. the person who is the subject of the data), that information will be covered by the exemption in Section 40(1) and will automatically be channelled through the Subject Access Request (SAR) procedures established under the Data Protection Act 2018.

Subject access requests should be directed to the DPO [insert details].

Where an application for information is made by someone other than the ‘data subject’, disclosure of that information will often constitute a breach of the Data Protection Act and consequently the public authority will usually be exempt from its duties under the Freedom of Information Act as a result of Section 40(2).

Generally the exemptions in both sections 40(1) and 40(2) are absolute exemptions.

 

Please see below an ICO flowchart outlining the process of dealing with such requests:

https://ico.org.uk/media/for-organisations/documents/1167/flowchart_of_request_handling_under_foia.pdf