1. Data Protection
1.1 The principles of data processing
PEG, as a body that processes personal information, complies with the principles of data processing under the Data Protection Act 2018 (DPA 2018). DPA 2018 reflects the EU Directive General Data Protection Regulation (GDPR). PEG complies with the GDPR, which states that personal data shall be:
1.2 Meaning of personal data
The definition of personal data has been substantially expanded under the GDPR. Personal data means any information about a living individual which:
It also includes sensitive personal data such as cultural records, sexuality information and health records.
1.3 Data Protection – controlling your personal information
PEG is registered as a Data Controller with the Information Commissioner's Office. Register Entry: Registration No. ZA147281.
You may choose to restrict the collection or use of your personal information in ways detailed below. You should make requests by email to info@peglos.org.uk. We will require verification of the individual making the request.
Under GDPR you have several rights as below:
Individuals have the right to obtain:
We will respond to Subject Access Requests (SARs) within one month of receipt of the written request. We will extend the period of compliance by a further two months where requests are complex or numerous. There is no cost to you making an SAR unless the request is ‘manifestly unfounded or excessive.’ In this case we will charge a reasonable fee for multiple or complex requests or refuse the request. PEG can withhold disclosing personal data if doing so would adversely affect the rights and freedoms of others. If we refuse a request, we will explain to you within a month why we have refused it. You can appeal this to the ICO.
Upon such a request we will take reasonable steps to satisfy whether the data is accurate or inaccurate. If it is inaccurate we will take reasonable steps to rectify this data within one month. We will also contact other organisations that we have disclosed the data to unless this proves impossible or involves disproportionate effort.
If we are satisfied that the data is accurate we will inform you within one month that we will not be amending the data explaining our decision. If the data is an opinion it may be difficult to say that the data is inaccurate and requires rectification. We can refuse a request for rectification within one month if the request is manifestly unfounded or excessive charging a reasonable fee as necessary. You can raise this to the ICO if necessary.
We can extend the time to respond to a request by a further two months having explained within one month this is what we will be doing.
Where we have disclosed the personal data to others, we will contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, we will also inform the individuals about these recipients.
Where personal data has been made public in an online environment reasonable steps should be taken to inform other controllers who are processing the personal data to erase links to, copies or replication of that data, taking into account available technology and the cost of implementation.
The right to erasure does not apply if processing is necessary for one of the following reasons:
We have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.
Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information we hold or how we have processed their data. In most cases we will not be required to restrict an individual’s personal data indefinitely but will need to have the restriction in place for a certain period of time.
Individuals have the right to request we restrict the processing of their personal data in the following circumstances:
If an individual has challenged the accuracy of their data and asked for us to rectify it, they also have a right to request we restrict processing while we consider their rectification request. If an individual exercises their right to object under Article 21(1), they also have a right to request we restrict processing while we consider their objection request.
Therefore, as a matter of good practice we will automatically restrict the processing whilst we are considering its accuracy or the legitimate grounds for processing the personal data in question.
We will not process the restricted data in any way except to store it unless:
If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the restriction of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, we will also inform the individual about these recipients.
In many cases the restriction of processing is only temporary. Once we have made a decision on the accuracy of the data, or whether our legitimate grounds override those of the individual, we may decide to lift the restriction. If we do this, we will inform the individual before we lift the restriction.
You can make a complaint to the ICO or another supervisory authority or you can seek a judicial remedy.
We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If we consider that a request is manifestly unfounded or excessive we can:
In either case we will explain our decision.
If we decide to charge a fee we will contact the individual promptly and inform them. We do not need to comply with the request until we have received the fee.
You can make a request for restriction verbally or in writing.
We will act upon the request without undue delay and at the latest within one month of receipt. We can extend the time to respond by a further two months if the request is complex or we have received a number of requests from the individual. We must let the individual know within one month of receiving their request and explain why the extension is necessary.
You must have an objection on “grounds relating to your particular situation”.
We will stop processing the personal data unless:
We will inform individuals of their right to object at the point of first communication. We will stop processing personal data for direct marketing purposes as soon as we receive an objection.
We will deal with an objection to processing for direct marketing at any time and free of charge.
We will inform individuals of their right to object “at the point of first communication” and in our privacy notice. This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
If we process personal data for research purposes, you must have “grounds relating to your particular situation” in order to exercise your right to object to processing for research purposes. If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.
1.4 Why we collect and process your personal data
We collect information, principally to ensure that performers and contractors and others interested in the development of primary eye care services receive the latest guidance and advice on important issues relevant to the optical sector, as well as news on extended primary eye care services.
We may use your personal information:
Our legal basis for processing your personal data is legitimate interest.
1.5 What we collect
We may collect the following information:
1.6 How long do we keep your personal information?
We will retain your information while it is required for the purpose it was collected. Your information will be deleted within one month if
1.7 Security of personal data
Personal data is stored electronically. It is not stored in paper format. Sometimes we use third parties to process personal information and it is possible that it will be transferred to and stored in a location outside of the United Kingdom or the European Economic Area (EEA). Countries to which we transfer information may have different standards for controlling how your information is used and protected and these standards may not be as strict as those in place in the United Kingdom and EEA. If we transfer your information to a country which does not have data protection laws which offer an adequate level of protection for your information, we will make sure that the organisation which receives your information applies appropriate safeguards to protect your information, such as standard contractual clauses as adopted by the European Commission from time to time, or otherwise ensure that we can transfer your information in a way that complies with data protection law.
PEG shall take appropriate technical and organisational measures to limit the opportunity for unauthorised or unlawful processing of personal data and to guard against accidental loss or destruction of or damage to personal data. Appropriate contractual obligations shall be incorporated into contracts which PEG enters into with third parties.
PEG will ensure that those who undertake PEG’s data processing are aware of their responsibilities in relation to the processing of personal data as it applies to their area of work. Where appropriate, training will be given.
1.8 Sharing of personal data
We may share your information with third parties where we outsource certain functions for our legitimate interests, such as the effective business management of PEG. We also reserve the right to disclose your information if we are under any legal or regulatory obligation to do so; and in connection with any legal proceedings or prospective legal proceedings, in order to establish, exercise or defend our legal rights.
1.9 Email privacy
We have created this email privacy policy to demonstrate our firm commitment to your privacy and the protection of your information.
1.9.1 Why did you receive an email from us?
If you received a mailing from us, (a) your email address is either listed with us as someone who has expressly shared this address for the purpose of receiving information in the future ("opt-in"), or (b) you have an existing relationship with us. We respect your time and attention by controlling the frequency of our mailings.
1.9.2 How can you stop receiving email from us?
If you wish to cease receiving email from us please contact info@peglos.org.uk.
2. Website privacy
PEG is committed to ensuring that your privacy is protected.
2.1 Security
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
2.2 Cookies
A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. All recent versions of popular browsers give users a level of control over cookies. Users can set their browsers to accept or reject all, or certain, cookies.
2.3 Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
2.4 How we protect your privacy
We use security measures to protect against the loss, misuse and alteration of data used by our system.
3. Changes to this Data Protection and Privacy policy
If we change our privacy policy we will post the changes here. Where changes are significant, we may also choose to email registered users with the new information. Where required by law, we will obtain your consent to make these changes.
Publication of this policy 25th May 2018. Version 1.1