Data Protection and Privacy Policy

 

1. Data Protection

1.1 The principles of data processing
PEG as a body that processes personal information complies with the principles of data processing under the Data Protection Act 2018 (DPA 2018). DPA 2018 reflects the EU Directive General Data Protection Regulation (GDPR). PEG complies with GDPR that states personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

1.2 Meaning of personal data
The definition of personal data has been substantially expanded under the GDPR. Personal data means any information about a living individual which:

  • Identifies that individual (for example, by name, address, qualifications, credit card number, national insurance number);
  • together with other information which is held by, or is likely to come into the possession of the data controller that will identify that individual; or
  • includes any expression of opinion about the individual or indication of the intentions of the data controller or any other person in respect of the individual.

It also includes sensitive personal data such as cultural records, sexuality information and health records.

 

1.3 Data Protection – controlling your personal information
PEG is registered as a Data Controller with the Information Commissioner's Office. Register Entry: Registration No. ZA147281

You may choose to restrict the collection or use of your personal information in ways detailed below. You should make requests by email to info@peglos.org.uk  . We will require verification of the individual making the request.
Under GDPR you have several rights as below:

  • Right to be informed: You have the right to be informed about the collection and use of your personal data. If you make a request of this nature we will provide:
  • our purposes for processing your personal data
  • our retention periods for your personal data
  • whom it will be shared with.
  •  
  • Right of access: Individuals have the right to access their personal data and supplementary information and be aware of and verify the processing of their personal data.

Individuals have the right to obtain:

  • confirmation that their data is being processed
  • access to their personal data
  • other supplementary information as per our privacy notice.

 

We will respond to Subject Access Requests (SARs) within one month of receipt of the written request. We will extend the period of compliance by a further two months where requests are complex or numerous. There is no cost to you making an SAR unless the request is ‘manifestly unfounded or excessive.’ In this case we will charge a reasonable fee for multiple or complex requests or refuse the request. PEG can withhold disclosing personal data if doing so would adversely affect the rights and freedoms of others. If we refuse a request, we will explain to you within a month why we have refused it. You can appeal this to the ICO.

 

  • Right to rectification: you can request that your inaccurate personal data is corrected or completed if it is incomplete. You can make this request verbally or in writing.

 

Upon such a request we will take reasonable steps to satisfy whether the data is accurate or inaccurate. If it is inaccurate we will take reasonable steps to rectify this data within one month. We will also contact other organisations that we have disclosed the data to unless this proves impossible or involves disproportionate effort.

 

If we are satisfied that the data is accurate we will inform you within one month that we will not be amending the data explaining our decision. If the data is an opinion it may be difficult to say that the data is inaccurate and requires rectification. We can refuse a request for rectification within one month if the request is manifestly unfounded or excessive charging a reasonable fee as necessary. You can raise this to the ICO if necessary.

 

We can extend the time to respond to a request by a further two months having explained within one month this is what we will be doing.

 

  • Right to erasure: you have the right to have your personal data erased by PEG where:
     
  • the personal data is no longer necessary for the purpose which we originally collected or processed it for
  • we are relying on consent as our lawful basis for holding the data, and the individual withdraws their consent
  • we are relying on legitimate interests as our basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing
  • we are processing the personal data for direct marketing purposes and the individual objects to that processing
  • we have processed the personal data unlawfully
  • we have to do it to comply with a legal obligation
  • we have processed the personal data to offer information society services to a child (not applicable to PEG).

Where we have disclosed the personal data to others, we will contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, we will also inform the individuals about these recipients.

Where personal data has been made public in an online environment reasonable steps should be taken to inform other controllers who are processing the personal data to erase links to, copies or replication of that data, taking into account available technology and the cost of implementation.

The right to erasure does not apply if processing is necessary for one of the following reasons:

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation;
  • for the performance of a task carried out in the public interest or in the exercise of official authority;
  • for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • for the establishment, exercise or defence of legal claims.

 

  • Right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, we are permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing.

 

We have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.

 

Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information we hold or how we have processed their data. In most cases we will not be required to restrict an individual’s personal data indefinitely but will need to have the restriction in place for a certain period of time.

 

Individuals have the right to request we restrict the processing of their personal data in the following circumstances:

 

  • you contest the accuracy of their personal data and we are verifying the accuracy of the data
  • the data has been unlawfully processed and the individual opposes erasure and requests restriction instead
  • we no longer need the personal data but the individual needs us to keep it in order to establish, exercise or defend a legal claim
  • the individual has objected to us processing their data, and we are considering whether our legitimate grounds override those of the individual.

 

If an individual has challenged the accuracy of their data and asked for us to rectify it, they also have a right to request we restrict processing while we consider their rectification request. If an individual exercises their right to object under Article 21(1), they also have a right to request we restrict processing while we consider their objection request.

 

Therefore, as a matter of good practice we will automatically restrict the processing whilst we are considering its accuracy or the legitimate grounds for processing the personal data in question.

 

We will not process the restricted data in any way except to store it unless:

 

  • we have the individual’s consent
  • it is for the establishment, exercise or defence of legal claims
  • it is for the protection of the rights of another person (natural or legal) or
  • it is for reasons of important public interest.

If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the restriction of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, we will also inform the individual about these recipients.

In many cases the restriction of processing is only temporary. Once we have made a decision on the accuracy of the data, or whether our legitimate grounds override those of the individual, we may decide to lift the restriction. If we do this, we will inform the individual before we lift the restriction.

You can make a complaint to the ICO or another supervisory authority or you can seek a judicial remedy.

 

We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If we consider that a request is manifestly unfounded or excessive we can:

  • request a "reasonable fee" to deal with the request
  • refuse to deal with the request.

In either case we will explain our decision.

If we decide to charge a fee we will contact the individual promptly and inform them. We do not need to comply with the request until we have received the fee.
 

You can make a request for restriction verbally or in writing.

We will act upon the request without undue delay and at the latest within one month of receipt. We can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. We must let the individual know within one month of receiving their request and explain why the extension is necessary.

  • Right to object: Individuals have the right to object to:

 

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
  • direct marketing (PEG does not engage in this)
  • processing for purposes of scientific/historical research and statistics.
     

You must have an objection on “grounds relating to your particular situation”.

 

We will stop processing the personal data unless:

 

  • we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims.

 

We will inform individuals of their right to object at the point of first communication. We will stop processing personal data for direct marketing purposes as soon as we receive an objection.

 

We will deal with an objection to processing for direct marketing at any time and free of charge.

 

We will inform individuals of their right to object “at the point of first communication” and in our privacy notice. This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

 

If we process personal data for research purposes individuals have “grounds relating to your particular situation” in order to exercise your right to object to processing for research purposes. If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.

 

1.4 Why we collect and process your personal data  
We collect information, principally to ensure that performers and contractors and others interested in the development of primary eye care services receive the latest guidance and advice on important issues relevant to the optical sector, as well as news on extended primary eye care services. 

 

 

We may use your personal information:

  • to provide you with information you have requested
  • to provide guidance and advice on important issues relevant to contractors and performers on  Gloucestershire ophthalmic list.
  • to invite you to events in which you may be interested.
  • to answer your questions and communicate with you in general.
  • to satisfy legal or regulatory obligations.

Our legal basis for processing your personal data is legitimate interest.

 

1.5 What we collect
We may collect the following information:

  • name, job title, and organisation
  • contact information including email address
  • other information relevant to professional registration
  • photographs from events etc

1.6 How long do we keep your personal information?

We will retain your information while it is required for the purpose it was collected. Your information will be deleted within one month if

  • You notify us that you are leaving the Gloucestershire ophthalmic list and no longer wish to have communication with us.
  • We are no longer lawfully entitled to process your information; or
  • You validly exercise your rights of erasure under GDPR

 

 

1.7 Security of personal data
Personal data is stored electronically.  It is not stored in paper format. Sometimes we use third parties to process personal information and it is possible that it will be transferred to and stored in a location outside of the United Kingdom or the European Economic Area (EEA).Countries to which we transfer information may have different standards for controlling how your information is used and protected and these standards may not be as strict as those in place in the United Kingdom and EEA. If we transfer your information to a country which does not have data protection laws which offer an adequate level of protection for your information, we will make sure that the organisation which receives your information applies appropriate safeguards to protect your information, such as standard contractual clauses as adopted by the European Commission from time to time, or otherwise ensure that we can transfer your information in a way that complies with data protection law.

PEG shall take appropriate technical and organisational measures to limit the opportunity for unauthorised or unlawful processing of personal data and to guard against accidental loss or destruction of or damage to personal data. Appropriate contractual obligations shall be incorporated into contracts which PEG enters into with third parties.

PEG will ensure that those who undertake PEG’s data processing are aware of their responsibilities in relation to the processing of personal data as it applies to their area of work. Where appropriate, training will be given.

 

1.8 Sharing of personal data
We may share your information with third parties where we outsource certain functions for our legitimate interests, such as the effective business management of PEG. We also reserve the right to disclose your information if we are under any legal or regulatory obligation to do so; and in connection with any legal proceedings or prospective legal proceedings, in order to establish, exercise or defend our legal rights.

 

1.9 Email privacy

We have created this email privacy policy to demonstrate our firm commitment to your privacy and the protection of your information. 

1.9.1 Why did you receive an email from us?
If you received a mailing from us, (a) your email address is either listed with us as someone who has expressly shared this address for the purpose of receiving information in the future ("opt-in"), or (b) you have an existing relationship with us. We respect your time and attention by controlling the frequency of our mailings. 

1.9.2 How can you stop receiving email from us?
If you wish to cease receiving email from us please contact info@peglos.org.uk 

 

2. Website privacy

PEG is committed to ensuring that your privacy is protected.

 

2.1 Security
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

 

2.2 Cookies
A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. All recent versions of popular browsers give users a level of control over cookies. Users can set their browsers to accept or reject all, or certain, cookies.

 

2.3 Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question. 

 

2.4 How we protect your privacy
We use security measures to protect against the loss, misuse and alteration of data used by our system.

 

3. Changes to this Data Protection and Privacy policy

If we change our privacy policy we will post the changes here. Where changes are significant, we may also choose to email registered users with the new information. Where required by law, will we obtain your consent to make these changes. 

Publication of this policy 25th May 2018. Version 1.1
 

Print Print | Sitemap
© Primary Eyecare (Gloucestershire) Ltd.
Login

Web ViewMobile View

Logout | Edit page