SUB CONTRACTING PRACTICES AND NHS ORGANISATIONS
1. Data Protection
1.1 The principles of data processing
Primary Eyecare (East London & City) Ltd is a body that processes personal information complies with the principles of data processing under the Data Protection Act 2018 (DPA 2018). DPA 2018 reflects the EU Directive General Data Protection Regulation (GDPR). The Company complies with GDPR that states personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
1.2 Meaning of personal data
The definition of personal data has been substantially expanded under the GDPR. Personal data means any information about a living individual which:
- Identifies that individual (for example, by name, address, qualifications, credit card number, national insurance number);
- together with other information which is held by, or is likely to come into the possession of the data controller that will identify that individual; or
- includes any expression of opinion about the individual or indication of the intentions of the data controller or any other person in respect of the individual.
It also includes sensitive personal data such as cultural records, sexuality information and health records.
1.3 Data Protection – controlling your personal information
Primary Eyecare (East London & City) Ltd is registered as a Data Controller with the Information Commissioner’s Office. Register Entry: ZA104653.
You may choose to restrict the collection or use of your personal information in ways detailed below. You should make requests in writing to Unit 3, 2 Thayers Farm Road, Beckenham, BR3 4LZ or email to [email protected] . We will require verification of the individual making the request. Under GDPR you have several rights as below:
- Right to be informed: You have the right to be informed about the collection and use of your personal data. If you make a request of this nature we will provide:
- our purposes for processing your personal data
- our retention periods for your personal data
- whom it will be shared with.
- Right of access: Individuals have the right to access their personal data and supplementary information and be aware of and verify the processing of their personal data.
Individuals have the right to obtain:
- confirmation that their data is being processed
- access to their personal data
- other supplementary information as per our privacy notice.
We will respond to Subject Access Requests (SARs) within one month of receipt of the written request. We will extend the period of compliance by a further two months where requests are complex or numerous. There is no cost to you making an SAR unless the request is ‘manifestly unfounded or excessive.’ In this case we will charge a reasonable fee for multiple or complex requests or refuse the request. The company can withhold disclosing personal data if doing so would adversely affect the rights and freedoms of others. If we refuse a request, we will explain to you within a month why we have refused it. You can appeal this to the ICO.
- Right to rectification: you can request that your inaccurate personal data is corrected or completed if it is incomplete. You can make this request verbally or in writing.
Upon such a request we will take reasonable steps to satisfy whether the data is accurate or inaccurate. If it is inaccurate we will take reasonable steps to rectify this data within one month. We will also contact other organisations that we have disclosed the data to unless this proves impossible or involves disproportionate effort.
If we are satisfied that the data is accurate we will inform you within one month that we will not be amending the data explaining our decision. If the data is an opinion it may be difficult to say that the data is inaccurate and requires rectification. We can refuse a request for rectification within one month if the request is manifestly unfounded or excessive charging a reasonable fee as necessary. You can raise this to the ICO if necessary.
We can extend the time to respond to a request by a further two months having explained within one month this is what we will be doing.
- Right to erasure: you have the right to have your personal data erased by the company where:
- the personal data is no longer necessary for the purpose which we originally collected or processed it for
- we are relying on consent as our lawful basis for holding the data, and the individual withdraws their consent
- we are relying on legitimate interests as our basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing
- we are processing the personal data for direct marketing purposes and the individual objects to that processing
- we have processed the personal data unlawfully
- we have to do it to comply with a legal obligation
- we have processed the personal data to offer information society services to a child
Where we have disclosed the personal data to others, we will contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, we will also inform the individuals about these recipients.
Where personal data has been made public in an online environment reasonable steps should be taken to inform other controllers who are processing the personal data to erase links to, copies or replication of that data, taking into account available technology and the cost of implementation.
The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation
- for the performance of a task carried out in the public interest or in the exercise of official authority
- for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
- Right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, we are permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing.
We have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.
Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information we hold or how we have processed their data. In most cases we will not be required to restrict an individual’s personal data indefinitely but will need to have the restriction in place for a certain period of time.
Individuals have the right to request we restrict the processing of their personal data in the following circumstances:
- you contest the accuracy of their personal data and we are verifying the accuracy of the data
- the data has been unlawfully processed and the individual opposes erasure and requests restriction instead
- we no longer need the personal data but the individual needs us to keep it in order to establish, exercise or defend a legal claim
- the individual has objected to us processing their data, and we are considering whether our legitimate grounds override those of the individual.
If an individual has challenged the accuracy of their data and asked for us to rectify it, they also have a right to request we restrict processing while we consider their rectification request. If an individual exercises their right to object under Article 21(1), they also have a right to request we restrict processing while we consider their objection request.
Therefore, as a matter of good practice we will automatically restrict the processing whilst we are considering its accuracy or the legitimate grounds for processing the personal data in question.
We will not process the restricted data in any way except to store it unless:
- we have the individual’s consent
- it is for the establishment, exercise or defence of legal claims
- it is for the protection of the rights of another person (natural or legal) or
- it is for reasons of important public interest.
If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the restriction of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, we will also inform the individual about these recipients.
In many cases the restriction of processing is only temporary. Once we have made a decision on the accuracy of the data, or whether our legitimate grounds override those of the individual, we may decide to lift the restriction. If we do this, we will inform the individual before we lift the restriction.
You can make a complaint to the ICO or another supervisory authority or you can seek a judicial remedy.
We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If we consider that a request is manifestly unfounded or excessive we can:
- request a “reasonable fee” to deal with the request
- refuse to deal with the request.
In either case we will explain our decision.
If we decide to charge a fee we will contact the individual promptly and inform them. We do not need to comply with the request until we have received the fee.
You can make a request for restriction verbally or in writing.
We will act upon the request without undue delay and at the latest within one month of receipt. We can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. We must let the individual know within one month of receiving their request and explain why the extension is necessary.
- Right to object: Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- direct marketing
- processing for purposes of scientific/historical research and statistics.
You must have an objection on “grounds relating to your particular situation”. We will stop processing the personal data unless:
- we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- the processing is for the establishment, exercise or defence of legal claims.
We will inform individuals of their right to object at the point of first communication. We will stop processing personal data for direct marketing purposes as soon as we receive an objection.
We will deal with an objection to processing for direct marketing at any time and free of charge.
We will inform individuals of their right to object “at the point of first communication” and in our privacy notice. This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
If we process personal data for research purposes individuals have “grounds relating to your particular situation” in order to exercise your right to object to processing for research purposes. If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.
1.4 Why we collect and process your personal data
We collect and process personal data of local contractors and performers principally to ensure that we can fulfil our obligations in the performance and development of Community Services. We also collect this information to ensure that interested parties are kept informed about the work of XXX Ltd and the range of support available to local contractors and performers. We may check information provided with other information held by us or by others.
We collect this information to understand your needs and provide you with a better service, and in particular for the following reasons:
- We may periodically send emails about events, and the range of support available using the email address which you have provided.
- From time to time, we may also use your information to invite you to participate in a survey. We may contact you by email, phone, fax or mail. We may use the information to customise the website according to your interests.Our legal basis for processing personal data is contract.
1.5 What we collect
We may collect the following information:
- name, job title, and organisation
- contact information including email address
- demographic information such as postcode, preferences and interests
- other information relevant to customer or member surveys and/or offers
- photographs from events etc
1.6. Security of personal data
Personal data is stored electronically on the LOC’s database and within the UK. It is not stored in paper format.
Primary Eyecare (East London & City)) Ltd shall continue to take appropriate technical and organisational measures to limit the opportunity for unauthorised or unlawful processing of personal data and to guard against accidental loss or destruction of or damage to personal data. Appropriate contractual obligations shall be incorporated into contracts which the company enters into with third parties.
Primary Eyecare (East London & City) Ltd will continue to ensure that appropriate staff are employed to undertake the company’s data processing and that they are aware of their responsibilities in relation to the processing of personal data as it applies to their area of work. Where appropriate, training will be given.
1.7 Sharing of personal data
We will not share your information with third parties without your explicit consent.
We may also share your information with third parties where we outsource certain functions, including but not limited to, our finance and logistics functions and other service products that we use. We would do this, for our legitimate interests, such as the effective financial and business management of the company.
1.8 Email privacy
1.8.1 Why did you receive an email from us?
If you received a mailing from us, (a) your email address is either listed with us as someone who has expressly shared this address for the purpose of receiving information in the future (“opt-in”), or (b) you have an existing relationship with us. We respect your time and attention by controlling the frequency of our mailings.
1.8.2 How can you stop receiving email from us?
Each email sent contains an easy, automated way for you to cease receiving email from us, or to change your expressed interests. If you wish to do this, simply follow the instructions at the end of any email.
If you have received unwanted, unsolicited email sent via this system or purporting to be sent via this system, please forward a copy of that email with your comments [email protected] for review.
2. Website privacy
Primary Eyecare (East London & City) Ltd is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, you can be assured that it will only be used in accordance with this privacy statement.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. Follow this link to find out more about cookies and how we use them
2.3 Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
2.4 How we protect your privacy
We use security measures to protect against the loss, misuse and alteration of data used by our system.
Publication of this policy 25th May 2018. Version 1.1