Freedom of Information Act Statement available at https://www.leightons.co.uk/privacy-cookies/freedom-of-information.
PRIVACY NOTICE FOR THE LEIGHTONS GROUP
Last Updated January 2022
You have trusted us to take care of your eye and hearing needs, and you can equally trust us with your privacy and personal information. We are committed to the highest standards of data privacy and patient confidentiality. However you interact with us, we only collect the data necessary to deliver the best care and service possible and to remind you about appointments or anything else related to your ongoing care. This privacy notice provides information on:
- What data we collect from you.
- How and why we process it.
- Your privacy rights and how the law protects you.
- Who we may share it with and why.
We adopt the six core principles of data protection which are:
- Lawfulness, fairness and transparency - we process personal data lawfully, fairly and in a transparent manner in relation to you, the data subject.
- Purpose limitation - we only collect personal data for a specific, explicit and legitimate purpose. We clearly state what this purpose is in this Privacy Notice, and we only collect data for as long as necessary to complete that purpose.
- Data minimisation - we ensure that personal data we process is adequate, relevant and limited to what is necessary in relation to the processing purpose.
- Accuracy - we take every reasonable step to update or remove data that is inaccurate or incomplete. You have the right to request that we erase or rectify erroneous data that relates to you, and we will complete this task as soon as possible but guarantee to do so within a month.
- Storage limitation - we delete personal data when we no longer need it. Whilst the timescales in most cases aren't set, we outline our retention strategy within this Privacy Notice.
- Integrity and confidentiality - we keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Information about the Leightons Group and collection of Personal Data
In this privacy notice any reference to "you" means the person whose personal information we collect, use and process. This includes anyone who contacts us in connection with the products and services we provide or who interacts with us via our website www.leightons.co.uk, via our online booking system, by telephone or face to face in practice.
Categories and Types of Personal Data Collected and Processed
We collect the following contact details from you:
- Telephone number(s) (including mobile)
- Email addresses
- Personal identifiers (such as date of birth and NHS number)
In addition to this contact information we collect clinical data including:
- Your relevant current and past general, eye and ear health history, your family medical and ocular history, and any relevant signs or symptoms you tell us about
- Details of medicines, spectacles, contact lenses and hearing instruments prescribed for you
- Details of examinations and other healthcare checks and treatments we provide
- Relevant lifestyle information such as employment, hobbies and driving information which may impact on eye or ear care
- Information relevant to your continued care from other people who care for you or know you well, such as other health professionals and relatives
We collect financial information where appropriate, including:
- Your payment card details via EPOS
- Banking details for Direct Debit mandates
When you visit the Leightons website we collect:
- Information you provide by filling in forms on the Leightons website
- Details of your visit to the website and any transactions you carry out on the website
- Any other information voluntarily provided by you.
This information is generally collected directly from you, as you have voluntarily provided it to us. Where lawful to do so we may also collect information from other sources such as the NHS, other healthcare providers, individuals authorised to provide information (e.g. parents or legal guardians), financial institutions, and government, tax or law enforcement agencies. We may also collect personal information from your use of other Leightons Group websites or services.
Why we collect and process your personal data and how it is used
The information we collect about you is for the purposes of healthcare to ensure we provide you with the very best and appropriate advice, care, products and services you’ve requested and other purposes e.g.:
- to confirm your identity and address
- to respond to queries from you
- to remind you when your next appointments are due and to book them
- occasionally we may contact you to ask your feedback on the products and services we have provided to make continual improvements
- to suggest other relevant products and services we believe would be of interest and benefit you.
- banking, payment and order details to fulfil an order, deal with queries or refunds and collect Direct Debit payments as agreed for MyLeightons Care Plans, Contact Lens products and services, Eye Health Products and Hearing Care products and services
- to notify you about changes to our products and services
- to offer you the opportunity to trial new products and services
- to manage and administer insurance claims
- to maintain records for legal, regulatory, tax and other corporate purposes
- to ensure that content from “the website” is presented in the most effective manner for you and your computer
- to improve our service through survey and feedback requests to you, and to make our services and products more relevant to you
Our legal basis for processing your personal data
- the provision of health care - a special category of data processed under Article 9(2)(h) (for examination records and appointment reminders)
- meeting a legitimate interest - to inform you of eye and hearing health products and services which may be relevant to you.
- Contract - carrying out an agreement we have with you
- fulfilling a legal obligation
- having your consent to it
- public task - when we provide services under the NHS for a funded sight test
- to improve the products and services we provide you – via the use of customer surveys, cookies, research and analysis
We use live chat software on our website; this is provided by Click4Assistance, a third-party UK-based software company. Information regarding how the data is processed and stored can be viewed here.
How long is your information kept for?
Your personal information will be retained by the Leightons Group for as long as reasonably necessary (and as defined by health, legal and tax laws and regulations) for us to continue to provide you with products and services. We are also required to maintain records for legitimate purposes e.g. to satisfy tax and other legal requirements, to help us respond to queries or for other reasons e.g. responding to requests from regulators and the NHS and to protect and defend against claims.
How we hold and share your personal data
We process your personal data in strict confidence. We keep your personal data securely in our filing and electronic systems. Patient records are only accessible to the healthcare professionals working at the practice and those under their supervision.
We process three categories of data and retain this for different periods of time.
Contact information is retained as long as the data subject is a customer of ours. Where the data subject has not used our services recently, and in the absence of a direct data subject request, we hold contact information for a period of 8 years from their last engagement with us.
Based on the guidance of the College of Optometrists the clinical data we process is held for a period of ten years after your last appointment with us. Payment information is held by us only as long as is necessary to process the payment, to set up a direct debit mandate and meet all UK Financial Regulations.
If we collected the data when you were aged under 18 we will keep it until your 25th birthday, in line with NHS requirements. In exceptional cases we may need to retain personal data for a longer period, and will explain our reasons for doing so on request.
In the course of processing your personal data we may share it with:
- Healthcare professionals working at our practices and those under their supervision
- Healthcare professionals and those under their supervision at other optical practices, but only if you have specifically asked us to pass your personal data (such as your prescription) to them
- Your GP, ophthalmologists and other healthcare providers and commissioners, and suppliers of optical and hearing appliances or similar products, in connection with your ongoing healthcare treatment
- Software providers for our survey, feedback, patient record and invoicing systems, and financial institutions, so that we can keep patient records up-to-date and arrange credit card or direct debit payment for products and services provided to you
- Adaro Optics, with your agreement, to provide the home delivery and payment facilities by direct debit or card payment for optical and hearing products and services. Payment card processing facilities for this service are provided by Stripe, a US-based company
- The police for the prevention and detection of fraud and criminal activities
- Our insurers in the event a claim is made or could be made against the Leightons Group
- A full list of data processors and sub-processors we use is available from our Data Protection Officer
Transferring your information overseas
The data we collect from you may be electronically transferred to, stored and processed outside the European Economic Area (EEA). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. By submitting your personal data, you agree to this transfer, storing or processing. For any personal data transfer outside the EEA, we will ensure that we have a contractual agreement in place with the supplier which incorporates the EU-approved Standard Contractual Clauses, and that they apply adequate technical and organisational measures.
We will ensure all reasonable steps are taken so that your data is treated securely and in accordance with this privacy notice and the requirements of The Data Protection Act 2018.
What are cookies?
Cookies are small text files used to store small pieces of information. They are stored on your device when the website is loaded in your browser. These cookies help us make the website function properly, make it more secure, provide a better user experience, understand how the website performs, and analyse what works and where it needs improvement.
Like most online services, our website uses first-party and third-party cookies for several purposes. First-party cookies are mostly necessary for the website to function correctly, and they do not collect any of your personally identifiable data.
The third-party cookies used on our website are mainly for understanding how the website performs and how you interact with it, keeping our services secure, providing advertisements that are relevant to you, and overall providing you with a better user experience and speeding up your future interactions with our website.
You can change your cookie preferences at any time using the "Manage cookie preferences" button on our website. This will let you revisit the cookie consent banner and change your preferences or withdraw your consent right away.
In addition, different browsers provide different methods to block and delete cookies used by websites. You can change the settings of your browser to block or delete cookies. Listed below are the links to the support documents on how to manage and delete cookies in the major web browsers.
If you are using any other web browser, please visit your browser’s official support documents.
You have certain legal rights under The Data Protection Act 2018 in respect of the personal data we hold about you. The rights that are most relevant to the way in which we use your personal data include:
- The right to be informed about how we use personal data – this privacy notice gives that information
- The right of access – if you ask us for the personal data we hold about you we will provide it within a month, free of charge (unless we have already provided it to you, in which case we may have to charge you the administrative cost of providing it again).
- The right to rectification – if you ask us to correct personal data about you that is inaccurate or incomplete, where possible we will do so within a month (unless we need longer, in which case we will discuss this with you). It’s important to keep us up-to-date with your latest contact details.
- The right to object – if you object to us processing your data for marketing purposes, or for healthcare purposes or where our legal basis is legitimate interests (see ‘why we collect and process your personal data’, above), we will then stop doing so, unless we are processing the data in respect of a legal claim or can otherwise show that our legitimate interest in processing the data overrides your rights and interests.
- The right to erasure – also known as the ‘right to be forgotten’. If you ask us to delete your personal data, we will do so if there is no compelling reason to continue processing the data. We will not usually delete healthcare data before our usual time limit (see ‘how we hold and share your personal data’ above) where we have a duty to keep accurate records – for example, to comply with a legal obligation, or in connection with a legal claim. If you ask us to delete such data we will discuss this with you.
- The right to data portability – this allows you to obtain and reuse your personal data for your own purposes across different services.
Updating your contact details and preferences:
To ensure we can continue to provide you with excellent eye and hearing healthcare, we are required to send you ‘clinically necessary’ non-marketing material such as appointment reminders, notification when your prescription is due to expire, and when your products are available for collection.
We updated our communication services so that, from May 2018, each email and SMS we send has a link for you to update your contact details and your preferences for which communications you receive from us and by which method. Patients registered with MySight can log in to book appointments and amend their contact details and communication preferences via https://leightons.mysight.uk/.
You can also contact your local Leightons Opticians and Hearing Care practice to update your contact details and preferences for both Optical and Hearing Services.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
Modern physical and electronic security systems are not entirely secure and we cannot guarantee the complete security of our database. The transmission of information through the internet is not completely secure. We will do our best to protect your personal data, but we cannot guarantee the security of your data transmitted to the website through the internet; any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to prevent unauthorised access.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Contacting us and the ICO about your personal data
Please speak to us first if you have any questions or concerns about the way in which we process personal data.
You can contact our Data Protection Officer by emailing [email protected], or by telephone on 0203 411 2848.