Privacy Policy

We are committed to protecting and respecting your privacy when dealing with your personal information.

This privacy policy sets out the basis on which any personal data we collect from you or that you provide to us is used, stored, disclosed and processed by us. Please read the following carefully to understand our views and practices regarding your personal data, how we will treat it and your rights in relation to that data. By providing your personal data to us or by using our services, website or other online or digital platform(s) you are accepting or consenting to the practices as described or referred to in this privacy policy. 

When we refer to ‘we’, ‘us’ and ‘our’, we mean employees of Vision Care Collective Ltd trading as Vision Care Clinic. We are registered in England and Wales under company number 07018262.  

Your Personal Data 

When we refer to personal data in this policy, we mean information that can or has the potential to identify you as an individual. We may hold and use personal data about you as a customer, employee, patient or in any other capacity.  Depending on what services you receive from us, this may include sensitive personal data, such as information relating to your health. 

When do we collect personal data about you?

We may collect personal data about you if you: 

  • Register to be a patient or customer with us or book to receive any of our diagnostic services. 
  • You are referred by a clinician, the NHS or any other organisation when you attend for a scan, outpatient assessment or operation. 
  • Visit one of our websites. 
  • Apply for a job with us and as part of the recruitment process. 
  • Enquire about any of our services. 
  • Use or request to use any of our online services. 
  • Fill in a form or survey for us. 
  • Carry out a transaction on our website. 
  • Participate in a competition, promotion, or marketing activity. 
  • Make online payments 
  • Contact us, for example, by email, telephone or social media. 
  • Participate in interactive features on any of our websites. 
  • Please note in the interests of training and continually improving our services, calls to Vision Care Collective may be monitored or recorded. 

Why do we collect your personal data?

  • To enable us to carry out our obligations to you in connection with the services we provide and/or arising from any contract entered into between you and us, including relating to the provision by us of services to you and related matters such as billing, accounting and audit, credit or other payment card verification, anti-fraud screening 
  • To process job applications, conduct any pre-employment screening and formalise any contracts of employment and/or contracts of service. 
  • Provide you with information, products or services that you request from us. 
  • Allow you to participate in interactive features of our services when you choose to do so 
  • Notify you about changes to our products or services. 
  • Respond to requests where we have a legal or regulatory obligation to do so 
  • Check the accuracy of your information and the quality of your care, including auditing medical and billing information for insurance claims and part of any claims or litigation process. 
  • Support your reporting clinician and other clinical staff. 
  • Assess the quality and/or type of care you have received (including allowing you to complete customer satisfaction surveys) and any concerns or complaints you may raise so that these can be appropriately investigated. 
  • To ensure that content from any of our websites is presented most effectively for you and your computing device. 

Lawful Basis 

To process your information in accordance with the data protection laws, we must establish a lawful basis for doing so which must be at least one of the following: 

  • Performance of a contract 
  • Legal obligation 
  • For the protection of our and your vital interest 
  • Legitimate interest and/or 
  • With your consent 

We process your personal information for several legitimate interests as set out within this privacy policy, having assessed and taken into account your interests, rights and freedoms.  

The security and storage of your personal data 

Your personal data will be kept confidential and secure and will, unless you agree otherwise, only be used for the purpose(s) for which it was collected and in accordance with this Privacy Policy, applicable data protection laws, clinical records retention periods and clinical confidentiality guidelines. 

Sensitive personal data related to your health will only be disclosed to those involved with your treatment or care, following data protection laws and guidelines of professional bodies or for the purpose of clinical audits and research (unless you object). We will only use your sensitive personal data for the purposes for which you have given it to us and where we have a lawful basis under the data protection laws to do so.  

Organisational and Technical Security Measures 

We have appropriate organisational and technical security measures in place to prevent unauthorised access or unlawful processing of personal data and to prevent personal data from being lost, destroyed or damaged. We continually audit our information systems to ensure ongoing security is robust. 

Any personal data you provide will be held for as long as necessary regarding the purpose for which it was collected and in accordance with all applicable data protection laws and/or appropriate guidance. 

Transfers of Personal Data outside the European Economic Area (“EEA”) 

Personal data we collect from you may be transferred to and stored at a destination outside the EEA. It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Where we transfer your personal data outside the EEA, we will ensure that there are adequate protections in place for your rights in accordance with data protection laws. By submitting your personal data and providing any personal data to us, you agree to this transfer, storage, or processing. We will take all steps reasonably necessary to ensure that your information is treated securely and in accordance with this Privacy Policy. 

All personal data you provide to us is stored securely. Any payment transactions on our website or through email links will be processed securely by third-party payment processors. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our website and information systems, you are responsible for keeping that password confidential. We ask you not to share a password with anyone.

The transmission of information via the internet cannot be guaranteed as completely secure.  However, we ensure that any information transferred to our websites is via an encrypted connection. Once we have received your information, we will use strict procedures and security features to prevent unauthorised access.  

At your request, we may occasionally transfer personal information to you via email, or you may choose to transfer information to us via email.  Email is not a secure transmission method; if you choose to send or receive such information via email, you do so at your own risk. 

Disclosure of your personal data 

We may disclose your personal data (to the extent necessary) to certain third-party organisations used to support the delivery of our services during our usual course of business. These may include the following: 

  • Business partners, suppliers and sub-contractors for the performance of services we provide to you 
  • Organisations providing IT systems support and hosting concerning the IT systems on which your information is stored. 
  • Third-party debt collectors for debt collection. 
  • Delivery companies for transportation. 
  • Third-party service providers for the purposes of the storage of information and confidential destruction, and third-party marketing companies to send marketing emails, subject to obtaining appropriate consent. 

Where a third-party data processor is used, we make sure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under data protection laws. 

We may also disclose your personal data to third parties if we sell or buy any business or assets or where we are required by law to do so. 

Health information collected during the provision of treatment or services 

Sensitive personal data (including information relating to your health) will only be disclosed to third parties in accordance with this Privacy Policy. That includes third parties involved with your care or in accordance with data protection laws and guidelines of appropriate professional bodies. Where applicable, it may be disclosed to any person or organisation responsible for meeting your expenses or their agents. It may also be provided to external service providers and regulatory bodies (unless you object) for the purpose of clinical audit to ensure the highest standards of care and record keeping are maintained. 

Clinical professionals working with us:  We share clinical information about you with our clinical professionals as we think necessary for your care.  Clinical professionals working with us might be our employees or independent consultants in private practice.  In the case of independent consultants, the consultant is the data controller of your personal data, either alone or jointly with us and will be required to maintain their own records in accordance with data protection laws and applicable clinical confidential guidelines and retention periods.  In all circumstances, those individual consultants will only process your personal data for the purposes set out in this Privacy Policy or as otherwise notified. 

Your GP:  If the clinician providing your care believes it to be clinically advisable, we may also share information about your care with your GP.  If your GP requests information regarding your care or copies of any relevant records, we may also share it with them.  You can ask us not to do this, in which case we will respect that request if we are legally permitted to do so, but you should be aware that it can be potentially very dangerous and/or detrimental to your health to deny your GP full information about your medical history, and we strongly advise against it. 

Your Insurer:  We share with your medical insurer information about your treatment, its clinical necessity, and its cost, but only if they are paying for all or part of your treatment with us.  We provide only the information to which they are entitled. If you raise a complaint or a claim, we may be required to share personal data with your medical insurer to investigate any complaint/claim.   

The NHS:  If you are referred to us for care by the NHS, we will share the details of your treatment with the part of the NHS that referred you to us, as necessary, to perform, process and report back on that care. 

Healthcare and Clinical regulators:  We may be requested – and in some cases can be required – to share certain information (including personal data and sensitive personal data) about you and your care with healthcare and clinical regulators such as the General Medical Council, the Health and Care Professions Council or the Care Quality Commission.  For example, if you make a complaint, or the conduct of a clinician involved in your treatment is alleged to have fallen below the appropriate standards, and the regulator wishes to conduct an investigation.  We will ensure that we do so within the framework of the law and with due respect for your privacy.  

In an emergency and if you are incapacitated, we may also process your personal data (including sensitive personal data) or make personal data available to third parties based on protecting your ‘vital interest’ (i.e. your life or your health). 

We participate in national audits and initiatives to help ensure patients get the best possible outcomes from their treatment and care.  The highest standards of confidentiality will be applied to your personal data in accordance with data protection laws and confidentiality. Publishing of this data will be in a pseudonymised, statistical format. Anonymous, pseudonymous or aggregated data may be used by us or disclosed to others for research or statistical purposes. 

Diagnostic Imaging Dataset (DIDs) 

Information from your diagnostic test will contribute to the Diagnostic Imaging Dataset (DID).  

The DID database contains information on the imaging tests and scans of NHS patients. This will allow NHS Digital, as England’s national source of health and social care information, to see how different tests are used nationwide. 

Nothing will ever be reported that identifies you.  All information is stored securely. It is only made available to appropriate staff and is kept strictly confidential. However, if you do not want your information to be stored in the DID, please tell the people who are treating you. They will make sure your information is not copied into the DID. You may, at a later date, still decide to opt-out by contacting NHS Digital directly, 

National Ophthalmic Database (NOD) 

Information about clinical outcomes may be shared with the National Ophthalmic Database (NOD).   

The National Ophthalmology Database (NOD) was established under the auspices of the Royal College of Ophthalmologists (RCOphth) in 2010 to collate pseudonymised data collected as a by-product of routine clinical care using electronic medical record (EMR) systems for the purposes of national audit, research and establishing meaningful measures for revalidation. The NOD audit collects data on cataract surgery performed in England and Wales and provides individual surgeons, healthcare providers and the public with benchmarked reports on performance to improve the care provided to patients. 

Nothing will ever be reported that identifies you. All information is stored securely. It is only made available to appropriate staff and is kept strictly confidential. 

CCTV 

CCTV surveys many of our premises for security and safe provision of care.  Images and videos are retained for a limited period. 

Your Rights 

You have the following rights concerning your personal data:

  • Right of access: the right to make a written request for details of your personal information and a copy of that personal information 
  • Right to rectification: the right to have inaccurate information about you corrected or removed. 
  • Right to erasure (‘right to be forgotten’): the right to have certain personal information about you erased 
  • Right to restriction of processing: the right to request that your personal information is only used for restricted purposes 
  • Right to object to processing your personal information in cases where our processing is based on the performance of a task carried out in the public interest, or we have let you know the processing is necessary for our or a third party’s legitimate interests. 
  • Right to data portability: the right to ask for the personal information you have made available to us to be transferred to you or a third party in machine-readable formats 
  • Right to withdraw consent: the right to withdraw any consent you previously gave us to handle your personal information. If you withdraw your consent, this will not affect the lawfulness of our use of your personal information before the withdrawal of your consent, and we will let you know if we will no longer be able to provide you with your chosen product or service. 
  • Right to automated decisions: you have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you unless it is necessary for entering into a contract with you; it is authorised by law, or you have given your explicit consent. We will let you know when such decisions are made, the lawful grounds we rely on and the rights you have. 

Please note: Your rights are not absolute; they do not always apply in all cases, and we will let you know in our correspondence with you how and whether we will be able to comply with your request. 

If you want to exercise your rights in respect of your personal data, the best way to do so is to contact us by email at dataprotectionofficer@visioncarecollective.com or to write to us for the attention of the data protection officer at the address below. In order to protect your privacy, we may ask you to prove your identity before we take any steps in response to such a request. 

Vision Care Collective Limited (trading as Vision Care Clinic)
157 Redland Road
Bristol BS6 6YE 

If you are unsatisfied with how we handle your request, you can contact the Information Commissioner’s Office on 0303 123 1113 or visit their website (http://www.ico.org.uk). 

Changes to our Privacy Policy 

We keep our Privacy Policy under regular review and as a result it may be amended from time to time without notice. As a result, we encourage you to review this Privacy Policy regularly.