Alexander Opticians Compliance Document – GDPR

Alexander Opticians
97 London Road
East Grinstead
West Sussex
RH19 1EQ

ICO = Information Commissioners Office

OC = Optical Confederation

Opening Statement:  We have familiarised ourselves with the GDPR via ICO, OC and Optical Press sources.  We have prepared for its introduction and believe we are compliant.  Our staff have been trained and are familiar with our obligations.  Alexander Opticians promises to respect any personal data shared with us and keep it safe.

  1. Awareness
    Our  staff are aware that the law is changing on 25 May 2018 and we have had discussions regarding its impact on our business.  These statements will be circulated amongst all our staff.
  2. Information We Hold
    See Annex A. We hold personal data on:-

    • A) Patients-which includes name, DOB, address, phone number(s), email address (sometimes), GP name and/or surgery, and clinical records which include retinal photographs, field results, referral letters etc.
    • B) Customers-we keep some customer bank records for payment of contact lenses on a standing order.
    • C) Staff Records-include name, DOB, address, phone number(s), bank details and NI number.

    All the above data is given to us by the person or their representative concerned.  See Annex A  for who this is shared with.

  3. Communicating Privacy Information
    We are very careful with the information we hold due to its private and sensitive nature.  See “Privacy Notice” which explains this in further detail.
  4. Individual Rights
    GDPR includes the following rights for individuals:  see Annex C

    • the right to be informed
    • the right of access
    • the right to rectification
    • the right to erasure
    • the right to restrict processing
    • the right to data portability
    • the right to object
    • the right not to be subject to automated decision-making including profiling

    In the case of a patient or customer requiring their personal data to be deleted, provided this complies with NHS time limits for erasure this would be done. However we are contracted to the NHS and obliged to comply with the NHS rules about time limits for erasure-see Annex A.

    In the case of a staff member we would be constrained by tax office requirements.

    Paper records are shredded, computer records are securely deleted.   The decision to do this rests with the partners of Alexander Opticians.

    In the case of the right to data portability, this will be possible free of charge.  It applies to:

    • personal data an individual has provided to a controller
    • where the processing is based on the individual’s consent or for the performance of a contract and
    • when processing is carried out by automated means
  5. Subject Access Requests
    Requests for data will be:

    • In most cases free of charge
    • Will be provided within a month
    • Can be refused or charged for if unfounded or excessive (and if refused we will explain why within 1 month and advise of the right to complain to the ICO)
  6. Lawful Basis For Processing Data
    See Annex A

    This outlines our legal basis for processing personal data for patients, customers and staff and as such we comply with GDPR accountability requirements.

  7. Consent
    Generally we do not rely on “consent” as our basis for processing data.

    (See point 6  and Annex B)

    The only exception to this is the voluntary opt-in on our website which is explained in our Privacy Notice.  We would delete this data if required.

  8. Children
    Child patients are treated with the same care and respect as our adult patients.  We rely on parents or a person holding “parental responsibility “, to provide information such as name, address, DOB, GP and phone contact details.

    We do not engage in online services which target children.

    Verification of age, so far, does not seem to be a requirement by the NHS on their sight testing forms (information provided by parents or guardians is acceptable).

  9. Data Breaches
    We take the safe-keeping of our data very seriously.  We ensure software and ant-virus software is kept up-to-date and our computers are protected with strong passwords.  All staff understand the practice policy on data protection and are appropriately trained.  We are compliant with the GOS Contract Sections:

    • 1 Cover in cases of Clinical Negligence
    • 2 Employer’s Liability Cover
    • 3 Public Liability Cover
    • 4 MHRA registration  ( Medicines and Healthcare products Regulatory Agency)

    Our staff are skilled in the use of computers and in the event of a Data Breach would not hesitate in acting quickly.  If necessary we would employ experts to resolve such an issue.  We would report to, and seek advice from the ICO (within 72 hours) if such a breach resulted in a high risk to the rights and freedoms of an individual   (ie if a breach could lead to discrimination, damage to reputation, financial loss, loss of confidentiality or significant economic or social disadvantage).

    A breach can be reported to the ICO at:

    We would report the following:

    • Nature of the breach
    • Numbers of individuals affected
    • Actions being taken to rectify the breach
    • Data Controller’s or Reporter’s name and contact details
    • Affected individuals would be informed
  10. Data Protection by Design and Data Protection Impact Assessments (DPIA)
    We concur with good practice in adopting a Privacy by Design approach and have carried out a Privacy Impact Assessment (PIA) as part of this (see below).

    However we believe a full DPIA is unnecessary in our business because we believe that the risk is low:

    • We are not deploying a new technology
    • We do not undertake profiling
    • We do not process on a large scale any special categories of data

    Privacy Impact Assessment (PIA)

    • “Privacy by Design” applies to us as we hold paper records which are kept in areas away from the general public (in filing cabinets behind reception desk and in back office)
    • Our computers are also kept in staff only areas and are password protected
    • Overnight our premises are protected by shutters operated by key
    • We shred all sensitive paper forms/records no longer required and delete permanently computer records no longer required
    • All staff are trained and experienced in the handling of personal data as part of the NHS culture of confidentiality
    • Customer records are kept in a private cupboard
    • Staff records are kept in a private filing cabinet and information is only shared with our Accountants: JF Francis Ltd,  Francis House,  2 Park Road,  Barnet,  ,  EN5 5RN
    • We therefore believe we are a “low” risk Data Controller
  11. Data Protection Officer
    Data Controller—Lead Controller

    As our business, Alexander Opticians, has four partners it falls to them the collective responsibility for Data Protection compliance.  They take this role very seriously.  Overall Heather Marcou has undertaken the lead role but assisted by Alexander Marcou for his computer expertise and Chris Marcou and Helen Woods for their input.  We have appointed Mrs Ann Forbes to be our Data Protection Officer (DPO) as we are regarded as:

    • A public authority
    • An organisation that carries out regular monitoring of individuals on a large scale
    • An organisation that carries out large scale processing of special categories of data

    Therefore, Heather Marcou confirms that she has taken proper responsibility for our Data Protection compliance, supported by, and authorised by the other partners and our DPO. In good faith she has read, researched and gained knowledge in order to produce this document.

  12. International
    We are an independent practice.  We do not operate outside the UK so this does not apply to us.

Please view in conjunction with the above document:

  • Annex A—Record Keeping in our Practice
  • Annex B—Lawful Bases for Processing Personal Data
  • Annex C—Individual Rights


ICO “Preparing for the General Data Protection Regulation (GDPR) 12 Steps to take now”

ICO Privacy notices code of practice
ICO Guidance the ICO has produced on PIAs
ICO Health sector webinar on the GDPR
ICO Myth Busting Blog
ICO Helpline

Optical Confederation—“Preparing for changes to Data Protection Law” Initial Guidance—published 15 December 2017, also Final Guidance (the same, but includes Annex A and B and C)
Optical Confederation—LOC Support Unit—February 2018—2017-2019 Data Security and Protection Requirements
ABDO website:  business hub


This notice will be included on the back of reminder letters and a copy displayed at reception:-

Notice For Patients: Your Data Is Protected With Us

New legislation has come into effect as of May 25th 2018 regarding General Data Protection Regulations (GDPR). We promise to respect, and keep safe, all personal data you have shared with us. We are obliged by the NHS to store this information for 7 years, or in the case of children under 18, until their 25th birthday. College of Optometrist Guidance says that it is best practice for records to be kept for 10 years.

The legal basis for retaining your personal data is to fulfil our duty to care for your eyes, which falls under the category of “legitimate interest”. Our Privacy Notice expands on the above and is available at the Practice.

Occasionally we may include offers with our reminder letters. If you wish to opt out of being informed of these offers please let us know.

Alexander Opticians Privacy Notice

Alexander Opticians

97 London Road

East Grinstead

West Sussex

RH19 1EQ

Tel  01342 323115

Fax 01342 326797



Patient, Customer and Staff personal data is very important to us.  We aim to respect it and keep it safe.

This applies to adults and children.  This Privacy Notice aims to be concise and transparent, easy to understand and is provided free of charge.

Data Controller—Alexander Opticians is a Partnership of 4 people:  Christos Marcou, Heather Marcou, Alexander Marcou and Helen Woods.  Lead name on these issues would be Heather Marcou but the other partners would be happy to help.

We refer you to the accompanying annexes to accurately explain the situation.

Annex A –Record Keeping in Our Practice

Please see Notes.  This document covers Patient, Customer and Staff categories of personal data,  the Legal basis for processing their personal data,  Who these personal data are shared with,  Time limits of erasure and Technical/organisational security measures to ensure the level of security appropriate to risks.

Annex B—Lawful Bases for Processing Personal Data

This category outlines the 16 Legal Bases for processing personal data and relevant notes.

Annex C—Individual Rights

This category outlines the 8 rights individuals have under the new law (GDPR) and what this means in our practice.

We keep paper and computer Patient , Customer  and Staff records.  In addition, on our Website we receive enquiries.  We aim to be clear that that we retain personal data freely given which is only accessible by us, the Partners and staff of Alexander Opticians.  The system is password protected, kept up to date with ant-virus software in place.  We do not share this information with anyone else.

Complaints in the first instance should be directed to the Partners of Alexander Opticians at the above address in writing or by e-mail.

If the Complaint remains unresolved then it should be directed to the Information Commissioner’s Office at