Privacy Policy

This Privacy Notice will explain how Gower Opticians uses your personal data.

Gower Opticians is the data controller for personal information processed. We are committed to protecting your personal information and respecting your privacy. We have a legal duty to explain how we use personal information about you at our organisation.

What Information do we collect about you?

We will collect information about you to provide you with care and treatment as well as to enable effective management of the practice. We collect sensitive personal information about you (also known as special category data), which includes information relating to your health. This includes details of medications and appliances dispensed as well as significant advice given, referrals made to other health professionals and any other relevant information. We will also collect your personal information to fulfil services and provide goods which you commission from us.

Personal information we may collect includes:

  • Your name, address, date of birth, and gender
  • Contact details
  • NHS number
  • GP details
  • Ethnicity (for the identification of eye health risk factors)
  • Your relevant health details such as:
    • Current and past eye health conditions and other related health information;
    • The reason for any consultation and presenting condition;
    • Details and findings of any assessment or examination conducted;
    • Details of any treatment, referral or advice you provided, including any drugs or appliance prescribed;
    • Glasses, contact lens, appliance or medication prescriptions issued or provided to us;
    • Communications between your optometrist and your GP, ophthalmologist, or other relevant healthcare providers.
  • Information about your employment, lifestyle and whether you drive
  • Billing, payment and insurance/claim information
  • Your personal image on CCTV when you attend our premises
  • Any other information you have chosen to give us.

How is your personal data collected?

The information we hold is collected through various routes. These may include:

  • Direct interactions with you (or your representative) as our patient or service user, when you receive care and treatment from us, during consultations with optometry staff or on the telephone;
  • Indirectly from other healthcare providers, when you attend other organisations providing health services, for example your GP or another optometry practice may share information with us to refer you to our services;
  • When your image is captured on the optometry practice’s CCTV cameras.

How do we use your information?

The information we collect about you is primarily used for your direct care and treatment, and to fulfil services you commission. It may also be used for:

  • The management of healthcare services;
  • Legal requirements;
  • Security and safety of our staff and premises.

The Optometry practice must keep your personal information and records private. The use and sharing of your information will be in line with the following laws and guidelines:

  • UK General Data Protection Regulation (UK GDPR) 2016
  • Data Protection Act 2018
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • NHS (Wales) Act 2006
  • Health & Social Care (Wales) Act 2016
  • Public Health (Wales) 2017

We deploy appropriate organisational and technical measures to ensure the security of your personal information. Access is strictly controlled and every member of staff at the optometry practice must sign a confidentiality agreement and complete regular training.

Partners we may share your information with

We may share your information, subject to agreement on how it will be used, with the following organisations:

  • Local Health Board
  • Your GP
  • Other local healthcare contractors to whom we refer you to receive care
  • Local services for social prescribing
  • Digital Health and Care Wales (DHCW)
  • NHS Wales Shared Services Partnership (NWSSP)
  • Legal and Risk Services
  • The police and other statutory enforcement authorities such as HMRC
  • Public Health Wales (PHW)
  • Driver and Vehicle Licensing Agency (DVLA)
  • NHS Counter-Fraud Authority
  • The General Optical Council (GOC).

We may also use external third-party companies (data processors) to process your personal information. Any third-party company will be bound by contractual agreements to ensure information is kept confidential and secure.  This means that they cannot do anything with your personal information unless we have instructed them to do it.  They will not share your personal information with any organisation apart from us.  They will hold it securely and retain it for the period we instruct. 

We will not share your information with any third parties for the purposes of direct marketing.

The optometry practice will only use and share your information where there is a legal basis to do so.

A full list of how your data may be used and shared can be found in ANNEX 1.

Our legal basis for processing your personal data

The legal basis for most of our processing relates to your direct care and treatment:

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Where we are processing personal data to fulfil services or provide you with goods you commission from us, for example to process orders, transactions and payments, our legal basis is:

Article 6(1)(b) – processing is necessary for the performance of a contract.

Where the optometry practice relies on your consent for the processing (for example, if you have consented to receive marketing materials), you have the right to withdraw consent at any time.

Where we process special category data, for example data concerning health, racial or ethnic origin or sexual orientation, we need to meet an additional condition in the UK General Data Protection Regulation (UK GDPR). Where we are processing special category data for purposes related to the commissioning and provision of health services, the condition is:

Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and service; or

Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

The optometry practice may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights.  Where we process personal data for these purposes, the legal basis for doing so is:

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject

Where we process special category data for these purposes, the legal basis for doing so is:

Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or

Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

In rare circumstances, we may need to share information with law enforcement agencies or to protect the wellbeing of others, for example to safeguard children or vulnerable adults. In such circumstances our legal basis for sharing information is:

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or

Article 6(1)(d) – processing is necessary to protect the vital interest of the data subject or another natural person; or

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we share special category data for the purposes of safeguarding, the legal basis for doing so is:

Article 9(2)(g) – processing is necessary for reasons of substantial public interest; Data Protection Act 2018 S10 and Schedule 1, Paragraph 18 ‘Safeguarding of children and individuals at risk’

Retention of your Personal Information / Storing your Information

We are required by UK law to keep your information and data for a defined period, often referred to as a retention period. The optometry practice will keep your information in line with the organisation’s records management policy, which can be found here: www.goweropticians.uk. In line with The Terms of Service for the Wales General Ophthalmic Service, we retain patient records:

  • For adults, for 10 years after your last visit.
  • For children and young people, for 10 years after your last visit, or until you turn 25, whichever is later.

How to Contact us

Please contact the optometry practice if you have any questions about our privacy notice or the information we hold about you, via the methods below:

ORGANISATION NAME: Gower Opticians

TEL: 01792 930665

EMAIL: info@goweropticians.uk

Contact Details of our Data Protection Officer

The optometry practice is required to appoint a Data Protection Officer (DPO).  This is an essential role in facilitating our organisation’s accountability and compliance with UK Data Protection Law.

Our Data Protection Officer is:

Digital Health and Care Wales,
Information Governance, Data Protection Officer Support Service
6th Floor, Tŷ Glan-yr-Afon
21 Cowbridge Road East
Cardiff
CF11 9AD
Email: DPOService@wales.nhs.uk

Your Rights

The UK GDPR includes several rights.  We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this.

The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data; there are some circumstances in which we may not uphold a request to exercise a right.

Your rights and how they apply are described below:

Right to be Informed

Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

Right of Access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the UK GDPR, although there are exceptions to what we are obliged to disclose.

The optometry practice may not provide information where an appropriate health professional has determined that disclosure would be likely to cause serious harm to the physical or mental health of you or others.

Right to Rectification

You have the right to ask us to rectify any inaccurate data that we hold about you.

Right to Erasure (right to be forgotten)

You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.

Right to Restriction of Processing

You have the right to request that we restrict the processing of the personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data.

Right to Data Portability

This right is only available where the legal basis for processing under the UK GDPR is consent, or for the purposes of a contract between you and the organisation. For this to apply the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.

Right to Object

You have the right to object to processing of personal data about you at any time. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds, unless your objection relates to marketing.

Rights in relation to automated individual decision-making including profiling

You have the right to object to being subject to a decision based solely on automated processing, including profiling.  Should we perform any automated decision-making, we will record this in our privacy notice and ensure that you have an opportunity to request that the decision involves personal consideration.

Right to complain to the Information Commissioner

You have the right to complain to the Information Commissioner if you are not happy with any aspect of the organisation’s processing of personal data or believe that we are not meeting our responsibilities as a data controller. The contact details for the Information Commissioner are:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF

Website: www.ico.org.uk

Tel: 0303 123 1113

Email: wales@ico.org.uk

ANNEX 1

Invoice Validation – If you have received treatment funded by the NHS, your personal information may be shared within a secure environment, to ensure the correct Health Board covers the cost of your care and treatment.

  • Purpose of the Processing: To ensure the correct Health Board is charged for the cost of your care and treatment.
  • Recipients: Details of the services provided will be shared for charging purposes with Health Boards and NWSSP as part of payment and auditing requirements.
  • Legal Basis:
    • Article 6(1)(e) ‘… necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
    • Article 9(2)(h) ‘… necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.’

Registering for NHS Health Care – Everyone who receives NHS care will be registered on a national database, which holds your name, address, date of birth and NHS number. No medical information is held. This database is held within Digital Health and Care Wales (DHCW) who have the legal responsibilities to collect NHS Data.

  • Purpose of the Processing: Centralised national database of all patients who receive NHS care in Wales. This is held within DHCW who have a legal responsibility for collecting this data.
  • Recipients: NHS Wales – Information is shared with Welsh Government in an anonymised form for statistical analysis.
  • Legal Basis:
    • Article 6(1)(e) ‘… necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
    • Article 9(2)(h) ‘… necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.’

Direct Care – The Optometry practice will share your information with other services to provide you with direct care and treatment, for example referring you to receive specialist treatment or support, your GP, or secondary care.

  • Purpose of the Processing: To give direct health or social care to individual patients through working with other health and care professionals to plan and provide specialist services in a hospital setting.
  • Recipients: Local Health Boards, GP Practice, other local Optometry Practices who can provide specialist services, local services for social prescribing.
  • Legal Basis:
    • Article 6(1)(e) ‘… necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
    • Article 9(2)(h) ‘… necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.’

Safeguarding – There may be rare situations where we need to share information to protect people with safeguarding needs such as children, staff or even you from harm. No consent or permission is needed for the Optometry Practice to do this.

  • Purpose of the Processing: To protect children, staff or vulnerable adults from harm.
  • Recipients: Your information may be shared with Social Services, the Police or other law enforcement bodies where the law allows; or your information must be shared if a court orders us to do so.
  • Legal Basis:
    • Article 6(1)(c) ‘… necessary for the compliance with a legal obligation to which the controller is subject’; and/or
    • Article 6(1)(d) ‘… necessary to protect the vital interests of the data subject or another natural person’; and/or
    • Article 6(1)(e) ‘… necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
    • Article 9(2)(g) ‘… necessary for reasons of substantial public interest.’
    • Data Protection Act 2018, S10 and Schedule 1 Para 18 ‘Safeguarding of children and individuals at risk’

Driver and Vehicle Licensing Agency (DVLA) – There may be rare situations where we need to share information with the DVLA regarding your fitness to drive.

  • Purpose of the Processing: Where we have assessed that you may not be safe to drive; and we consider that you will not or cannot inform the DVLA yourself; and we have a concern for road safety in relation to yourself and/or the wider public.
  • Recipients: DVLA. If you are a train driver, pilot or seafarer and we have concerns that your vision means you may not be able to do your job safely, and we believe you will not or cannot inform your employer or the relevant body, we may share information with the Office of Rail and Road, the UK Civil Aviation Authority or the Maritime and Coastguard Agency.
  • Legal Basis:
    • Article 6(1)(c) ‘… necessary for the compliance with a legal obligation to which the controller is subject’; and/or
    • Article 6(1)(d) ‘… necessary to protect the vital interests of the data subject or another natural person’; and/or
    • Article 6(1)(e) ‘… necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
    • Article 9(2)(g) ‘… necessary for reasons of substantial public interest.’

Healthcare Inspectorate Wales (HIW) and General Optical Council (GOC) – Healthcare Inspectorate Wales and the General Optical Council are independent inspectorate and regulatory bodies of health and care in Wales. They may work independently or in conjunction to regulate and inspect NHS services and independent healthcare providers to ensure that safe care is provided and to identify areas for improvement. It is compulsory and a legal requirement for the Optometry Practice to inform HIW and GOC of any serious incidents that may occur, such as when a patient’s safety has been put at risk. Further information can be found at: http://hiw.org.uk/?lang=en

  • Purpose of the Processing: The law requires information to be shared with the Healthcare Inspectorate Wales and General Optical Council so they can perform their regulatory functions. This means you are unable to object.
  • Recipients: Healthcare Inspectorate Wales (HIW) and General Optical Council staff as directed.
  • Legal Basis:
    • Article 6(1)(c) ‘… necessary for compliance with a legal obligation to which the controller is subject’
    • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.’; and/or
    • Article 9(2)(j) ‘processing is necessary for…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’

General Optical Council (GOC) – The General Optical Council is the statutory regulator for the optical professions in England, Wales and Scotland. The GOC’s role is to maintain the professional register for optometrists, dispensing opticians, optical students and optical businesses. They ensure public protection by investigating complaints and acting on fitness-to-practice issues as well as enforcing compliance with the Opticians Act 1989 and related regulations. Further information can be found at: https://optical.org/

  • Purpose of the Processing: The law requires information to be shared with the General Optical Council so they can perform their regulatory functions. This means you are unable to object.
  • Recipients: General Optical Council (GOC) staff as directed.
  • Legal Basis:
    • Article 6(1)(c) ‘… necessary for compliance with a legal obligation to which the controller is subject’
    • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.’; and/or
    • Article 9(2)(j) ‘processing is necessary for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’

Legal Advice / Claims – There may be rare situations where individuals make claims against the optometry practice. When this occurs, we may share all relevant claim and relative medical records / information to enable the organisation to obtain legal advice, establish the facts of the case and defend such instances.

  • Purpose of the Processing: To obtain legal advice, or for the purpose of establishing, exercising or defending legal rights (including prospective legal proceedings).
  • Recipients: Your information may be shared with solicitors or legal representatives.
  • Legal Basis:
    • Article 6(1)(c) ‘… necessary for compliance with a legal obligation to which the controller is subject’; and/or
    • Article 6(1)(e) ‘… necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
    • Article 9(2)(f) ‘… necessary for the establishment, exercise or defence of legal claims…’; and/or
    • Article 9(2)(g) ‘… is necessary for reasons of substantial public interest’

Disclosure of Video Surveillance to the police – The Optometry Practice may make voluntary disclosures of any form of video surveillance for incidents that require police intervention to support ongoing investigations.

  • Purpose of the Processing: Where the purpose of the surveillance system is for the prevention and detection of crime, voluntary disclosure(s) of footage/images may be provided to the police, where there is a reporting of an incident to the police for investigation.
  • Recipients: Relevant images may be shared with the police.
  • Legal Basis:
    • Article 6(1)(e) ‘… necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
    • Article 9(2)(g) ‘… necessary for reasons of substantial public interest.’
    • Data Protection Act 2018, Schedule 2 (1)(a) the prevention or detection of crime and Data Protection Act 2018 – Schedule 2 (1)(b) the apprehension or prosecution of offenders

FOI Publication Scheme

Introduction

Your Rights to Information

The Freedom of Information Act (FOI) 2000 provides members of the public with the right to access information held by public authorities.

Public authorities are required to routinely publish certain information to the public as part of their normal business activities. This is known as a publication scheme.

The Gower Opticians Publication Scheme is designed to signpost individuals to information we proactively release as and when it becomes available. The aim of this is to explain what information the organisation makes available to the public and where possible to provide an easy method of accessing it.

The Publication Scheme contains seven classes of information, as follows, and information falling into each of these classes is published on our website:

All the information we proactively release is available free of charge on our website. Our publication scheme is a useful place to start if you’re looking for information about Gower Opticians before making a Freedom of Information request.

Information that is not published under the FOI Publication Scheme can be requested in writing and the release of such information will be considered in accordance with the provisions of the Freedom of Information Act 2000.

To make a Freedom of Information request, please contact info@goweropticians.uk or write to:

Gower Opticians
Unit 3 Cks supermarket
Penclawdd
Swansea
SA4 3XT

Who we are and what we do

  1. Gower Opticians was formed in 2017. We are commissioned by Swansea Bay Health Board for the provision of NHS Services.
  2. Our opening times, contact details and details of locations are published on our website; this information can be accessed via www.goweropticians.uk.
  3. Visit our website at www.goweropticians.uk for roles of responsibility within the organisation.

What we spend and how we spend it

  1. Gower Opticians receives money from NHS Wales according to the Wales General Ophthalmic Services (WGOS).
  2. For every sight test performed on behalf of the NHS, we receive a set fee, which is fixed nationally.
  3. The current fees paid by the NHS for each service are available online. The most recent publication can be found at: Statement of general ophthalmic services remuneration and fee directions

What our priorities are and how we are doing

  1. We were last inspected by Healthcare Inspectorate Wales in 2017.
  2. Our priorities for the development and provision of our NHS Services include: WGOS 1, 2, 3, 4 and 5.

Our policies and procedures

1) Our Policies and Procedures

General policies and procedures in use within the Gower Opticians include, but are not limited to:

  • Information Governance
  • Records Management
  • Safeguarding
  • Equality and Diversity
  • Health and Safety

2) All policies and procedures are available for viewing upon request in writing; please contact the Optometry Practice Manager at info@goweropticians.uk.

3) If you have a complaint or concerns about the service you have received from Gower Opticians or any of the staff working in the organisation, please let us know. We operate a complaints procedure as part of the NHS system. Our complaints system meets national criteria.

4) A copy of our complaints procedure is available here: www.goweropticians.uk. This will give you all the information and contact details needed to lodge a complaint.

Lists and registers

  1. Gower Opticians operates two CCTV cameras covering the waiting area of the optometry practice.

The services we offer

  1. We provide the following NHS-funded services: please visit our website.

Records Retention Policy

1     Introduction

This policy has been developed for use by Gower Opticians in line with the Welsh Records Management Code of Practice for Health and Social Care 2022 and the current regulatory and legal framework. Compliance with this policy will help to ensure the organisation is compliant with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 and the Code of Practice on the management of records issued under S46 of the Freedom of Information Act 2000.

Records management is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources of the organisation. It is of paramount importance to ensure that records are efficiently managed; this policy sets out the way that the organisation will retain, process, and dispose of records.

The organisation recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The organisation is committed to ensuring accurate, timely and relevant records management, as is essential to deliver the highest quality healthcare. As such, it is the responsibility of all organisation staff to ensure that the record keeping standards outlined in this policy, and the subsequent retention periods of records are adhered to.

2     Scope

This policy applies to all staff of Gower Opticians.

The term ‘staff’ includes all health professionals, partners, staff members, locums, students, trainees, secondees, volunteers, contracted third parties and any persons undertaking duties on behalf of Gower Opticians.

This policy applies to all records created, received, maintained, and held, in all formats, by staff of the organisation in the course of carrying out their functions. Records are defined as documents, regardless of format, which facilitate the operations and business of the organisation, and which are thereafter retained for a set period to provide evidence of its activities and transactions, as detailed within the Retention Schedule.

This policy applies to all employees of the organisation, including associates, contractors, temporary staff and any students who are carrying out work on behalf of the organisation.

This policy should be read in conjunction and reviewed in-line with the following: all policies and procedures.

Breaches of this policy will be reported via the organisation’s incident reporting processes and dealt with in line with the organisation’s Disciplinary Policy where appropriate.

3     Policy Objectives

This policy:

• Sets the standard for the management of records to meet the business needs at Gower Opticians.

• Ensures compliance with legislation, regulations, and standards.

• Outlines accountability and responsibilities.

3.1 Legislative Compliance

The management of records held by the organisation is regulated by the following regulatory frameworks:

4     Roles and Responsibilities

4.1         Senior Responsible Person

The Senior Responsible Person within the organisation is responsible for ensuring the highest level of organisational commitment to this policy and the availability of resources to support its implementation. Where appropriate, the Senior Responsible Person may delegate specific responsibilities to other individuals who have responsibility for information governance within the organisation.

The Senior Responsible Person will ensure that all staff are aware of this policy, understand their responsibilities in complying with the requirements of this policy and are up to date with mandatory information governance training.

Additionally, the Senior Responsible Person will ensure the key roles outlined below are established within the organisation’s management structure.

The Senior Responsible Person within Gower Opticians is Luke Davies.

4.2         Information Governance Lead

The Information Governance (IG) Lead is responsible for liaising with and supporting the Data Protection Officer and Caldicott Guardian in coordinating and implementing the confidentiality and data protection work programme within the organisation.

Where necessary, the IG Lead will supervise and direct the work of others to aid the organisation in meeting its information governance responsibilities.

The IG Lead will act as the first point of contact for information governance queries within the organisation.

The Information Governance Lead within Gower Opticians is Luke Davies.

4.3 Data Protection Officer

The Data Protection Officer (DPO) provides independent risk-based advice to support the organisation in its decision making in the appropriateness of processing personal and special categories of data within the Principles and Data Subject Rights laid down in the UK General Data Protection Regulation (UK GDPR).

The DPO’s role is to ‘inform and advise’ and not ‘to do’; the DPO is a trusted advisor from whom the organisation should actively seek advice.

The Data Protection Officer for Gower Opticians is the Digital Health and Care Wales (DHCW) Data Protection Officer Support Service.

The DPO can be contacted by emailing DPOService@wales.nhs.uk.

4.4 Caldicott Guardian

The Caldicott Guardian has responsibility for ensuring that patient information is used legally, ethically, and appropriately, and that confidentiality is always maintained. Caldicott Guardians should be able to provide leadership and informed guidance on complex matters involving confidentiality and information sharing.

The Caldicott Guardian will apply the eight principles and act as “the conscience of the organisation” regarding information sharing. 

The Caldicott Guardian within Gower Opticians is Luke Davies.

4.5 All Staff

All staff have a responsibility for information governance and maintaining appropriate security for their own work area.

All staff must familiarise themselves with the policy content and ensure the policy requirements are implemented and followed within their own work area. Mandatory information governance training must be undertaken at least every two years.

5 Policy Framework

6.1 What is a record?

The ISO standard ISO 15489-1:2016, Information and documentation – Records management, defines a record as ‘information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business.’

Examples of records that should be managed using the guidelines in this policy are listed below. This list gives examples of functional areas as well as the format of the records:

Function:

  • Patient health records (electronic or paper based, including those concerning all specialties and GP records)
  • Pharmacy prescription records
  • Records of private patients seen on NHS premises
  • Accident & emergency, birth, controlled drugs and all other registers
  • Theatre registers and minor operations (and other related) registers
  • Administrative records (including, for example, personnel, estates, financial and accounting records, notes associated with complaint-handling)
  • X-ray and imaging reports, output and images
  • Integrated health and social care records
  • Data processed for secondary use purposes. Secondary use is any use of person level or aggregate level data that is not for direct care purposes. This can include data for service management, research or for supporting commissioning decisions.

Format:

  • Photographs, slides, and other images
  • Microform (i.e. microfiche/microfilm)
  • Audio and video tapes, cassettes, CD-ROM etc
  • E-mails
  • Digital records
  • Scanned records
  • Text messages (SMS) and social media (both outgoing from the NHS and incoming responses from the patient)
  • Websites and intranet sites that provide key information to patients and staff.

6.2 Standards

The following standards need to be maintained at all times:

  • Records must be managed in a manner complying fully with legislative and regulatory requirements affecting their use and retention.
  • Records must have relevant content, context and format, and must be accurate, authentic, useable, reliable, timely and well managed.
  • Records must directly relate to and support a service, function or activity delivered by the organisation and be able to support decision making.
  • Records must serve the interests of the organisation, its staff, patients and other stakeholders by maintaining high quality documentation for appropriate lengths of time.
  • Records must be managed via systems and processes ensuring efficiency and consistency throughout their lifecycle of creation, distribution, use, maintenance and disposal.
  • Records must be managed and stored in a suitable format to retain quality, relevance, accessibility, durability and reliability. Any transfer to another format must have due regard to retaining these qualities.
  • Records must be kept securely to ensure the confidentiality and importance of the content, being protected from unauthorised or unlawful disclosure.
  • Records must be accessible and retrievable to support the continuity of organisation business and the efficiency of the provided services.
  • Records must be retained and disposed of in compliance with the organisation’s retention schedule.
  • Records must undergo a review at the end of their retention period and, if no longer required, be securely destroyed in an efficient, timely and confidential manner.

6.3 Creating Records

All records must be accurate and complete, so that it is possible to establish what has been done and why. The quality of all records must be sufficient to allow staff to carry out their work efficiently, demonstrate compliance with statutory and regulatory requirements, and ensure accountability and transparency expectations are met.

Where appropriate, templates should be used so that documents are produced consistently and can be stored in a cohesive manner. In addition to this, version control procedures should be used for drafting and revising documents, so that staff can easily differentiate between versions and readily identify the latest copy.

Both paper and electronic record systems should contain metadata to enable the records to be understood, stored and accessed more easily.

6.4 Organising Records

Records should be organised and described in a uniform, logical manner that facilitates fast, accurate and comprehensive retrieval so that they are easily accessible when they are required.

Classifying records and holding them in an appropriate filing structure will enable suitable retention periods to be assigned. Keeping diverse records together in a less structured format will make it difficult to identify and retrieve records when they are needed and make it difficult to assign retention periods.

Digital storage of records enables records to be tagged and introduces a searching functionality which can be used to locate records quickly.

Any duplicate records that are retained increase the risk regarding the management, use and alteration of the record. There may be a need to keep a local version of a record centrally; however, it should be avoided where possible and a system enabling the use of a single central version implemented.

Where possible, to reduce the need for duplication of documents, records should be stored in central folders that are accessible to relevant staff. Digital records should be stored in a shared workspace whenever possible. Titles of these digital records should be easily identifiable and agreed naming conventions used.

6.5 Information Asset Register (IAR)

The organisation must identify and appoint an individual to fulfil the role of an Information Asset Owner (IAO) to take responsibility for individual records or record sets.

The organisation will maintain an up to date Information Asset Register (IAR) that records assets, systems and applications used for processing or storing personal data across the organisation.

The IAR will support information access, ensuring that the organisation can locate information about past activities in a timely manner and enabling the more effective use of resources.

The IAR holds information such as asset location and retention periods relating to personal information and corporate information, which is reviewed periodically to ensure it remains up to date and accurate.

6.6 Security and Access

Appropriate levels of security must be in place to prevent the unauthorised or unlawful use and disclosure of information. All records in any format must be held in accordance with the organisation’s Information Governance policy. Records must be stored in safe and secure physical and digital environments, taking account of the need to preserve important information in a useable format enabling ease of access in correlation to the frequency of use.

Records should be stored in a centralised storage or filing system or on a shared drive, so that departments can operate efficiently when individual members of staff are absent. Where appropriate, access to central records should be appropriately available across the organisation in order to avoid recreating information that already exists and storing duplicate data unnecessarily.

Records that would be vital to the continued functioning of the organisation in the event of a disaster must be identified and protected. These include records that would recreate the organisation’s legal and financial status, preserve its rights, and ensure that it continues to fulfil its obligations to its stakeholders. All critical business data must be protected by appropriate preservation, backup and disaster recovery policies. Where vital records are only available in paper format it is best practice that they are duplicated, and the originals and copies stored in separate locations. If duplication is either impracticable or legally unacceptable, fireproof safes should be used to protect vital documents.

6.8 Retention

Records must only be kept for as long as is required to meet operational, business and legal needs. It is a legal requirement established by the DPA to only retain records containing personal data for as long as strictly necessary, and organisations can be subject to enforcement action by regulatory bodies, such as the ICO, for failing to comply.

The organisation has adopted the retention schedule set out in Appendix II of the Records Management Code of Practice for Health and Social Care 2022.

The retention schedule is intended to provide guidance to all areas of the organisation regarding appropriate retention periods for the different categories of records held by the organisation. It applies to all formats of records and is intended to promote consistency and the retention of the minimum volume of records while accounting for requirements imposed by legislation and regulation.

Retention can be complicated if records of a dissimilar nature, with different retention requirements, are filed together. The organisation should consider retention periods when designing their records storage systems and practices to avoid this issue. Files should be reviewed regularly to ensure records are not kept for too long. If there is no alternative, the entire file should be retained for the longest relevant retention period.

The retention schedule includes the following information:

  • Record type – The type of record or information asset, applying to all formats of record
  • Retention period – The recommended length of time for which the records should be kept by the organisation
  • Disposal action – This is the action that should be taken once the retention period has reached its end
  • Notes – Any additional information unrelated to the three prior fields

6.9 Disposal

When a record reaches the end of its retention period, a review must be undertaken of the document’s future. The outcomes of this review can be any of the following:

  • Reappraisal
  • Permanent preservation
  • Destruction

6.10 Reappraisal

Before action is taken to permanently preserve or destroy a record at the end of its retention period, a reappraisal of any need to retain it for present functions should be undertaken. It should only be necessary to revise the retention period on rare occasions.

In some circumstances it may be necessary to retain a record for longer than its defined retention period. A new operational function requiring its retention may have arisen, or it may be required for investigation or litigation purposes, or because it is needed in order to respond to an access request received under data protection or freedom of information legislation. If a record needs to be retained for longer, then a new retention timescale should be assigned to it. It is recommended that this date should not be too far in the future, enabling regular review of the decision while taking circumstances into account. A period of one year is recommended.

The DPA and FOI Act contain provisions relating to the destruction or alteration of information or records after a legal access request has been received. Such destruction or alteration will be considered a disciplinary offence. The FOI Act also creates a criminal offence in relation to these actions.

Examples of when information may be required to be held for longer periods are where:

  • The information is subject to a request for information under access to information legislation such as a Subject Access Request under the Data Protection Act or a request under the Freedom of Information Act
  • The organisation is subject to ongoing legal action to which the information relates
  • The information is subject to an investigation, for example the Infected Blood Inquiry
  • There is a greater public interest in an issue requiring long term preservation of the information.

6.11 Permanent Preservation

Some of the organisation’s records may be retained permanently as they have long term evidential or historical value. The organisation’s retention schedule should help to identify records that have archival value. The following records are examples of items that may be worthy of permanent preservation:

  • Records that document policy formation
  • Records that show the development of the organisation and its infrastructure
  • Records that show evidence of important decisions or precedent
  • Records showing the development of the relationship between the organisation’s staff and the organisation’s corporate functions
  • Records documenting the organisation’s relationship with external parties and stakeholders, and the organisation’s place in the local, national and international community.

Where records are considered to be of historical value the organisation should contact a local place of deposit who will assess and transfer the appropriate records for preservation.

6.12 Destruction

The destruction of records is an irreversible act which must be clearly documented and carefully considered. All records identified for disposal will be destroyed under confidential conditions in accordance with the organisation’s retention schedule.

A decision for destruction must be made by Luke Davies. Measures such as certificates of destruction are to be requested by the organisation to ensure personal data is destroyed confidentially and a trusted supplier is used with appropriate agreements in place outlining their responsibilities. A destruction log should be maintained.

When disposing of digital records, the organisation will ensure that all traces of the record are deleted securely, and are not duplicated on other systems, hard drives, servers or removable storage devices.

6.13 Information not listed on the Records Retention Schedule

Occasionally, documents and information held by the organisation may not be specifically listed on the retention schedule. In such cases, information should be held for the retention period of the appropriate equivalent records; for example, petty cash records should be retained in line with financial transaction records.

6 Review

This policy will be reviewed every 12 months or more frequently where the contents are affected by major internal or external changes such as:

  • Changes in legislation;
  • Organisation change or change in system/technology; or
  • Changing methodology.