Our Data Protection Policy
Oxford Hearing Centre Ltd controls and processes personal information about its patients, customers and staff. The UK's data protection regime changes when the General Data Protection Regulation (GDPR) applies from 25 May 2018. The principles of the GDPR build on those of the existing Data Protection Act 1998 (DPA), but the obligations it places on organisations are more extensive.
The Data Protection Act 1998 (the ‘Act’) covers all personal information that relates to living individuals. These individuals are given rights by the Act. We will not share this information with other organisations without the consent of the individual concerned unless we are required by law to do so.
This Policy will set out what Oxford Hearing Centre will do to comply with the GDPR and the existing eight principles in the DPA.
- Personal data shall be processed fairly and lawfully.
- Personal data shall only be obtained and further processed for specified and lawful purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose for which they are processed.
- Personal data shall be accurate and kept up to date.
- Personal data shall not be kept longer than necessary.
- Personal data shall be processed in line with the rights of the data subject.
- Personal data must be kept secure.
- Personal data must not be transferred to a country without adequate protection.
Being fair and understanding our contacts' needs
We recognise that communities are made up of people with different needs and values and that those differences are important. We will promote equality of access for everyone and value their diversity. We will work to eliminate discrimination and, in line with the law, we will treat everyone fairly, regardless of age, disability, gender reassignment, marital status (including civil partnership), pregnancy and maternity, race, religion or belief, sex, or sexual orientation. We will ensure that members of all these groups are treated in ways that meet their needs, and that they have equal access to services and/or activities wherever possible. We will promote their inclusion and challenge discrimination against them.
This policy applies to all employees, board members and others who may be involved in the collection of and processing of personal information on behalf of Oxford Hearing Centre and extends to data whether it is held on paper or by electronic means.
Statement of commitment
Oxford Hearing Centre Ltd is committed to maintaining high standards of security and confidentiality for information in our custody and control. Safeguarding this information is critical to the successful operation of Oxford Hearing Centre. We will treat all information in our care and control with the same degree of security and confidentiality.
The objectives of this Data Protection Policy are:
- To comply with the Data Protection Act 1998.
- To comply with the General Data Protection Regulation (GDPR), which applies from May 2018.
- To outline, guide and monitor the coordination of the information security and data handling procedures in force within Oxford Hearing Centre.
- To promote confidence in the company's information security and data handling procedures.
- To provide assurances for third parties dealing with Oxford Hearing Centre.
- To provide a benchmark for employees on information security, confidentiality and data protection issues.
The GDPR provides the following rights for individuals (Chapter III, Articles 12 to 22):
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
In order to support these objectives, Oxford Hearing Centre will:
- Assign responsibility for gathering and disseminating guidance on, and dealing with issues relating to, information security, the DPA, the GDPR and other relevant legislation.
- Ensure that all activities that involve the processing of personal data have appropriate safeguards and controls in place to maintain information security and compliance with the GDPR and the DPA.
- Ensure that all contracts with external third parties (including contract staff), where personal data is processed, make reference to the Act where appropriate.
- Ensure that third parties acting on behalf of Oxford Hearing Centre are given access to personal information that is appropriate to the duties they are undertaking and no more.
- Ensure that all staff (including contract staff) understand their responsibilities regarding data protection and information security under the Act.
3. What personal information is collected?
We may collect and process information about you including:
- your name
- your date of birth
- your contact telephone numbers (including mobile)
- your email and postal address
- your relevant health details, including:
  - current and past hearing health conditions, and general health conditions
  - current medication details
  - your hearing assessment results
- your employment and lifestyle details
- any other information voluntarily provided to us by you from time to time
This information will primarily be collected from you as voluntarily provided to us, but we may also collect it from other sources where it is lawful to do so, including but not limited to your GP or other healthcare providers.
4. How is that information used?
Oxford Hearing Centre may use your personal information for the purposes of:
- healthcare treatment
- providing our services to you
- letting you know when your next appointment is due and reminding you to book an appointment
- marketing services to you
- notifying you about changes to our services
- responding to queries from you
- using cookies and traffic data as set out below
If you do not register as a customer by phone but contact us through the website (and/or by email at [email protected]) you will be providing us with personal information about yourself, including your email address, name and contact details. This may also include medical information, where volunteered by you.
If you are simply browsing our website we will not collect any information that identifies you by name. However, we will collect information using cookies and/or traffic data, which use IP addresses or other numeric identifiers to analyse navigation and use of the website.
5. Data Sharing
There are a few occasions where it will be necessary for Oxford Hearing Centre to share personal data it has collected. All contacts are told the nature of the data sharing, including what will be shared and the reason for sharing it.
This policy sets out how our sharing processes are kept lawful, how the accuracy of the data is maintained and what security measures are in place before any information is shared. It also sets the parameters for when it is appropriate to share and/or disclose data. Oxford Hearing Centre has appropriate data sharing agreements (DSAs) or similar with all parties; these are reviewed on a regular basis and recorded on a central DSA log. All decisions to share data are well founded, reflect the current needs of the company and comply with the requirements of the GDPR. Each contract confirms that the third-party organisation acts as a data processor of personal data in order to perform the service or any other obligation. Oxford Hearing Centre Ltd remains the data controller throughout the contract, retains overall control over the purposes for which, and the manner in which, personal data is processed, and carries the data protection responsibility for it.
In some circumstances, it may be appropriate to disclose information held by Oxford Hearing Centre to specific third parties for example to prevent a criminal offence from being committed, or to prevent the continuation of a criminal offence.
6. Data Retention
Personal data will only be kept for the length of time necessary to perform the process for which it was collected (or as defined under applicable healthcare laws and regulations) i.e. to provide products and services, including aftercare services.
The GDPR introduces the right to erasure (also known as the "right to be forgotten"). Individuals can request the deletion of personal data about them where one of the following circumstances applies:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
Where personal and confidential information is no longer required, it will be destroyed.
A privacy notice is published on the Oxford Hearing Centre website outlining how we use the information we collect and a contact's right to request access to their personal information.
7. Individuals’ rights of access to data (Subject Access Requests (SARs))
Individuals have a right of access to personal information held by Oxford Hearing Centre if they are the "data subject" of that information. Requests must be made in writing, signed by the data subject and addressed to Mr Johnson. The person requesting the data must complete the Access Request Form, providing details of the information required, their current address and some form of identification. There is no charge for responding to a request (other than a reasonable administrative fee for providing additional copies of information), unless the request is "manifestly unfounded or excessive", for example where repetitive requests are made. In those rare cases a data controller may choose to refuse the request entirely, or comply subject to a reasonable administrative fee being paid. A SAR must be answered without undue delay and in any event within one month of receipt; under the GDPR this period may be extended by up to two further months where requests are complex or numerous, provided the individual is told of the extension, and the reasons for it, within the first month.
Where a SAR is made electronically, the information should also be provided electronically unless the individual requests otherwise. As well as providing copies of the relevant data, the company will provide further explanatory information about the way in which the information is used, who it will be shared with, how long it will be kept, and information on the rights to rectification, erasure, and to complain to the ICO.
Whether a SAR is received directly or indirectly, responsibility for responding will be assigned to Mr Johnson, who will ensure that SARs are processed efficiently and in accordance with the GDPR, and that the documented process has been approved by senior management and made readily available to personnel.
8. Personal data breaches and sanctions
Oxford Hearing Centre Ltd has appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively. The company has mechanisms in place to assess breaches and to report them to the ICO, without undue delay and where feasible within 72 hours of becoming aware of them, where the breach is likely to result in a risk to individuals' rights and freedoms, for example through identity theft or a loss of confidentiality. There are also appropriate mechanisms in place to notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Any wilful disregard or intentional breach of the Data Protection Policy by employees shall be regarded as a disciplinary offence and handled under the company's Disciplinary Procedures. Any wilful disregard or intentional breach of the Data Protection Policy by data processors (and by identified data controllers in their own right) acting on the company's behalf under contract shall be regarded as a breach of contract and treated as such.
9. Policy promotion and training
The Policy will be made available within the company as part of the induction process to all new and contract employees.
The Policy will be promoted to current employees by requiring acknowledgement and acceptance of its aims and objectives. There will be a continuing series of awareness raising initiatives relating to security and privacy issues in order to ensure that all staff understand their responsibilities under GDPR.
All employees will be provided with education and training where appropriate and will be expected to comply with data protection legislation and adhere to the policies and procedures used to meet the objectives of the Oxford Hearing Centre Data Protection Policy.
10. Monitoring and feedback
This policy will be monitored by Mr Johnson. It will be reviewed periodically, capturing best practice, customer feedback and any legislative changes.
Mr Johnson is responsible for all data compliance and monitors the company’s approach to Data Protection.
11. Internal Personal Data
Oxford Hearing Centre maintains appropriate technical and organisational processes and procedures to safeguard against any unauthorised or unlawful processing of personal data. Data audits are carried out annually to monitor the information we hold on employees, including former employees. For the purposes of HMRC compliance, financial information is held for 6 years and then destroyed. All HR files relating to former employees are kept for a period of 3 years after leaving the employment of the company.
Glossary of terms
Personal Information – any information that relates to a living individual who can be identified by this data.
Data subject – the living individual that the personal data is about.
Data Controller – the company that decides the purpose for and the way in which any personal data is processed. Oxford Hearing Centre Ltd is a data controller.
Data Processor – any company that carries out activities with personal data on behalf of the data controller.
Sensitive Personal Data – personal data consisting of:
- The racial or ethnic origin of the data subject
- Their political opinions
- Their religious or other beliefs
- Whether they are a trade union member
- Their health including physical or mental condition
- Their sexual life
- Criminal proceedings or convictions
Confidential information includes but is not limited to:
- Financial information
- Pricing information
- Administration and information systems