Privacy Policy
Who are we?
We at Optix Software Ltd are registered with the Information Commissioners Office as a Data Controller registration number ZB028970. We are specialist in optical business management software and operate from Poppleton House, Rose Avenue, York, YO26 6RU.
Your Privacy
Your privacy matters to us and we are committed to the highest data privacy standards, confidentiality and compliance with UK data protection laws. To disclose this to you, our Privacy Notice includes the following:
• What data we collect from you.
• How and why we process it.
• Who we share it with and why.
We adopt the six core principles of data protection, as required by UK GDPR and Data Protection Act 2018:
1. Lawfulness, fairness and transparency – we process personal data lawfully, fairly and in a transparent manner in relation to you, the data subject.
2. Purpose limitation – we only collect personal data for a specific, explicit and legitimate purpose. We clearly state what this purpose is in this Privacy Notice, and we only collect data for as long as necessary to complete that purpose.
3. Data minimisation – we ensure that personal data we process is adequate, relevant and limited to what is necessary in relation to the processing purpose.
4. Accuracy – we take every reasonable step to update or remove data that is inaccurate or incomplete. You have the right to request that we erase or rectify erroneous data that relates to you, and we will complete this task as soon as possible but guarantee to do so within a month.
5. Storage limitation – we delete personal data when we no longer need it. Whilst the timescales in most cases aren’t set, we outline our retention strategy within this Privacy Notice.
6. Integrity and confidentiality – we keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Collection of Personal Data for which we are responsible as a Data Controller
We collect the personal information of our business clients, prospective clients, suppliers or contractors and other interested parties via disclosure directly from them. This might be via our website, E mail, telephone, face to face engagement or through contractual agreements.
Categories and Type of Personal Data collected and processed as Data Controller
We collect contact details from you including:
• Name
• Telephone number(s)
• Work email addresses
• Work addresses
• CV’s from job applicants with relevant personal data
Collection of Personal Data for which we are a Data Processor
We provide business management software solutions to our clients in the Optical and Audiology sectors, who will use our systems to store and manage their client (Patient) personal data. We are responsible for this information as a Data Processor for our clients; who have responsibility as the Data Controller for this information. In providing our services as a Data Processor, we work under the instruction of our clients and have Data Processing Agreements in place with them. We are able to access the personal data which our clients store in our solutions but will do so purely for the purposes of maintaining those solutions and supporting our clients use of them.
Categories and Type of Personal Data collected and processed as Data Processor
Our clients store the following types of data within our solutions:
• Name
• Telephone number(s)
• E mail addresses
• Home addresses
• Date of Birth
In addition to this contact information clinical data including:
• Current and past relevant health and medication information.
• Examination results including images.
• Relevant lifestyle information such as pastimes or work impacting on health care.
Also, financial information where appropriate including:
• Payment card details
• Banking details for direct debit mandates.
We treat all personal data as sensitive but recognise that special category data.
Data processed by our clients will also include that of Children and processed by them in accordance with the requirements of UK GDPR and Data Protection Act 2018.
Reason for Data collection and processing activities
Contact information is captured to enable us to contact you through various communication channels on matters directly related to the services we are providing or those provided to us by you. Contact information is also used in the administration of our business operations.
All other information stored within the optical and audiology management systems we provide, has been collected by our clients and is only processed by us under their instruction.
Sharing of Personal Data
During the delivery of our services, we will share your data with other companies who are critical for the provision of our service and will be viewed as our Data Processors. They are under contract with us and have provided sufficient guarantees that they will process your data only as per the terms of that contract and throughout processing activities will ensure that data is protected using appropriate technical and organisation measures.
A full list of processors is available from our Data Protection Officer.
We will not share data for which we are responsible as a Data Processor, without the prior approval and agreement of the relevant data controller (Our clients). We are not responsible for data held within our solutions, which our clients share with other parties.
Securing and Processing of your Personal Data
The personal data that we process is stored within our own internal severs and back up servers, for which we have put in place appropriate security measures. We have in place a formal Information Security Management System which has been independently certified against the requirements of the internationally recognised ISO27001 standard and employ the organisational and technical measures that this standard advocates.
In the unlikely event that we lose personal data, or a device on which personal data resides, or it is accessed by someone unauthorised, we have a duty to inform those individuals affected immediately. If the loss or unauthorised access of personal data has potential to cause harm or impact the data rights of individuals, we will also report this to the Information Commissioners Office, who are responsible for regulating data protection legislation in the UK.
Our legal basis for processing your personal data?
We are required to identify one of six possible legal grounds for processing. These are:
• consent
• contract
• legitimate interests
• vital interests
• public task
• legal obligation
As all of our processing activities are crucial to the provision of the services we provide, we enter into a contract and therefore process personal data based on that contractual relationship.
We could also process this data under our legitimate interests, as all processing activities are essential for the provision of our service to you or in support of requests made by individuals.
How long do we keep personal data for?
We process personal data for the duration needed to provide our services as contracted or in support of requests by individuals.
We will retain some personal data following expiry of any contractual agreement, in order to meet legal requirements, such as Financial accounting.
Personal data which we process for our clients will be transferred back to the client (securely) on expiry of contract and erased from our systems.
Your rights in relation to personal data
Under the GDPR, you have rights to access and control your personal data. These rights include:
• access to personal information
• correction and deletion
• withdrawal of consent (if processing data on condition of consent)
• data portability
• restriction of processing and objection
• lodging a complaint with the Information Commissioner’s Office
You can exercise your rights by emailing our Data Protection Officer on: optixdpo@clinicaldpo.com
If you are unhappy with anything we have done with your data, you have the right to complain to the Information Commissioners Office.
To make a complaint to the Information Commissioners Office use the link below or call their hotline on Tel No.: 0303 123 1113.
How to contact us?
For all data protection matters or questions relating to how we manage your data, you can contact our Data Protection Officer via these means:
Data Protection Officer: Clinical DPO.
Phone Number: 0203 411 2848
Email: optixdpo@clinicaldpo.com
Privacy Notice v1.2 – January 2024.