Data Security and Protection Policy

How Eyeland Visioncare protects, processes and safeguards the personal and confidential patient information we hold, in full accordance with the Data Protection Act 2018 (UK GDPR) and the national Data Security Standards for optical practices.

Review cycle: Annually (or as required)
Owner: Senior Information Risk Officer (SIRO)
Standard: Data Security & Protection Toolkit

1. Introduction

We recognise that data security and protection is essential for modern optical practices delivering private and NHS services. We take the security and protection of our patients’ data extremely seriously. All data is processed in full accordance with the Data Protection Act 2018 incorporating GDPR. This policy includes the requirements of the national Data Security Standards applicable to an optical practice.

The Practice’s Senior Information Risk Officer (SIRO) is responsible for implementing this policy in conjunction with Practice management. The SIRO works alongside the Practice’s Data Protection Officer (DPO) and the Practice’s Caldicott Guardian.

  • SIRO: Anthony Okenabirhie
  • DPO: Anthony Okenabirhie
  • Caldicott Guardian: Anthony Okenabirhie

ICO registration. The Practice is registered with the Information Commissioner. Our registration numbers are Z8698170 for Eyeland Visioncare Limited (Mile End branch) and Z3643855 for Nobletest Limited (Lewisham branch).

The Practice has an up-to-date Freedom of Information Act statement which is available to patients, and a separate Privacy Policy which explains individuals’ rights under GDPR. This Data Security and Protection Policy, including the list of all systems and information assets holding personal information, is reviewed annually or more frequently as required.

2. Purpose

The purpose of this policy is to demonstrate the measures we take to ensure data security and protection. It describes the data we hold about patients, how we hold it, how we protect it, how we use and process it (including what patients need to be provided with) and how we transfer it.

3. Audience

The audience of this policy is:

  • Our staff
  • NHS England and other commissioners
  • Patients
  • Other stakeholders

3.1. Distribution plan

The policy is provided to all staff. It is used to demonstrate contract compliance to NHS England, and is available to view on request to any other interested party.

3.2. Training plan and support

The Practice’s SIRO conducts a data security and protection Learning Needs Analysis (LNA) for current and new staff. This identifies overall skills and knowledge gaps for the whole team and for specific individuals, using a combination of questionnaires, staff discussion groups, job analysis, evaluation and desktop reviews.

Findings from the LNA are used by the SIRO to develop group and individual training programmes suitable to role, with clear learning priorities. A data protection and security induction is in place for new members of staff. All staff pass the data security Level 1 test. Training is held at regular intervals to ensure all staff are familiar with this policy’s contents and practical applications, and staff with specialist roles receive training suitable to those roles. The SIRO is responsible for ensuring management is suitably trained. Training outcomes ensure users know what constitutes a breach incident, how to spot one, and where to report it.

4. Roles and responsibilities

The Practice maintains a current record of staff and their roles, and understands which members of staff have access to particular systems. We audit account users regularly. In the event of a mismatch between user role and system access granted, we record the incident and rectify each situation.

All staff understand their responsibility to handle information appropriately and their personal accountability for deliberate or avoidable data breaches. Staff are aware that IT systems are logged and of their duty to use IT responsibly; where staff act inappropriately, action may be taken against them. We display an acceptable-usage banner on our systems, including a personal accountability reminder, liaising with our service providers as necessary.

All systems administrators have signed an agreement holding them accountable to the highest standards of use. Systems administrator activities are logged, and these logs are only accessible to appropriate personnel. Where our systems do not support individual login, making user audits difficult, we hold a list of these systems.

We operate role-based access to ensure information is used only by those with a need to use it, and we implement physical controls in areas of our systems where full access is not appropriate.

5. Process and procedure

The Practice has a number of processes in place to ensure patient data security and protection, and holds patient records in a variety of formats:

  • Paper records for sight test and contact lens clinical records.
  • Paper records for spectacle prescription and dispensing information.
  • Clinical records held electronically on computer with up-to-date virus protection. We record incidents picked up by virus protection, the number of spam emails blocked per month, and the number of emails filtered per month.
  • Spectacle prescription and dispensing information in the practice management software.
  • Recall dates held in the practice management software.
  • Photographic information (retinal and anterior segment) held in the imaging software.
  • Visual Field records held either as paper, as data in the VF software, or as images within the imaging software.
  • Appendices to this policy set out minimum retention periods for types of records and the action taken when records are securely destroyed or archived. We hold a separate records retention schedule.

How this information is protected

  • All practice staff have a confidentiality clause within their contracts.
  • There is a clear understanding of what personal confidential / sensitive personal data is held.
  • All personal information on practice records, whether paper or electronic, is considered confidential.
  • We do not discuss personal information with anyone other than the patient or, if under 16 and not Gillick competent, the patient’s parent or guardian, without their permission.
  • Care is taken that records are not seen by other people in the practice.
  • All staff are aware of the importance of maintaining the confidentiality of patients’ personal data, which must be processed and stored securely. There is approved staff guidance on confidentiality and data protection.
  • All electronic data is protected by suitable back-up procedures; any online backup uses a service that encrypts the data securely before transmitting it from the practice PC.
  • When computers are replaced, old hard drives are securely erased or physically destroyed.
  • Records are retained for periods agreed by the optical bodies.
  • Confidential paper information requiring destruction is shredded, as are records due for destruction.
  • If information needs to be transferred, our procedures include consent and secure transfer.
  • Any suspected breaches of security or loss of information are reported immediately and dealt with appropriately by the SIRO.
  • Paper records are kept secure and away from public access.
  • Patient-identifiable information is not removed from the optical practice.

Discharging our legal and contractual duties

  • When patients have a sight test, they are given a copy of their spectacle prescription as soon as the test is completed.
  • We give patients a written statement when they are being referred, with the reason for the referral (e.g. “cataract”) written on the GOS2 or similar private form.
  • If patients are fitted with contact lenses, they are given a copy of their contact lens specification once the fitting process is complete.
  • We ensure staff who help provide GOS are appropriately trained and supervised for the tasks they undertake.
  • We may use the information we hold to remind patients when they are due for check-ups and to send eye care and eyewear information. Patients can opt out of this.
  • In addition to the Data Protection Act 2018 / GDPR, we comply with the Accessible Information Standard (AIS), and staff implement the Optical Confederation’s AIS guidance.

Secure transfer of patient data (information flows)

  • We normally ask patients’ permission before transferring personal information about them to someone else.
  • We may not ask permission when transferring information to another healthcare professional responsible for the patient’s care who needs that information to help care for them.
  • We may not ask permission where we are ordered by law to transfer the information — for example, if a court requests it.
  • We hold a record detailing each use or sharing of personal information, including the legal basis for the processing. These information flows are approved by the SIRO and Practice management, and we hold a list of all systems and information assets holding or sharing personal information.

Breach reporting

An internal data security and protection breach reporting system is in place. Staff report data breaches to the SIRO, who in turn reports to management. Breaches are logged and root cause analysis is undertaken to investigate the incident, with training conducted as necessary to mitigate future occurrences.

Incident reporting and business continuity

We hold a Business Continuity Plan, approved by the SIRO, which includes provision for data security incidents; staff understand how to implement it. We test and review this plan annually, recording attendees’ signatures and roles, and we plan for all risks potentially impacting business continuity, documenting issues and recording which staff members are responsible for which actions. All emergency contacts are kept securely in hard copy and kept up to date, and staff know where to locate them. In the event of a cyber-attack, we document lessons learned and integrate these into our Business Continuity Plan.

Software

All software used is surveyed to ensure it is supported and up to date, working with our software providers as necessary. Connected systems are kept up to date with the latest security patches. We do not use unsupported software; should that change in future, we will categorise and document it to identify and manage security risks. If patches are not applied for a period greater than two months, the SIRO is notified with an explanation.

IT networking

All networked systems have had their default passwords changed. We risk-assess our networking protocols to confirm that penetration tests are not required given the size of our organisation, and feedback is presented to the SIRO to devise a data improvement plan. Our management evidences discussion of the top three data security and protection risks arising from network testing.

Reviews

As part of our annual review of this policy, we review all processes above. As an optical practice, we include clinicians (optometrists and dispensing opticians) in this comprehensive review, and we take action to address problem processes.

6. Monitoring of compliance and effectiveness of implementation

The SIRO has operational responsibility for monitoring compliance and effectiveness of implementation; however, ultimate responsibility sits with Practice management. Staff have explicitly acknowledged that their activity on systems can be monitored.

The SIRO conducts regular compliance monitoring and staff spot checks to ensure this policy and associated guidance are being followed, with results followed up by the SIRO and management as necessary. The SIRO also monitors, and keeps a list of, the systems that users and administrators are able to access.

7. Individuals’ rights under GDPR

The Practice is aware of its responsibilities under GDPR. Individuals’ rights are respected and supported as per GDPR Articles 12–22. All data is processed in full accordance with the Data Protection Act 2018 incorporating GDPR. We ensure that personal data is:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving in the public interest, scientific or historical research, or statistical purposes is not considered incompatible with the initial purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  • Accurate and, where necessary, kept up to date; every reasonable step is taken to ensure that inaccurate personal data is erased or rectified without delay.
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed (with permitted exceptions for archiving, research and statistical purposes, subject to appropriate safeguards).
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

All transparency information required by GDPR (Articles 13 and 14) is published by the Practice within its Privacy Policy and is therefore available to patients and the public. We hold a staff procedure on providing information about processing and individuals’ rights, including meeting subject access requests within the GDPR timescales, and we hold details of how information requests have been complied with in the last twelve months in the format below:

For period dd/mm/yy to dd/mm/yy
  • Number of SARs:
  • Number of SARs late:
  • Number of FOI requests:
  • Number of FOI requests late:

Data Protection Impact Assessments (DPIA)

We conduct Data Protection Impact Assessments that follow relevant ICO guidance. DPIA guidance has been agreed by management in consultation with the DPO, and our DPIA approach is published in the interests of transparency.

8. Suppliers and due diligence

The Practice can name its suppliers, the products and services they deliver, and contract durations. Any contracts we hold with third parties that handle personal information are compliant with GDPR, and we have secured statements from suppliers confirming their compliance. We have also conducted basic due diligence against suppliers as per ICO and NHS Digital guidance.

In the event of any disputes between us and our suppliers, we record these and note any risks to data security. Where we cannot comply with data security standards because of supplier-related issues, we record these and discuss them at management level. Suppliers required to do so have completed the Data Security and Protection Toolkit at a level appropriate for their profile.

9. Appendices

Appendix 1 — Privacy Policy

The Practice holds its own Privacy Policy, which explains individuals’ rights under GDPR.

Appendix 2 — Record retention

This applies to spectacle records, contact lens records, appointment diaries, and telephone and/or tele-health consultations.

  • All records are retained for 10 years from the date the patient was last seen.
  • Records of children are retained until they are 25 and it is 10 years since they were last seen.
  • Records of the deceased are kept for 10 years.
  • Records are destroyed by shredding.

Age at last test    Time to retain record
Age 5               Until age 25
Age 10              Until age 25
Age 17              Until age 27
Over 18             For 10 years

Appendix 3 — Recording of telephone calls and/or consultations

Telephone calls between patients and providers are not recorded or monitored, due to the complexity of obtaining consent and subsequently storing patient-sensitive data. Should calls ever be monitored or recorded, a specific policy would be required taking into account the Regulation of Investigatory Powers Act 2000 (RIPA); the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000; the Data Protection Act 2018; the Employment Practices Data Protection Code; the Human Rights Act 1998; relevant codes of practice (including the FSA Handbook Code of Business and the Direct Marketing Association’s Code of Practice, PCI DSS); and Telecoms Licence obligations under the Service Provision Licence.

Appendix 4 — Disclosure of data to commissioners

The Practice (provider) agrees to provide anonymised, pseudonymised or aggregated data as may be requested by the co-ordinating commissioner or LOC Company / Primary Eyecare Company. Personal data will not be disclosed without written consent or a lawful reason for disclosure.

Exceptions are covered by Section 251 of the NHS Act 2006 (originally enacted under Section 60 of the Health and Social Care Act 2001), which allows the common law duty of confidentiality to be set aside in specific circumstances where anonymised information is not sufficient and where patient consent is not practicable.

Under the data protection principles, personal data must be processed fairly and lawfully, and processed for specified purposes.

This policy is reviewed annually or more frequently as required. For any data protection query, or to exercise your rights, please contact the Practice’s Data Protection Officer at either branch. See also our Privacy Policy and our National Data Opt-Out Statement.