Privacy Information

Optometry Privacy Notice (Patients and Service Users)

This notice explains how R N Roberts (North Road) Ltd uses your personal data.

Approved by Louise Rymon-Welsh

Version V1.0

Last updated 29/01/2026

Review date 29/01/2027

Introduction

This Privacy Notice will explain how R N Roberts (North Road) Ltd uses your personal data.

R N Roberts (North Road) Ltd is the data controller for personal information processed. We are committed to protecting your personal information and respecting your privacy. We have a legal duty to explain how we use personal information about you at our organisation.

Document history (Revision History)

Date	Version	Author	Revision Summary
29/01/2026	V1.0	LRW & MJM	This Privacy Notice has been based upon Version 1.0 of the DPO Support Service Template.

Authorisation

Approver’s Name
Louise Rymon-Welsh & Mark Medcraft

Role
Directors

Signatures
LRW
MJM

Date
29/01/2026

What information do we collect about you?

We will collect information about you to provide you with care and treatment as well as to enable effective management of the practice. We collect sensitive personal information about you (also known as special category data) which includes information relating to your health, including details of medications and appliances dispensed, advice given, referrals made to other health professionals and any other relevant information.

Personal information we may collect includes:

Your name, address, date of birth, and gender
Contact details
NHS number
GP details
Ethnicity (for the identification of eye health risk factors)
Your relevant health details such as:
- Current and past eye health conditions and other related health information
- The reason for any consultation and presenting condition
- Details and findings of any assessment or examination conducted
- Details of any treatment, referral or advice provided, including any drugs or appliance prescribed
- Glasses, contact lens, appliance or medication prescriptions issued or provided to us
- Communications between your optometrist and your GP, ophthalmologist, or other relevant healthcare providers
Information about your employment, lifestyle and whether you drive
Billing, payment and insurance/claim information
Information you provide by completing forms on our website
Details of your visit to the website and any online transactions you carry out
Call recordings if you call us
Your personal image on CCTV when you attend our premises
Any other information you have chosen to give us

How is your personal data collected?

The information we hold is collected through various routes, including:

Direct interactions with you (or your representative) during consultations or by telephone
Indirectly from other healthcare providers (for example your GP or another optometry practice)
When your image is captured on the optometry practice’s CCTV cameras
Automated technologies when you interact with our website (for example cookies). See our cookie policy: www.rnroberts.co.uk/cookiepolicy

How do we use your information?

The information we collect about you is primarily used for your direct care and treatment, and to fulfil services you commission. It may also be used for:

The management of healthcare services
Legal requirements
Security and safety of our staff and premises

We deploy appropriate organisational and technical measures to ensure the security of your personal information. Access is strictly controlled and every member of staff must sign a confidentiality agreement and complete regular training.

We follow these laws and guidelines:

UK General Data Protection Regulation (UK GDPR) 2016
Data Protection Act 2018
Human Rights Act 1998
Common Law Duty of Confidentiality
NHS (Wales) Act 2006
Health & Social Care (Wales) Act 2016
Public Health (Wales) 2017

Our legal basis for processing your personal data

Direct care and treatment:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Legal obligation:
Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Contract (services/goods commissioned):
Article 6(1)(b) – processing is necessary for the performance of a contract.

Consent:
Where we rely on your consent (e.g. marketing materials), you can withdraw consent at any time.

Special category data conditions (health / public health):

Article 9(2)(h)
Article 9(2)(i)

Legal proceedings / advice / claims:

Article 6(1)(e) and/or Article 6(1)(c)
Article 9(2)(f) and/or Article 9(2)(g)

Safeguarding:

Article 6(1)(c), 6(1)(d) and/or 6(1)(e)
Article 9(2)(g) – Data Protection Act 2018 S10 and Schedule 1, Paragraph 18

Retention of your personal information

We are required by UK law to keep your information for a defined period (a retention period). The optometry practice will keep your information in line with the organisation’s records management policy: www.rnroberts.co.uk/terms-and-conditions

In line with the Terms of Service for the Wales General Ophthalmic Service, we retain patient records:

For adults: for 10 years after your last visit.
For children and young people: for 10 years after your last visit, or until you turn 25, whichever later.

How to contact us

If you have any questions about this privacy notice or the information we hold about you:

Organisation: R N Roberts (North Road) Ltd
Tel: 02920619990
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Data Protection Officer (DPO)

Digital Health and Care Wales,
Information Governance, Data Protection Officer Support Service
6th Floor, Tŷ Glan-yr-Afon
21 Cowbridge Road East
Cardiff
CF11 9AD
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Your rights

The UK GDPR includes several rights. We must generally respond to requests within one month (with some exceptions). The availability of some rights depends on the legal basis that applies.

View your rights

Right to be informed – met by this privacy notice and similar information at the point of contact.
Right of access – obtain a copy of your personal data (with some exceptions).
Right to rectification – correct inaccurate data we hold about you.
Right to erasure – request deletion (not absolute).
Right to restrict processing – e.g. while accuracy is contested.
Right to data portability – applies where processing is consent/contract and data is electronic.
Right to object – not absolute; stronger where objection relates to marketing.
Rights re automated decision-making – object to decisions based solely on automated processing.
Right to complain – to the Information Commissioner’s Office (ICO).

Information Commissioner’s Office (ICO)

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow SK9 5AF
Tel: 0303 123 1113
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
Website: www.ico.org.uk

Annex 1

Below is a structured summary of the Annex 1 items (purpose, recipients, legal basis). If you’d like, I can format each Annex entry as its own collapsible block.

Invoice Validation

Purpose: Ensure the correct Health Board is charged for the cost of care and treatment.

Recipients: Health Boards and NWSSP (for charging, payment and auditing requirements).

Legal basis: Article 6(1)(e); Article 9(2)(h).

Registering for NHS Health Care

Purpose: Centralised national database of all patients who receive NHS care in Wales (held within DHCW).

Recipients: NHS Wales; Welsh Government (in anonymised form for statistical analysis).

Legal basis: Article 6(1)(e); Article 9(2)(h).

Direct Care

Purpose: Provide direct care / specialist services and referrals.

Recipients: Local Health Boards, GP practice, other optometry practices, social prescribing services.

Legal basis: Article 6(1)(e); Article 9(2)(h).

Safeguarding

Purpose: Protect children, staff, vulnerable adults from harm.

Recipients: Social Services, Police / law enforcement (as permitted/required by law).

Legal basis: Article 6(1)(c) and/or 6(1)(d) and/or 6(1)(e); Article 9(2)(g) + DPA 2018 Schedule 1 Para 18.

DVLA (Fitness to drive)

Purpose: Share information where there are serious concerns about safety to drive and the patient cannot/will not inform DVLA.

Recipients: DVLA (and for specific professions, relevant regulators such as Office of Rail and Road, UK Civil Aviation Authority, Maritime and Coastguard Agency).

Legal basis: Article 6(1)(c) and/or 6(1)(d) and/or 6(1)(e); Article 9(2)(g).

HIW & GOC (Regulatory functions)

Purpose: Regulatory inspection and reporting obligations (including serious incidents).

Recipients: Healthcare Inspectorate Wales (HIW) and General Optical Council (GOC).

Legal basis: Article 6(1)(c); Article 9(2)(h) and/or Article 9(2)(j).

Legal Advice / Claims

Purpose: Obtain legal advice, establish facts, defend legal claims.

Recipients: Solicitors / legal representatives.

Legal basis: Article 6(1)(c) and/or 6(1)(e); Article 9(2)(f) and/or 9(2)(g).

Disclosure of Video Surveillance to Police

Purpose: Support investigations where incidents require police intervention.

Recipients: Police.

Legal basis: Article 6(1)(e); Article 9(2)(g); DPA 2018 Schedule 2 (1)(a) and (1)(b).

Cookie Policy

Introduction

What information do we collect about you?

How is your personal data collected?

How do we use your information?

Partners we may share your information with

Our legal basis for processing your personal data

Retention of your personal information

How to contact us

Data Protection Officer (DPO)

Your rights

Information Commissioner’s Office (ICO)

Annex 1