Privacy and Cookies
PRIVACY AND COOKIES
Gillian Whitby Associates Limited trading as ‘Whitby & Co’ understands that your privacy is important to you and that you care about how your personal data is used. We are committed to protecting your privacy when dealing with personal information and will only collect and use personal data in ways that are described here and which are consistent with our obligations and your rights under the law. This policy supplements other policies, notices and consents (including ‘opt-ins’ or ‘opt-outs’) and is not intended to override them.
1. INFORMATION ABOUT US
Gillian Whitby Associates Limited is a limited company providing optometry services and is registered in England under company number 02981087.
Registered address: 29 Fleet Street, London EC4Y 1AA
Data Protection Officer: Martin Hughes
Email address: CLICK HERE
Telephone number: 0207 353 4455
Postal Address: 29 Fleet Street, London EC4Y 1AA
Registered with the Information Commissioner’s Office under reference number ZB330614
We are regulated by The General Optical Council (GOC).
2. WHAT DOES THIS NOTICE COVER?
3. WHAT IS PERSONAL DATA?
Personal data is “information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”. Put simply, this is any information about you that enables you to be identified. It covers obvious information such as your name and contact details, but also less obvious information such as identification numbers, electronic location data, and other online identifiers.
The personal data that we use is set out in part 5, below.
4. WHAT ARE MY RIGHTS?
We will always work to uphold your rights as follows:
2. The right to access the personal data we hold about you. Part 10 will tell you how to do this.
3. The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 11 to find out more.
4. The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of certain personal data that we have. Please contact us using the details in Part 11 to find out more. Please note that this may be constrained by our own statutory obligation to retain medical, financial and professional records.
5. The right to restrict (i.e. prevent) the processing of your personal data.
6. The right to object to us using your personal data for a particular purpose or purposes.
7. The right to data portability: to ask for the personal information you have made available to us to be transferred to you or a third party.
8. Rights relating to automated decision-making and profiling. We do not use your personal data in this way.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 11.
If you have any cause for complaint about our use of your personal data or require further information about your rights, you can contact the Information Commissioner’s Office.
5. WHAT PERSONAL DATA DO YOU COLLECT?
We may collect some or all of the following personal data through your contact with us including by phone, by email, through our websites, by post, by filling in application or other forms, through social media or in person (for example, in medical consultations, diagnosis and treatment). This may vary according to your relationship with us and the purposes for which you engage our services or purchase our products:
1. Standard personal information: for example, information we use to contact you, identify you or manage our relationship with you such as name; date of birth; and/or age; gender; address; email address; contact telephone number; business name, employment or profession; job title; payment information.
2. Special category information: Information about your health such as medical history and laboratory test results.
Your personal data may also be collected from third parties (anyone acting on your behalf) such as:
- Your parent or guardian, if you are under 18 years’ old
- Your employer, if you are covered by a contract for services your employer has taken out or if we are providing occupational health services
- Your health insurance provider
- Laboratories and imaging centres processing your test results
- Your NHS GP, other doctors, clinicians, healthcare professionals and providers (for example specialist medical professionals pursuant to a referral made at your request)
6. HOW DO YOU USE MY PERSONAL DATA?
We must always have a lawful basis for using your personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it.
We process your personal information for a number of legitimate reasons, including managing all aspects of our relationship with you, to help us improve our services and products, for marketing and in order to exercise our rights, for example, in dealing with any complaints. We can only use your personal information to send you marketing material if we have your permission or a legitimate interest as described below.
Legitimate interest is one of the legal reasons why we may process your personal information. Taking into account your interests and rights, legitimate interests which allow us to process your personal information include:
- To manage our relationship with you, our business and third parties who provide services or products for us
- To provide optometry services on behalf of a third party, for example your employer or health insurance provider
- To maintain up-to-date records and providing you with relevant health advice as allowed by law
- for statistical research and analysis so that we can monitor and improve our services, websites, or develop new ones
- To develop and carry out health advisory activities so we can show you information that is of interest to you, based on our understanding of your medical history or preferences
- To monitor our clinical and non-clinical performance
Your personal data may therefore be used for one of the following purposes:
- Providing and managing your account.
- Supplying our medical and healthcare services and products to you. Your personal data is required in order for us to enter into a contract with you for the provision of our services and products as requested by you.
- To meet your healthcare needs: personalising and tailoring our services and products for you, for example providing services that are age-appropriate or for specific age groups only.
- Communicating with you. This may include responding to emails or calls from you; at your request sending you reports and results from recent consultations; sending you reminder and recall appointment letters when products have expired or been replaced and/or services are next due
- Supplying you with information by email and/or post. With your permission and/or where permitted by law, we may use your personal data to contact you by email and/or post with health information, news, and offers on our products and/or services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the UK GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out by emailing email@example.com or writing to Whitby & Co, 29 Fleet Street, London EC4Y 1AA.
7. HOW LONG WILL YOU KEEP MY PERSONAL DATA?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):
- Your medical and healthcare data will usually be retained for a minimum period of 10 years as part of our duty of care and good medical practice as defined by the GOC to retain such records and not destroy them.
- Payment information will not be retained for longer than 6 months for accounting purposes. Credit card security numbers will be deleted as soon as payment is made and confirmed as received.
8. SECURITY: HOW AND WHERE DO YOU STORE OR TRANSFER MY PERSONAL DATA?
We use specific contracts with external third parties that are approved by the European Commission for the transfer of personal data to third countries. These contracts ensure the same levels of personal data protection that would apply under the EU GDPR.
Where we transfer your data to a third party based in the US, this may be protected where that third party provides data protection to standards similar to those in Europe. More information is available from the European Commission.
9. DO YOU SHARE MY PERSONAL DATA?
We will never sell, copy or generally distribute your personal data. We do sometimes need to share your information with other people or organisations such as:
- doctors, specialist clinicians, other healthcare professionals or providers
- your employer
- your health insurance provider
- Public Health England (regarding certain infectious diseases and viruses)
During your consultation we will discuss with you whether or not you would like us to inform your NHS GP of your particular health matter.
We will keep your information confidential, save for where in some very limited circumstances we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority. If we must share your personal information, we will ensure appropriate safeguards are in place to protect your personal information in line with data-protection laws.
10. HOW CAN I ACCESS MY PERSONAL DATA?
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 11. To make this easier for you, a Subject Access Request Form is available for you to use. You do not have to use this form, but it is a quick way to tell us everything we need to know to respond to your request.
There is normally no charge for a subject access request. If, however your request is “manifestly unfounded or excessive” (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request within one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
11. HOW DO I CONTACT YOU?
To contact us about anything to do with your personal data and data protection, including to make a subject access request please use the contact details in part 1 above.
It is important that the personal data we hold about you is current and accurate. Please keep us informed if your personal data changes whilst you are a patient with us.
COOKIE USE POLICY
By law, website operators are required to ask for a website user’s permission when placing certain kinds of cookie on their devices for the first time.
Where consent is required, the law states that it should be “informed consent”, which means we must ensure that you understand what cookies are and why we want to use them.
12. WHAT IS A “COOKIE”?
Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device.
Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improve the user experience. They can also help to ensure that adverts you see online are more relevant to you and your interests.
The cookies on our website are categorised based on the guidelines found in the ICC UK Cookie guide. We do/do not use the following:
CATEGORY 1 – STRICTLY NECESSARY COOKIES
These cookies are essential to enable you to move around our websites and use their features. Without these cookies, services like online appointment booking cannot be provided.
We do use category 1 cookies.
CATEGORY 2 – PERFORMANCE COOKIES / ANALYTICS COOKIES
These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works
We do use category 2 cookies.
CATEGORY 3 – FUNCTIONALITY COOKIES
These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. For instance, a website may be able to provide you with local weather reports or traffic news by storing in a cookie the region in which you are currently located. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.
We do use not use category 3 cookies.
CATEGORY 4 – TARGETING COOKIES / ADVERTISING
These cookies are used to deliver adverts more relevant to you and your interests They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaigns. They are usually placed by advertising networks with the website operator’s permission. They remember that you have visited a website and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.
We do not use category 4 cookies.
13. WHAT ARE ‘FIRST PARTY’ & THIRD PARTY COOKIES?
Cookies are set and controlled by the operator of the website which the user is browsing such as whitbyonline.com (first party cookie). A third-party cookie is one that is placed on a user’s hard disk or device by a website other than the one the user is visiting (for example Google Analytics).
We use ‘session’ and ‘persistent cookies’. Session cookies are erased when the user closes the browser window. Persistent cookies are stored on a user’s device until expiry or the user deletes it.
We use ‘strictly necessary’ and ‘performance/analytics cookies’ to track user sessions, basic visitor information and to understand for statistical and research purposes with the intention of better improving our website content and services. Session cookies expire at the end of the user’s browsing session.
By using our websites you agree that we can place these types of cookies on your device.
15. WHO ARE OUR THIRD PARTY SUPPLIERS?
We work with Filemaker Webdirect who use ‘session cookies’ and ‘Google Analytics’ who use ‘persistent cookies’ on your device and report on “web analytics” information. Where such information is made available to us, we have listed these cookies below.
|Used to distinguish users and sessions
|Used to determine new sessions / visits
|Used to mark the end of the browser session
|Used to store visitor-level data
|Stores the traffic source or campaign that explains how someone arrived at the site
|_ga & _gat
|These cookies enable Universal Analytics (part of Google Analytics) to activate
All data collected by Google Analytics is anonymous and cannot be used to identify user behaviour. By using our website, you agree that we can place these types of cookies on your device.
FileMaker WebDirect uses ‘strictly necessary’, ‘session’ cookies. These cookies hold no personal data and are deleted once the session is terminated. These types of cookies are exempted from the obligation to inform and obtain consent.
16. SHARING OF DATA FROM COOKIES
We may disclose data collected from cookies, such as user visiting trends, to third parties, in an anonymous form, for research and statistical purposes, to help us enhance our websites.
By using our website, you agree that we can place these types of cookies on your computer or device.
By enabling Google analytics cookies, we are able to understand how you use our website which allows us to continually improve your browsing experience. Accepting cookies allow some of the essential features of our websites to work.
We recommend that if you do not want to set cookies on your computer or other device you should either; not use the site and delete cookies that may have been stored on your computer or your device or change the settings in your website browser to disable cookies.
To learn more or opt-out of Google Analytics, please visit:
To opt out of Filemaker Webdirect:
Any changes will be made available on our website www.whitbyonline.com and available at our front reception area at 29 Fleet Street, London, EC4Y 1AA
Last Updated: May 2022