Data Protection Policy

Data Protection Policy: SW Home Healthcare Ltd

1. Introduction & Purpose

SW Home Healthcare Ltd is committed to protecting the privacy of our patients and staff. As a healthcare provider, we process sensitive health data. This policy ensures we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Lawful Basis for Processing

We process personal data under the following lawful bases:

  • Contract: To provide optometric services and products (e.g., spectacles/lenses).
  • Legal Obligation: To comply with health and safety and WGOS (Wales General Ophthalmic Services) regulations.
  • Legitimate Interests: For practice management and internal auditing.
  • Special Category Data (Health): We process clinical data under Article 9(2)(h) of the UK GDPR (the provision of health or social care or treatment).

3. Data Protection Principles

We adhere to the six core principles of the GDPR:

  1. Lawfulness, fairness, and transparency: We inform patients why we need their data via our Privacy Notice.
  2. Purpose limitation: Data is only collected for specific healthcare and business purposes.
  3. Data minimisation: We only collect the information necessary for the patient’s care.
  4. Accuracy: We take reasonable steps to ensure clinical and contact data is kept up to date.
  5. Storage limitation: Data is not kept longer than necessary (see Retention Schedule).
  6. Integrity and confidentiality: We use technical and organisational measures to prevent unauthorised access or loss.

4. Patient Rights

Under the UK GDPR, our patients have the right to:

  • Access: Request a copy of their records via a Subject Access Request (SAR). We will respond within one month and do not charge a fee unless the request is “manifestly unfounded or excessive.”
  • Rectification: Have inaccurate clinical or personal data corrected.
  • Erasure (Right to be Forgotten): Note that clinical records are generally exempt from erasure due to legal retention obligations.
  • Object: To stop their data being used for direct marketing.

5. Security Measures

To protect patient data, SW Home Healthcare Ltd implements:

  • Encryption: All clinical systems and emails containing patient data are encrypted.
  • Access Control: Staff only have access to the data required for their specific role (e.g., receptionists cannot access full clinical exam histories unless necessary).
  • Physical Security: Paper records are stored in locked cabinets; the premises are alarmed.
  • Training: All staff undergo annual Data Protection and Confidentiality training.

6. Data Retention (UK Standards)

In line with NHS and College of Optometrists guidance, we apply the following retention periods:

Record Type            | Retention Period
Adult Records          | 10 years after the last encounter.
Children’s Records     | Until the patient’s 25th birthday (or 26th if they were 17 at the last visit).
Deceased Patients      | 10 years after death.
WGOS Forms             | 7 years (NHS requirement).

7. Data Breach Notification

In the event of a personal data breach that poses a risk to individuals (e.g., loss of an unencrypted laptop), we will:

  1. Notify the Information Commissioner’s Office (ICO) within 72 hours.
  2. Inform the affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

8. Data Protection Officer (DPO)

While small practices may not be legally required to appoint a formal DPO, Russell Ham acts as our “Data Lead” for all compliance queries and can be contacted at office@swhomehealthcare.co.uk.