PECs have a responsibility to ensure that their data protection practices are in line with current legislation and expectations. Sound data protection allows the company to be confident that it shares information correctly.
The Data Protection Act 2018 (DPA 2018) modernises data protection laws in the UK to make them fit-for-purpose for our increasingly digital economy and society. The DPA 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
There is stronger legal protection for more sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- trade union membership
- biometrics (where used for identification)
- sex life or orientation.
LOCSU have written guidance and templates on GDPR for Local Optical Committees (LOCs) to help them understand the changes and actions that they need to take.
- General Data Protection Regulation (GDPR) Guidance for Primary Eyecare Companies
- GDPR Data Audit Template (Apr 2018)
Practices should refer to the guidance from the Optical Confederation issued in July 2018: http://www.opticalconfederation.org.uk/downloads/data-protection-and-gdpr-updated-guidance—july-2018.pdf
Registration with the Information Commissioner’s Office (ICO)
The Information Commissioner’s Office (ICO) is the independent supervisory authority set up to promote and oversee compliance with data protection legislation in the UK. Under the 2018 Regulations, organisations that determine the purpose for which personal data is processed (data controllers) must pay the ICO a data protection fee unless they are exempt.
Data protection licences must be renewed annually. The company will be sent a reminder six weeks before the renewal fee is due, and it must then contact the ICO to pay the DPA licence fee.
Privacy and Electronic Communications Regulations (PECR)
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.
There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
Electronic and Telephone Marketing
PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication. The rules are generally stricter for marketing to individuals than for marketing to companies.
The company will often need specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from the company.
Cookies and Similar Technologies
The company must tell people if it sets cookies, and clearly explain what the cookies do and why. The company must also get the user’s consent. Consent can be implied but must be knowingly given.
The same rules also apply if it uses any other type of technology to store or gain access to information on someone’s device.