Privacy Policy

Midland Eye are committed to protecting your privacy and meeting the requirements of data protection legislation. We are registered with the ICO at Midland Eye This privacy notice explains:

• what personal data we collect about you;
• why we collect that personal data;
• who we share your personal data with;
• why we might contact you and how you can change that;
• how long we retain your personal data;
• how we keep your personal data secure; and
• what rights you have in relation to your personal data.

When we talk about “personal data” in this notice, we mean any information which could be used to identify you, either directly or indirectly when combined with any other information we may hold about you.

In this privacy notice, when we refer to “we”, “us” or “our”, we mean Eye-Docs Limited, registration number 04414314, registered address 50 Lode Lane, Solihull, West Midlands, B91 2AW. We are the data controller under the Information Commissioner’s Office registration number Z9279567.

If you need to contact us about this privacy notice or further details on how we use your personal information please contact the Group Data Protection Officer by post at our address above or by emailing DPO@midlandeye.com.

Personal data collected by us

The doctors, nurses and team of healthcare professionals caring for you keep records about your health and any treatment and care you receive from us. These records help to ensure that you receive the best possible care.

They may be written down in paper records or held on computer. These records may include:

• Basic details about you such as name, address, date of birth, next of kin, etc.
• Contact we have had with you such as appointments or clinic visits
• Notes and reports about your health, treatment and care
• Results of x-rays, scans and laboratory tests
• Relevant information from people who care for you and know you well such as health professionals and relatives
• Relevant financial and insurance information where there is payment to be made for treatment.

It is essential that your details which we hold are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.

Reasons for collecting that personal data

Your records are used to direct, manage and deliver the care you receive to ensure that:

• The doctors, nurses and other healthcare professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you
• Healthcare professionals have the information they need to be able to assess and improve the quality and type of care you receive
• Your concerns can be properly investigated if a complaint or any concerns are raised
• Appropriate information is available if you see another doctor, or are referred to a specialist or another part of the healthcare system to ensure you receive continuity of care
• Payments and accounts are appropriately managed and settled where appropriate.

Your information will also be used to help us manage and protect the health of the public by being used to:

• Review the care we provide to ensure it is of the highest standard and quality
• Ensure our services can meet patient needs in the future
• Investigate patient queries, complaints and legal claims
• Ensure the hospital/clinic receives payment for the care you receive
• Prepare statistics on our performance
• Audit our accounts and services
• Undertaking health research and development (with your explicit consent – you may choose whether or not to be involved)
• Helping to train and educate healthcare professionals

We have a number of lawful bases for using this information under data protection legislation.

• In some cases it will be necessary for us to use information in order to fulfil our contract with you to provide you with healthcare services, such as using your health data for the purposes of diagnosis and assessment by a healthcare professional.
• We are required to use information to treat NHS patients based on our official authority which is vested in us by NHS England.
• In exceptional circumstances, we may be required to use your information to protect your vital interests or those of another person for example, in the case of an epidemic or extreme event.
• We may also need to use your information for the purposes of establishing, exercising or defending our legal rights, for example in the event of a complaint.
• Where we do not have a contractual or legal obligation to handle your data in a particular way, or your explicit consent to use your information for a specific purpose, we have a legitimate interest to conduct general business processes and improve our services. When relying on our legitimate interests we conduct an assessment to ensure that this use of your data is fair, proportionate and in no way detrimental.

Who we share your personal data with

Everyone working within healthcare has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

We will share information with the following main partner organisations:

• NHS Trusts and hospitals that are involved in your care
• Private insurers that are involved in your care
• Clinical Commissioning Groups, NHS Commissioning Support Units, NHS England Local Area Teams and other NHS bodies
• Your General Practitioner (GP)
• Ambulance Services
• PHIN (Private Healthcare Information Network) who are the government’s recognised body for processing private patient’s data

You may be receiving care from other people as well as us, for example Social Care Services or District Nursing Services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission.

Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

• Social Care Services
• Education Services
• Local Authorities
• Voluntary and private sector providers working with us

We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on information.

You have the right to restrict how and with whom we share the personal information in your records that identifies you. This must be noted explicitly within your records in order that all healthcare professionals and staff treating and involved with you are aware of your decision.

By choosing this option, you should be mindful that it may make the provision of treatment or care more difficult or unavailable. You can also change your mind at any time about a disclosure decision.

National Data Opt-Out

If you receive publicly funded health or adult social care services in England, you may have a choice about whether your confidential patient information is used for purposes beyond your individual care and treatment. This is called the National Data Opt-Out. It applies to certain uses of identifiable information for health and care research and for planning and improving services.

Your opt-out choice will not affect the care you receive. We will still use and share relevant information for your individual care, including for appointment management, referrals and providing safe treatment. Where possible, information used for planning and research is anonymised so that you cannot be identified.

• The National Data Opt-Out applies to confidential patient information about publicly funded health and adult social care services in England, where it is used for research and planning beyond your individual care.
• It does not apply to information used for your direct care and treatment.
• It does not apply to anonymous information (where you cannot be identified).
• There are limited situations where the opt-out may not apply where use of information is required by law (for example, where there is a statutory requirement to share information).

You can view, set or change your National Data Opt-Out choice at any time using the NHS App, online via the NHS ‘Your NHS data matters’ pages (search: “Your NHS data matters”), or by calling the National Data Opt-Out contact centre on 0300 303 5678. If you would like help understanding your choices, please ask a member of staff or contact our Group Data Protection Officer.

Receiving communications and updating your preferences

When attending our facilities for an outpatient appointment or a procedure you may be asked to confirm that we have an accurate email address, contact number and/or mobile telephone number for you. This can be used to provide appointment details via email, SMS text messages and automated calls to advise you of appointment times, with your consent.

Using the ‘soft opt-in’ for marketing

In some circumstances, data protection and e-privacy law (the Privacy and Electronic Communications Regulations – PECR) allows organisations to send marketing by email, text or other electronic messages to patients without asking for a separate marketing tick-box. This is often called the ‘soft opt-in’.

• we obtained your contact details in the course of a providing you with patient care;
• we only use your details to market our own similar services (for example, information about related eye care services, follow-up care or service updates);
• we gave you a clear opportunity to opt out of marketing at the point we collected your details; and
• we include a simple way to opt out in every marketing message we send (for example, an unsubscribe option or instructions to stop messages).

If you opt out, we will stop sending you marketing messages by that method. Choosing not to receive marketing will not affect your clinical care or appointment communications.

You can update your communications preferences at any time by informing a member of staff or by contacting the Data Protection Officer dpo@midlandeye.com.

Retention of personal data

We retain personal data for no longer than required and in line with Midland Eye’s retention schedule. This is based on statutory requirements and legal obligations, as well as our business requirements.  Treatment data is held in line with the NHS retention guidelines.  Financial information relating to payments is held for 7 years for accounting purposes.  

Security of personal data

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. All data held by Midland Eye is stored in the UK or EU.  Where we have a need to transfer data outside of the European Economic Area (EEA) we do so with appropriate safeguards in place.

Personal data and your rights

Data protection legislation gives you the right to:

• Correct any data we hold about you that is not correct (Rectification)
• Request that we delete your personal data (Erasure)
• Block or suppress the further processing of your personal data in certain circumstances (Restriction)
• Request access to personal data that we hold about you (Subject Access)
• In some circumstances, receive the personal data which you have provided to us, in a structured, commonly used and machine-readable format and have this transmitted to another data controller (Data Portability)
• Withdraw consent where this is the legal basis for us processing your information
• Object to processing where Midland Eye is relying on its legitimate interests as the legal ground for processing
• Not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you.

Please contact the Data Protection Officer using the details above if you wish to exercise your rights in relation to personal data. Our policy is to verify the authenticity of all requests made, and requests may be refused if we are unable to verify the identity of the requester.

If you have concerns about the way we have handled your personal data please contact the Data Protection Officer in the first instance. 

Data protection complaints procedure (Data (Use and Access) Act 2025)

The Data (Use and Access) Act 2025 introduces a formal right for individuals to make a complaint directly to the organisation using their personal data if they believe there has been an infringement of UK data protection law. If you have a concern about how we have used your personal data, you can raise it with us in the first instance so that we can investigate and respond.

• How to submit a complaint: please contact our Group Data Protection Officer using the details above and include enough information for us to understand your concern (for example, what happened, when, and what outcome you are seeking).
• Acknowledgement: we will acknowledge your complaint within 30 days.
• Investigation and updates: we will take appropriate steps to investigate your complaint without undue delay. This may include making enquiries into the subject matter of your complaint and keeping you informed about our progress where appropriate.
• Outcome: we will tell you the outcome of our investigation and our decision, in clear language, and explain any steps we have taken or will take.

If you are not satisfied with our response, or you believe we have not dealt with your complaint appropriately, you can escalate your concern to the Information Commissioner’s Office (ICO).

If you remain unsatisfied you can contact the Information Commissioner’s Office (ICO) on 0303 123 1113, at Make a complaint | ICO, or by post to ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.