We are a Data Controller (registered with the Information Commissioner’s Office, number Z5718812) and are responsible for determining the purpose of data that is collected and the means by which it is processed.
The DPA has two aims:
To protect individuals’ fundamental rights and freedoms, notably privacy rights, in respect of personal data processing; and
To enable organisations to process personal information in the course of legitimate business.
The DPA stipulates how we collect and process personal data in a lawful way, which is fair to the individuals the information is about (the data subjects) and meets their reasonable expectations. Processing includes virtually anything that can be done to information, including acquisition, storage and destruction.
We are committed to complying with the eight Data Protection Principles. These Principles (which are set out in Schedule 1 of the Act) require that personal information is handled as follows:
Principle 1 – It shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.
Principle 2 – It shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Principle 3 – It shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
Principle 4 – It shall be accurate, and where relevant, kept up to date.
Principle 5 – It shall not be kept longer than necessary for that purpose or those purposes.
Principle 6 – It shall be processed in accordance with the rights of the data subjects under the Act.
Principle 7 – Appropriate technical and organisational measures shall be taken against unauthorised loss or destruction of, or damage to personal data.
Principle 8 – It shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Your rights under the DPA
Individuals have the right, upon written request, to be informed:
Whether or not information about them is being processed by us
To be given a description of the information
The purpose of our processing and to whom it may be disclosed, and
To be provided with the information we hold in an intelligible form
Individuals may request:
That we stop processing their personal data if the processing would cause them or anyone else any unjustifiable damage or substantial distress.
That we stop using data for direct marketing purposes.
Compensation if they have suffered damage and distress as a result of us failing to comply with the Act.
That the ICO investigate and assess whether we have breached the Act.
Subject Access Requests (SAR)
A request to see your personal data is called a subject access request. We are allowed to charge you a fee of up to £10 before providing the information to you.
There are a number of exemptions under the DPA which may mean we are unable to disclose some of the information you want. Some examples of these exemptions are:
Personal data about somebody else or information that would identify somebody else
Information that may prejudice the way we carry out our regulatory activities
Information that attracts legal professional privilege
Crime and Taxation (if disclosure could prejudice matters such as the prevention or detection of crime)
If your personal data has other information amongst it that would not be appropriate to release to you (for example, other people’s information), we will blank out or “redact” this. This means that you might receive documents that have blanked-out sections.
If we are unable to give you your personal data we will tell you why it has been withheld unless the DPA also exempts us from having to confirm or deny its existence.
Please send your request in writing to us together with the £10 fee (cheque or postal order) describing the information you want. It would be helpful if you could clearly mark your mail “Subject Access Request”.
Requests should be sent to:
General Optical Council
10 Old Bailey
or by email to: email@example.com
We will deal with your request as quickly as possible, normally within the 40-calendar-day limit set by the DPA. The 40 days will start after payment of the fee. You may also be asked to supply proof of your identity.
Information Governance Framework and Policies - Handbook