
PRIVACY NOTICE

This Website is operated by Medical Imaging UK Limited and MIDRSS Limited (together “NEC Care”, “we”, “us”, “our”). This privacy notice is for this website and also covers how the Diabetic Eye Screening Programme (DESP) will use your information.

Purpose of this privacy notice

This privacy notice aims to give you information on (a) how NEC Care collects and processes your personal data through your use of our website, including any data you may provide through the website when you contact us or a member of our team using it, and (b) how the Diabetic Eye Screening Programme (DESP) will use your information.

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.

Controller

NEC Care is the controller and responsible for your personal data.

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

Contact details

Our full details are:

Medical Imaging UK Limited is registered in England and Wales under company number 04416975, whose registered office is at 1st Floor, iMex Centre, 575-599 Maxted Rd, Hemel Hempstead HP2 7DX.

MIDRSS Limited is registered in Ireland under company number 535367, whose registered office is at The Care Centre, Unit 3 Enterprise House, 36 Mary Street, Cork City.

Email address of the Data Protection Officer: dpo@necsws.com

You have the right to make a complaint at any time to the relevant Supervisory Authority. The Information Commissioner’s Office (ICO) is the UK supervisory authority for data protection issues (www.ico.org.uk). The Data Protection Commission (DPC) is the supervisory authority in Ireland (www.dataprotection.ie/). We would, however, appreciate the chance to deal with your concerns before you approach the Supervisory Authority, so please contact us in the first instance.

Changes to our privacy notice

We will keep this privacy notice and we may update it from time to time (for example, to reflect changes we might make to our services or to reflect changes in the law or best practice). Any changes we may make to our privacy notice in the future will be posted on this page. We encourage you to visit this page periodically so that you are aware of any changes which have been made. In addition, changes may be notified to you when you next attend a clinic.

This version was last updated on 1st July 2021 

A: This Website

A1 Third-party links

Our website or communications that we send to you may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the privacy notice of every website you visit.

A2 The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, last name, job title, company details.
  • Contact Data includes company address, email address and telephone numbers.
  • Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.
  • Usage Data includes information about how you use our website, products and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.

 

We also collect, use and share Aggregated Data such as statistical or demographic data.

Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

A3 How is your personal data collected?

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your Identity and Contact Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

      o give us some feedback;
      o download something from our website;
      o ask us a question; or
      o request further information from us.

  • Automated technologies or interactions. As you interact with our website, we may automatically collect Usage Data and Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy here for further details. If you are on one of our marketing lists we will be able to identify you when you use our website.
  • Third parties or publicly available sources. We may receive Technical Data from analytics providers such as Google, Oracle and others.

How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.
  • In certain circumstances, where you consent to the processing.

Where we are processing on the basis of your consent you have the right to withdraw that consent at any time by contacting us.

A4 Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

 

| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical; (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To respond to any questions or queries you submit | (a) Identity; (b) Contact | Your consent |
| To administer and protect our business and website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity; (b) Contact; (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); (b) Necessary to comply with a legal obligation |

A5 Cookies

For information about the cookies we use and how, please see our cookie policy.

A6 Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

A7 Disclosures of your personal data

We may have to share your personal data with the parties set out below for the purposes set out in the table above.

  • We may need to transfer your personal data to other companies within the NECSWS group of companies. If that happens, the relevant other member of the NECSWS group of companies will process data in the same manner as set out in this privacy notice.
  • We may transfer your personal data to other companies within the wider NEC Group (NECSWS is owned by the NEC Corporation).
  • We may need to transfer your personal data to external third party companies (for example, to the company that manages our website from time to time, or a company that we engage to print hard copy marketing material).
  • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

A8 International transfers

In some circumstances we may need to share your personal data within the NECSWS Group. This may involve transferring your data outside the UK or the European Economic Area (EEA).

Whenever we transfer your personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it and that the transfer is in accordance with legislation. For example, we may use specific contracts approved by the UK Supervisory Authority or the European Commission which give personal data the same protection it has in Europe.

A9 Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

A10 Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

A11 Your legal rights

Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our Data Protection Officer (DPO) in writing.

If you wish to exercise any of the rights set out above, please

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within 28 days. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

B: The Diabetic Eye Screening Programme (DESP)

B1 What is DESP?

Diabetic Eye Screening Programme (DESP) is a free NHS / HSE service for patients with Type 1 or Type 2 diabetes who are aged 12 years or over.

The DESP will use the information provided to them by your GP to invite you for annual screening.

If you require a referral to the hospital eye service the DESP will pass your details to the relevant personnel, so they can offer you an appointment.

The appointment booking and screening elements of the service are delivered by qualified local optometrists and NEC Care.

NEC Care adheres to all the same guidelines as the NHS in the UK or the HSE in Ireland when handling your data.

B2 What information about me will be held by the DESP?

  • Name
  • Date of birth
  • Contact details
  • NHS number
  • Details of your GP
  • Preferred language
  • Preferred contact method
  • Any other specific requirements
  • If you have been diagnosed as having Type 1 or Type 2 diabetes

B3 What other information will the DESP need?

Once you agree to have your eyes screened it will be necessary for the Programme to access previous screening results.

Further information may be required about your medical history relating to diabetes such as your blood sugar levels, blood pressure, foot checks, smoking history, etc.

If you do not wish this information to be passed to the programme then you should let the DESP staff know when confirming/attending your appointment for screening.

This will not prevent you from being screened but does mean staff are less able to assess your case as carefully.

B4 Where does the DESP get my information from?

To ensure every diabetic patient receives eye screening, the DESP will routinely receive data from GPs. The information may be provided to us via the GP2DRS IT system.

GP2DRS is a system for automating the sharing of patient information between general practices and local diabetic eye screening programmes. GPs are responsible for referring eligible patients with diabetes for diabetic eye screening, by communicating each patient’s contact details to their local programme.

GP2DRS uses the General Practice Extraction Service (GPES) provided by NHS Digital to obtain the information of eligible patients from computer systems used by GPs. You can learn more about this service from the primary NHS privacy notice in respect of the national DESP programme.

If you do not want your GP to provide information about you to your local diabetic eye screening programme you should contact your GP to opt out of the service.

B5 Who are we?

The DESP service is provided by Medical Imaging (UK) Limited and MIDRSS Limited (T/A NEC Care). We are committed to protecting and respecting your privacy. We are contracted by the NHS in the UK and HSE in Ireland to deliver the DESP programme.

B6 Who will see information about me?

As part of delivering the DESP programme we may need from time to time to share elements of your personal data with certain entities, including:

Administration Team – Those involved in making, changing and booking your appointments.

Screening Team/ Local Optometrists contracted by the DESP – Those who carry out the screening process including putting in the eye drops, checking vision, taking your history, taking photographs of your eyes and grading the photographs. Staff involved in your screening are employed by an NHS body or an NHS partner company commissioned to provide services. All those involved in your diabetic eye screening follow the same NHS standards of confidentiality.

Your General Practitioner – Your results and screening information will be sent to your GP.

Local Hospital’s Eye Department – If your case is referred to the hospital for further assessment the information about you will be forwarded to the hospital so that those who will be looking after your case have as much information about your history as possible.

Software Suppliers – Occasionally problems may occur in the software used by the programme. Normally the software supplier will not need to see information that is identifiable. However, it may become necessary to supply basic information to ensure that the correct information is maintained by the programme securely. All NHS software providers are bound by requirements of confidentiality.

Clinical Auditors – In order to make sure the DESP operates effectively it is assessed by those involved in national quality assurance. They may require access to your data.

Incoming Suppliers – If there is a change in diabetic eye screening provider, patient data will be shared between the incoming and outgoing providers so that service can continue to run. This is done under the supervision of NHS England and the HSE in Ireland using a standard data sharing agreement. No data is shared without direction from NHS England or the HSE.

Service Providers – To a contractor appointed by us to deliver elements of the DESP service on our behalf (and under our control), for example, a third party contracted to send out notifications that your next appointment is due. Any access we might grant to a contractor will be limited to such information as is required for them to deliver the relevant service (and will be subject to a contract which includes appropriate obligations of confidence and compliance with applicable law).

B7 How is my information used?

We will use the personal data which we hold about you in order to deliver services under the DESP programme to you.

During your screening, you may be asked to provide consent for us to use your data for research purposes. We periodically undertake clinical research studies to improve the quality of the service we provide within NEC Care or with carefully selected partners. Examples may include research on predicting the risk of developing diabetic eye disease and using image recognition to improve the quality of the grading of your retinal images. The quality of care we provide you will not be affected if you do not agree to research.

In addition, efforts will be made nationally by the NHS or HSE to carry out research using fully anonymised data to try to identify as precisely as possible how best diabetes should be managed in the long term.

B8 Basis on which we process your personal data

We may rely on a range of legal grounds in accordance with the applicable privacy laws in order to ensure that our use of your personal data is lawful, including:

  • where it is necessary for us to deliver healthcare services to you;
  • where it is in our legitimate interests to do so (provided this is not overridden by considerations regarding your rights and interests), such as:
      o delivering the DESP service;
      o sharing your personal data with service providers in order to deliver any element of the Service;
      o managing the Service, updating your records, contacting you about the Service (where appropriate);
      o performing and/or testing the performance of our products, services and internal processes;
      o following guidance and recommended best practice of government and regulatory bodies;
      o managing and auditing our business operations;
      o monitoring and keeping records of our communications with you;
  • to comply with our legal obligations; and/or
  • with your (explicit) consent.

B9 How and where we store your personal data

We use strict procedures and security features designed to prevent any unauthorised or unlawful access to the personal data which we control.

Personal data which we hold in relation to you will be stored securely at our UK and Republic of Ireland offices and (where relevant) at the offices of third party agencies, service providers, representatives and agents. We may also hold your personal data in secure data centres located within the UK or European Economic Area (EEA).

We will retain a record of your personal data in accordance with relevant law and the following criteria:

  • in accordance with the terms of the contract(s) under which we are commissioned to deliver the DESP programme; and/or
  • in line with any legal and regulatory requirements or guidance in respect of retention periods.

B10 Your Rights

You have a number of important legal rights regarding the manner in which personal data relating to you is used. You can find more information about your rights on the Supervisory Authorities’ website.

We have outlined below the key rights which we believe may be relevant to your use of the screening service and your interactions with the DESP.

If you would like to exercise any of these rights then please contact us. Please note that you may be asked to provide us with reasonable proof of your identity so that we can be sure that we are discussing or providing your personal data with, or to, you (or if someone is making a request on your behalf, we need to check that they have the authority to do so).

Access to information

You have the right to access certain information we hold about you so that you can be aware of, and verify the lawfulness of, the processing we undertake.

You can exercise your right of access by making what is generally referred to as a ‘subject access request’.

We will review each request which we receive and if we agree that we are obliged to provide personal data to you then we will (subject to certain limited exceptions provided under the relevant law) amongst other things: (i) describe it to you; (ii) tell you why we are holding it; (iii) tell you who it could be disclosed to; and (iv) let you have a copy of it (this may include providing an electronic copy).

Right to have information corrected

If you identify that any personal data that we hold about you is wrong, inaccurate or out of date then you may ask us to correct or update it. Please contact us via the details provided below and we will review each request and respond accordingly.

Right to stop or limit our processing of your personal data

This is also known as the ‘right to be forgotten’. You have the right to require us to stop or to limit any processing we are undertaking in respect of your personal data if we no longer have a valid reason to do so or if we have held it for too long.

This is not an absolute right but every request we receive will be considered carefully and we will respond accordingly (providing grounds for any decision we make).

Right to withdraw consent

You are free to withdraw any consent which you have given to us in relation to our use of your personal data at any time. Please note that not all uses which we make of your personal data require your consent.

Right to complain

If you are unhappy about the way in which we have processed your personal data then you have a right to raise the issue or to lodge a complaint with the relevant supervisory authority.