Privacy Policy

We’re committed to protecting the privacy and security of your personal data, and we want you to feel assured about any information that you provide. This privacy policy notice explains how we use information that we collect about you and your rights in relation to processing that information.

It is essential that you read this notice, together with any other documents we may provide when we are collecting or processing personal information about you so that you are aware of how and why we are using such information.

“We/us/our” in our entire privacy policy below means Mr Vinod Gangwani FRCS, MRCOphth and/or any member of his team.

Personal Data

Personal data is data which relates to any living individual who can be identified from that data, or from that data and other information; such as an expression of opinion about the individual.

What is the GDPR?

The General Data Protection Regulation 2018 (GDPR) replaces the Data Protection Act 1998 (DPA) in governing how personal data is managed by a “controller” or “processor”.

In this respect, a data controller is a person (or business) who determines the way in which, personal data is processed. A data processor is anyone who processes personal data on behalf of the data controller (not including the data controller’s employees).

A “Data Subject” is a person whose data is being processed.

We act as both a controller and processor of personal data. This means that we are responsible for deciding how we hold and use personal information about you, whether you use our services directly or via a third-party.

GDPR Principles

Under the GDPR, the data protection principles set out the main responsibilities for organisations.

GDPR requires that personal data shall be:

Processed lawfully, fairly and in a transparent manner. Collected for specified, explicit and legitimate purposes. Adequate, relevant and limited to what is necessary. Accurate and, where necessary, kept up to date. Kept in a form which permits identification of data subjects for no longer than is necessary. Processed in a manner that ensures appropriate security of the personal data.

It also requires that the controller shall be responsible for, and be able to demonstrate, compliance with the principles.

The GDPR provides the following rights for individuals:

The right to be informed – we must provide details (such as those provided in this privacy notice) of how we processes information to the data subject. This information must be available at any time personal data is obtained.

The right of access – Data subjects have the right to know what information we have in relation to them. Data subjects then have the right to access this information.

The right to rectification – Data subjects have the right request we update inaccurate or incomplete information that is being processed or stored by us. We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can request for us to update or amend it.

The right to erasure – Data subjects have the right to request we delete any information that we have in relation to them. However, as a private healthcare practice, we also have a legal duty to retain medical records for a period of time in line with UK law and guidelines, or if other legal obligations bind us.

The right to restrict processing – Data subjects have the right to block or suppress us from processing their information. However, it may be necessary to keep your information in order to perform a task which is in the public interest or for the purposes of establishing, exercise or defending legal claims.

The right to data portability – Data subjects can request that we make their information available to move, copy or transfer personal data easily from one environment to another.

The right to object – Data subjects can object to processing their information for activities such as marketing.

Individuals also have rights in relation to automated decision making and profiling. However, we do not carry out this type of processing.

Our website is the trading name of Consultant Ophthalmologist, Mr Vinod Gangwani FRCS, MRCOphth

Business Correspondence Address:

Nuffield Health Woking Hospital
Shores Road
GU21 4BY

Call: 0203 573 6736 or 07909 751 285
Email: Please visit our contact page.

Any information collected or produced as part of these services will be managed in accordance with our information security policies and procedures.

We act as both controllers and processors of personal information.

As Controller

As controller, we process activities include arranging appointments between data subjects (patients) and clinicians (doctors, physiotherapists, occupational health practitioners, etc.) for the purposes of consultation, examination, treatment, diagnostic and/or medical management services.

In arranging an appointment, the legal basis for us processing personal data, such as a data subject’s name, contact details, date of birth, will be contractual. It will be an informal contract between the data subject and us with the understanding that we will provide a medical service in exchange for payment. The data subject or their representative will be advised of this arrangement at the time of booking, as well as their rights in relation to processing their information.

We may also request that you consent to us contacting you with information relating to your service or other services we provide.

As Processor

As processor, we process activities which include arranging appointments between third-party referrers acting on behalf of an individual data subject and us. Where data is collected from third-parties, there will be a contractual agreement between us and the third-party.

Information about an individual, that is likely to be of a sensitive or private nature and could be used in a discriminatory way, is described as sensitive personal information and identified as special category data. This type of information needs to be treated with greater care than other forms of personal data.

Sensitive personal information may include:

  • Racial or ethnic origin
  • Political opinion
  • Religious or other similar beliefs
  • A physical or mental health or condition
  • Sexual Orientation

When a data subject presents for an appointment, they will be required to provide, or a clinician may generate/obtain and document information that may contain sensitive or special category data, including information relating to a physical or mental health or condition.

Second Lawful basis for processing special category data

Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. When processing special category data, we must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9.

In accordance with GDPR Article 9, relating to special category information, the most appropriate lawful basis for us in processing this kind of data is that processing is: “Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.”

However, you may be asked to provide consent before or during an appointment where special category information may be obtained and/or processed.

Consent needs to be clear, concise, specific, granular, explicit, separate from other terms and conditions and will require the data subject to positively opt-in. Consent forms will be periodically and routinely reviewed and updated to ensure they remain relevant and applicable to the process for which it is required.

We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you, and we will explain the legal basis which allows us to do so.

Requirements for sharing special category data with third-parties

We may act as a processor of personal data but become a controller in obtaining special category data during an appointment. We may also be a controller and need to transfer information to a third-party where the third-party acts as a processor. In these instances:

Third-parties will be identified to the data subject prior to transfer of information. Consent may be required for us to share personal information with third-parties, irrespective of their original role. Third-parties will be required to have a contractual agreement with us. As part of this contract, third-parties will be required to demonstrate that they have attained a suitable level of information security and have met the standards set by GDPR in acting as a processor.

We will not routinely transfer information outside of the EU. However, upon request from the data subject, we may be required to do so. In this situation, we will again need to ensure that there are adequate safeguards in place and that the recipient has a suitable level of information security and meet the same standards set by GDPR.

We will collect personal data:

  • Indirect communications (such as website, telephone, letter or video) either with the data subject or a third-party controller.
  • When a data subject completes a consent form, contact form, template, questionnaire, survey or registration form, either directly from the data subject or via a third-party.
  • When a clinician completes a clinical record or report as part of a consultation/appointment.
  • As part of a third-party instruction or referral where we are the processor.
  • As part of a clinical record obtained from a third-party, such as a diagnostic test result, screen or clinical specialist/expert/consultant where we are the original controller and referrer.
  • As part of financial processing.


A “Cookie” is a small file that is requested by your internet browser (such as Edge, Chrome, Safari or Firefox) and stored on your computer or device. This cookie file contains various information about websites you have visited. This can include information such as your location, the type of device you are using etc.

However, in some instances, some personal data can also be stored, such as when you add items to a shopping cart or enter form information. We use analytics programs such as Google Analytics, which collects cookie information to provide us with statistical data about website visitors. Learn more through our cookie policy.

Stop Using Cookies

If you would like to stop using Cookies, please follow the appropriate link for your browser:

Google Chrome
Mozilla Firefox
Microsoft Edge
Apple Safari

We will need to obtain a minimal amount of personal data to:

  • Contact a data subject, provide details of an appointment.
  • When we need to make changes to an appointment.
  • Identify the data subject in relation to their own existing medical record(s).

The type of information includes:

  • Information that you provide when you enquire become a customer, patient or apply for a job.
  • Details of correspondence.
  • The name and contact details of your next of kin/parent/guardian.
  • Details of service or treatment you have received from us.
  • Notes, records or reports relating to your health and/or treatment you have received.
  • The information you provide when you make a payment, such as financial or credit card information. We Do not store credit/debit card information unless we have your consent.

Data subjects are permitted to arrange appointments anonymously. However, the data subject will need to provide identifiable details, which will need to be recounted in communications with us to provide a regular service, such as receiving results.

The minimum amount of personal data a data subject’s is required to provide is contact information, name and date of birth. However, as part of an appointment, a clinician may also need to obtain or create sensitive personal information about a data subject, which includes information relating to a physical or mental health condition. We may also refer to previous medical opinion (such as medical records). We may also request further investigations and/or opinion in the form of a diagnostic screen result or report from a clinical specialist/expert/consultant.

The amount of information required will vary depending on individual circumstances, symptoms or requirement. However, the personal data required will be proportional and relevant. For instance, we may require a complete family medical history from data subject’s undertaking a health assessment or we may need to know whether a data subject is pregnant prior to administering or prescribing medication.

Data subjects are not compelled to provide any information. However, if you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you or we may be prevented from complying with our legal obligations. Withholding or providing inaccurate information may also affect the ability of our clinicians to provide an effective and safe service.

The information we collect will be confidential and only ever be used for the purposes of undertaking or providing consultation, treatment, immunisation, examination, diagnostic and/or medical management services. As part of these services, we may require personal information to create appointments and to convey or record medical opinion.

We will not use or pass on personal data to market services that are unrelated to those that have been consented. However, with consent, we may use personal data to inform a data subject about a follow-up or related service.

Sensitive personal data will only be disclosed to those involved with your appointment, care, in accordance with UK laws and guidelines of professional bodies or for the purpose of clinical audits.

We may use your personal data to:

Full-fill our obligations to you in relation to a contractual agreement to provide a service, including financial obligations. Provide you with information about products or services that we provide. Notify you about a change to the service requested. Respond to a request. Ensure the accuracy of information we hold about you. Support a healthcare professional or clinician directly involved in your care. Assess the quality of service you have received.

Where is personal data stored?

Information is either stored as an electronic record, on a central database or as a hardcopy (paper record) at our main administration centre. Information may be processed externally on-site or at one of our clinic locations, so long as use abides to our information security and Remote Working policy. A secure back-up of information is also stored externally, by an accredited IT support provider.

Personal data, including special category data, may be stored temporarily as part of communications, such as email or in a hardcopy transferable format, such as a data disk or paper record.

With consent, we may share information with third-parties for further investigation and/or specialist opinion. Examples of third-parties include:

Clinical experts, specialists or consultants, screening centres or laboratories, solicitors or agencies where we are/were originally acting as processor and employers who refer to us for occupational health opinion.

Anonymised information may be made available to Healthcare Inspectorate Wales (HIW) or Care Quality Commission (CQC) as part of a healthcare inspection to ensure that we meet the requirements set by the government provide private healthcare services.

We may also need to make information available on the basis of necessity. For instance, in an emergency, we may need to process your personal data (including sensitive personal data) or make personal data available to third parties on the basis of protecting your “vital interest” (i.e. your life or your health).

Third Parties

In providing a service, we may disclose your personal data to third-parties, including:

Business partners, suppliers and sub-contractors for the performance of any contract we enter into with you. Organisations providing IT systems support and hosting in relation to the IT systems on which your information is stored. Third-party service providers for the purposes of storage of information and confidential destruction, third-party marketing companies for the purpose of sending marketing emails, subject to obtaining appropriate consent.

Where a third party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under Data Protection Laws.

Data subjects have the right to withdraw consent or request a copy/transferal/removal of certain information by requesting our Consent Removal form. However, as a healthcare provider, we may not be legally able to complete your request to restrict the processing or deletion of.

Data Retention

Type of patientMinimum period of retention
Patient who was under the age of 17 at the date on which the treatment to which the records refer was concluded.Until the patient’s 25th birthday
Patient who was aged 17 at the date on which the treatment to which the records refer was concluded.Until the patient’s 26th birthday
Patient who died before attaining the age of 18.A period of 8 years beginning on the date of patient’s death.
Patient who was treated for a mental disorder during the period to which the records refer.A period of 20 years beginning on the date of the last entry in the record.
Patient who was treated for a mental disorder during the period to which the records refer and who died whilst receiving that treatment.A period of 8 years beginning on the date of the patient’s death
Patient whose records relate to treatment by a general practitioner.A period of 10 years beginning on the date of the last entry in the record
All other casesA period of 8 years beginning on the date of the last entry in the record

Suspected breaches in data protection can be reported to our Data Protection officer Mr Vinod Gangwani FRCS, MRCOphth.

Breaches in Data Protections will result in us producing an incident investigation. Serious breaches will be reported to the Information Commissioner’s Office (ICO). You retain the right to report a breach to the ICO directly –

It’s our responsibility to ensure that any of our employees and contractors report suspected breaches of information security to our department heads, IT department, and/or Data Protection Officer without delay.

Changes to our Privacy Policy

This Privacy Policy will regularly be reviewed, and as a result, it may be amended without notice. We encourage you to review this Privacy Policy when you use our services.

This privacy policy was last updated on 22 May 2019.