Data Protection and Confidentiality for Optical Support Staff

Protecting patient information, privacy and records in everyday optical practice

Personal data, health data and need-to-know access

Personal data is any information about an identified or identifiable living person. Optical practices hold personal data on patients, customers, staff, carers, contractors and sometimes family members.

Health information is a special category of personal data under UK law and requires additional protection. In optical practice this typically includes eye-health records, prescriptions, symptoms, referral details, test results, images, measurements and notes that indicate a person’s health status.

Common optical examples

  • Identifiers: name, address, phone number, email, date of birth, NHS number, patient ID and signature.
  • Appointment information: appointment type, date, clinic, recall status, missed appointments and booking notes.
  • Optical records: prescriptions, visual acuity, eye-health notes, dispensing records, measurements and contact-lens details.
  • Images and scans: OCT images, fundus photographs, device outputs and clinical photographs.
  • Financial and retail information: orders, payments, eligibility checks, vouchers, refunds and debt notes.
  • Staff information: rota details, sickness information, HR notes, training records and incident reports.

The need-to-know test

Before accessing, discussing or sharing information, ask: Do I need this for a genuine work purpose right now? Curiosity, convenience, personal concern or gossip are not valid reasons to open a record or pass on information.

Apply the minimum-necessary principle. If a task only requires a name and appointment time, do not reveal a diagnosis, prescription, referral reason or scan result.

Scenario

A receptionist notices a neighbour has booked an urgent appointment. They open the record to see why, thinking, "I am only checking because I am worried about them."

Why is this inappropriate?

 

Need to know is the everyday test. If you do not need the information for your current work task, do not open it, repeat it or share it.
