Privacy Notice

About us and what we do

Optimum Patient Care Limited or OPC is a not-for-profit social enterprise that provides quality improvement programmes to support GP practices, healthcare providers and commissioners to improve patient care. Over the last 15 years, we have supported more than 800 GP practices across England, Scotland, Wales and Northern Ireland with quality improvement in respiratory care. For more information about our services and the work we do with GP practices, please see our Quality Improvement Programme.

OPC also supports GP practices and researchers to conduct research in primary care. This includes observational research, which is where only anonymised data is used without patients taking part; and clinical research where patients are invited by their GP practice or doctor to take part in a study. We have supported 13 clinical research projects in general practice, including novel cluster randomised trials.

Our research database, the Optimum Patient Care Research Database (OPCRD), is approved by the NHS Health Research Authority Research Ethics Committee (REC reference: 20/EM/0148) to provide anonymised patient data for ethically approved scientific, exploratory and public health research. All research requiring the use of anonymised data from OPCRD must receive prior independent research ethics approval from the Anonymised Data Ethics and Protocol Transparency committee (ADEPT). The funds we get from OPCRD research is vital for us to continue providing quality improvement services at no cost (free) to GP practices across the UK. To read more about publications from research using data provided by OPCRD, please see our recent publications.

Why we have this privacy notice

This privacy notice tells you how OPC collects, processes, stores, uses or shares personal data when you contact us, use our website or use one of our services. Personal data is information that relates to an identified or identifiable individual.

In order to provide good quality services, OPC needs to collect and process personal data from service users, employees and contractors, suppliers, businesses and collaborators. OPC takes the privacy of individuals extremely seriously. We comply with the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 (DPA) when handling personal data.

We may update this privacy notice at our discretion from to time when our data handling practices change. Any update to this notice will be applied to the handling of personal data as of that update date.

For information on how we handle de-identified data (this data is not personal data) relating to our quality improvement programmes and research support services, please visit our Data Protection and Transparency page.

Who we collect personal data from

We may collect personal data from individuals when they use or request a service with us, complete a survey, questionnaire or enrolment form, apply for employment with us, or communicate with us by email, telephone, in writing or in person.

We may also collect personal data about individuals when they provide or supply a service to us. This information is necessary to manage the relationship and work wo do with the supplier or service provider, such as contact details, contracting information, invoicing or payment details.

We may collect personal data from the public domain if permitted by law, for example, from registration and regulatory bodies.

What personal data we collect and why

The types of personal data we collect will vary depending on relationship between the OPC and the individual or the organisation. These include personal data collected from phone and email contact, from our website, from our social media, from images and photos, and from our events and educational activities.

We collect only the information that we need for a particular function, and only hold it for as long as it remains necessary for the purposes for which it was collected. We only use or disclose personal data for the purposes for which the individual gave it to us for, or for directly related purposes the individual would expect, or other purposes if agreed with the individual.

Personal data collected from phone and email contact

We may collect personal data when individuals contact our services by phone or email. We use this information for administrating our services and to correspond with service users. We never disclose this information without the individual’s consent.

Personal data collected on our website

We collect personal data when individuals visit our website, complete forms or questionnaires on our website, apply for employment with us via our website, or provide contact details through our website. We use this information to respond to the user’s enquiry, or to provide a requested service or to make improvements to our website.

When a user visits our website, our web server may request that the user’s browser create a cookie on the user’s computer. A cookie is a small piece of information sent by the server of a website to the user’s browser by other sites. We use cookies to measure how individuals use our website to help us make website updates and improvements.

Our website cookies do not contain personal information about users. However, cookies can identify a user’s browser. The cookies transferred by our website are used for such things as capturing information about a user’s web browser, controlling a pop-up window or enabling login access to password protected areas of the website. The cookies have an expiration date set 24 months from the most recent website visit date.

We use a third-party service, Google Analytics, to collect information regarding visitor activity to the website. This is not used to identify the user as an individual but is collated into aggregate results or classifications. We do not make attempt, to find out the identities of the visitors to our website.

If users do not wish to receive any cookies, they may set their browser to refuse or disable them. When you visit our website, you will be notified that we use cookies and asked if you agree to this or choose to decline. Please note that some features of our website may not work if cookies are disabled.

OPC does not allow advertising or marketing on its website.

Personal data collected on our social media

We use a number of social media platforms, including Facebook, Twitter and LinkedIn to update and inform our service users and the public. Comments posted on our social media are open to the public. We may collect personal data from social media posts that are uploaded to these platforms.

If users post or upload content to our social media platforms, they should be aware information is also collected by the company operating the social media platform, for example Facebook, Twitter or LinkedIn. The user should refer to the privacy policy of that social media company for information on how it collects, uses and discloses personal data.

Personal data from our events and educational activities

We collect personal data from individuals invited to, attending or participating in events and educational activities supported by OPC. We use this information to organise and run the events, and to support individuals attending or participating in the events.

In some cases, information on the education or participation activity status of individuals may be disclosed to relevant institutions or accreditation bodies for the purpose of certifying completion or participation or for recording continuing professional development points such as CPD points.

Personal data from our clinical research

Any personal data of patients taking part in clinical research studies or trials supported by OPC is collected or processed with the patient’s informed consent at their GP practice. OPC does not hold personal data for patients who take part in our clinical research. If you have questions about the use of your personal data in a clinical research study or trial, please contact your GP practice who will hold records about your involvement.

Personal data from images and photos

We will seek individual’s consent prior to taking a photo or image, or using it. In some cases that consent may be implied, such as the taking of photos at events to be used in publications.

If the photo or image contains sensitive information about a person e.g. information relating to their health, we will obtain the individual’s consent to take the photo or image and specify what it will be used for. This consent should be informed and freely given by the individual whose photo or image is to be shared. Individuals may withdraw their consent at any time. If this occurs, we will take all reasonable steps to stop using the image or photo from the time the consent is withdrawn.

How we use personal data

We may use personal data to:

  • respond to enquiries from individuals, service users and suppliers;
  • conduct evaluations of our products, materials, programs and services;
  • assist service users in conducting or participating in our quality improvement programmes and education workshops;
  • assist service users in conducting or participating in OPC-supported research;
  • invite individuals to complete questionnaires for health quality improvement;
  • invite individual to participate in research or to inform individual of educational programs;
  • provide and promote educational activities, events and conferences;
  • contact individuals for feedback on products, materials, programs and services; and
  • assist us to perform our corporate, regulatory and contractual obligations.

How we disclose or share personal data

Personal data that we hold is only shared or disclosed in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). We will disclose personal data if we are required to do so by law, by court order, government department or to prevent fraud or other crime.

We do not disclose personal data to third parties for marketing purposes. We do not sell personal data or confidential information to third parties.

We do not disclose any personal data collected in the UK to overseas entities. Personal data we collect is only stored in the European Economic Area (EEA).

We may disclose personal data to contractors to whom we outsource certain functions, or which provide services to us. We take all reasonable measures with contractors to ensure they comply with the law on data protection. Contractors must not to disclose any personal data or confidential information without prior approval in writing from us, unless they are required to disclose the information by law, court order, or to prevent fraud or crime.

We may disclose personal data to relevant institutions or accreditation bodies for the purpose of certifying completion or participation or for recording continuing professional development points, when individuals participate in our educational activities.

We may disclose personal data to data linkage authorities for linking data from different healthcare data sources, where this is approved by the relevant research ethics committee.

How we store personal data

OPC is committed to ensuring that any personal data we hold is as safe as possible, both while it is processed and when it is stored.  We store the personal data we collect on secure databases, electronic and hard copy files. Personal data is only stored in the UK and within the European Economic Area (EEA) in line with data protection laws.

We have archiving policies and procedures for the secure, permanent destruction of personal data when it is no longer required.

Please note that we hold de-identified patient data we receive from GP practices receiving services from us is stored in the OPC Quality Improvement Database and the OPC Research Database (OPCRD). The de-identified data stored in these databases is not personal data.

How long we keep personal data

We retain the personal data we collect for as long as needed to continue to meet the purposes for which the information is collected. We will delete personal data in line with our records retention policy or as required by law. Please note that non-identifiable data contributed for research purpose e.g. OPCRD data, is not personal data and is held indefinitely for research purposes.

How we protect and secure personal data

OPC takes preserving and protecting a person’s identity and personal data very seriously and it is a key responsibility of all our staff, contractors and partners. We have technical and organisational procedures in place to prevent unauthorised access or disclosure of personal data we hold.

We also make sure that any contractors and third parties we deal with have an obligation to keep secure all personal data they process on our behalf.

The steps we take to keep the personal data we hold secure include:

  • Regularly assessing the risk of misuse, loss, interference, modification, unauthorised access or disclosure of personal data.
  • Putting measures in place to address the above risks including robust information technology security, data encryption, restricted user access, and data security and protection policies.
  • Regularly ensuring that our staff and contractors only access personal data when needed.
  • Ensuring our staff and contractors are regularly trained on data protection at least annually.
  • Conducting regular internal audits to assess compliance with these measures and the GDPR/DPA.
  • Undertaking and complying with the NHS Data Security and Protection Toolkit (ref: 8HR5) assessment annually. This assessment ensures we comply with the National Data Guardian’s Data Security Standards.

Your data rights under the GDPR and DPA

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) provide every individual with data rights.

You have a right to:

  • request information about how your personal data is processed
  • request access to your personal data
  • request for any inaccurate information in your personal data to be corrected
  • request that your personal data is erased, if there is no longer a justification to keep it
  • ask for the processing of your personal data to be restricted in certain circumstances
  • request to receive a copy of your personal data in a structured, commonly used and machine-readable format if you provided the information to us yourself
  • raise an objection about how your personal data is processed
  • object to your personal data being used for automated decision-making or profiling. (Please note that OPC does not use personal data for any automated decision-making or profiling).

If you have any of the above requests, please contact our Data Protection Office using contact information provided on this page. Please note that we are only able to help you exercise your data rights if we hold your personal data.

If you have questions about the use of your personal data in a clinical research study or trial, please contact your GP practice who will hold records about your involvement.

Your right to opt-out of data sharing

You have the right to opt-out of the sharing of your de-identified medical data (this is data which you cannot be identified from) by your GP practice with OPC. Opting-out of sharing your de-identified medical data will not affect the direct care that you receive.

If you do not wish for your de-identified medical data to be collected, processed or used for any purpose including research and healthcare planning, please contact and inform your GP practice. Individuals in England can also opt-out of data sharing through the National Data Opt-out policy.

Contact us

If you have any questions or feedback about this privacy notice or if you have any complaints about how we handle personal data, please contact our Data Protection Office by email, phone or post using the details below:

OPC Data Protection Office


Phone: 01223 967 855

Post:      Optimum Patient Care, 5 Coles Lane, Cambridge CB24 3BA

If you wish to make a complaint to the Information Commissioner’s Office (ICO) or to request independent advice, the ICO can be contacted at:

Information Commissioner’s Office


Tel:         0303 123 1113

Post:      Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

[Notice last updated 12 March 2020]