Search the guidance

Make your search more specific...

Guidance areas


As well as searching, you can browse the Guidance.

Data Protection Act 2018 and EU General Data Protection Regulation

As a practitioner, your organisation may be the record holder, but you have responsibilities under the Data Protection Act 2018 (DPA 2018) and the EU General Data Protection Regulations (GDPR). The Optical Confederation has issued guidance on the DPA 2018 and the GDPR (see useful information and links). You should be familiar with the act and GDPR. For optometrists, key points are:
  1. keeping accurate patient data
  2. using the data for specific purposes
  3. amending inaccurate data and responding to objections from patients if the use of the data causes harm or distress
  4. keeping the data no longer than necessary. Suggested lengths of time for retaining records:

     Type of record

    Recommended period of retention

    adult patients  10 years after they were last seen, even if the patient has subsequently died.
    children and young people

    10 years after they were last seen or until the patient’s 25th birthday, if later. 
    If the child or young person has died, keep the records for 10 years after they were last seen.

  5. keeping the data confidential and secure. See section on Confidentiality.
  6. enabling patients, or an applicant acting on behalf of a patient, to access their data for the length of time that you keep the records. The applicant has a right to see the data, either because they have written authority from the patient or because they have Power of Attorney. Access to the record must be given within the time limit set out in the act and the GDPR requires that, if a patient asks for a copy of their record, this must be provided free of charge in most instances
  7. helping the patient to understand their record by explaining its content and abbreviations
  8. satisfying yourself that there is no further need of the record before destroying it
  9. disposing of any records securely
  10. noting that, if you, or your organisation, acquire a patient record, the obligations under the Data Protection Act and GDPR transfer to you as the new owner.
Most organisations that process personal information are required by law to register with the Information Commissioner. Some organisations are exempt from this.17


17   Information Commissioner’s Office. Data Protection Fee. [Accessed 1 Nov 2023]