Privacy Notice

At the Duncan and Todd Group, we are committed to providing you with high-quality service and we take data protection very seriously. We respect your and your children’s privacy and are committed to protecting your and their Personal Data. This Privacy Policy will inform you as to how we look after your and their Personal Data when you visit our website (regardless of where you visit it from), as well as when you engage with us as one of our patients, and will tell you about your and their privacy rights and how the law protects you and your children.

1. Who We Are

Duncan and Todd (Group) Limited (collectively referred to as “Duncan and Todd”, “we”, “us”, “our” in this Privacy Notice) is one of Scotland’s leading optical and hearing care providers operating from multiple sites, with our registered address being Unit 4 Kirkhill Commercial Park Dyce Avenue, Dyce, Aberdeen, Scotland, AB21 0LQ. Duncan & Todd Limited is the legal entity which owns many opticians operating both under its own name and other trading names, including Douglas Dickie; J M Macdonald Opticians; Browns Opticians; James Hughes Opticians and Hearing Care; and Smart Employee Eyecare (SEE).

For the purposes of data protection law, we act as the Data Controller in relation to the personal data we process and are registered with the Information Commissioner's Office as Data Controller registration number Z8311243.

2. Your Privacy

This policy provides detailed information on when and why we collect your personal information, how we use it and the very limited conditions under which we may disclose it to others.

Your privacy matters to us and we are committed to the highest data privacy standards, patient confidentiality and adherence to the Data Protection Act 2018 and UK GDPR. We adopt the six core principles of data protection.

3. Collection of Your Personal Data

Where you provide personal data to us, we will become responsible for it as the data controller. We will only collect data that is necessary for us to deliver the best possible service and ensure that you are reminded about appointments or information relevant to your ongoing care.

We collect your personal information directly from you, for example, when you visit our practice; get in touch with us by telephone or email; use our booking system; enter a competition, promotion or survey; provide us with a review of our products or services; raise a query, complain or provide other feedback; or when you visit our website.

As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies, server logs and other similar technologies. Please see our cookie policy [LINK] for further details.

We may also collect your personal data from other sources if it is legal to do so. This includes from the NHS or other healthcare providers; institutions or people you have authorised to provide information on your behalf, for example, parents or guardians; third-party service providers; government, tax or law-enforcement agencies; and others.
 

4. Main Categories and Type of Personal Data Collected and Processed

Processing Activity: Optical service and products        

Personal Data Required/Held: Name, date of birth, telephone numbers, address and email. Current and past health and medication information, family history, your examination results (including images), and lifestyle information. Data received from other healthcare professionals as part of your ongoing care

Retention Time: 10 years after last contact or until age 25, whichever is later          

Reason to hold Data: Contract – in order to provide the service or products you have requested. Where health data is processed, we do so for the provision of healthcare.

 

Processing Activity: Hearing care service and products         

Personal Data Required/Held: Name, date of birth, telephone numbers, address and email. Current and past health and medication information, family history, your examination results, and lifestyle information. Data received from other healthcare professionals as part of your ongoing care

Retention Time: 10 years after last contact or until age 25, whichever is later        

Reason to hold Data: Contract – in order to provide the service or products you have requested. Where health data is processed, we do so for the provision of healthcare.

 

Processing Activity: Reminders         

Personal Data Required/Held: Name, email address, address, telephone numbers

Retention Time: 10 years after last contact or until age 25, whichever is later, or until asked to stop by you

Reason to hold Data: Contract – appointment reminders are sent in order to provide the ongoing service

 

Processing Activity: Marketing         

Personal Data Required/Held: Name, email address, address, telephone number, marketing and communication preferences

Retention Time: Until asked to stop by you or until consent withdrawn by you 

Reason to hold Data: Legitimate interests – we will provide information which we believe is of genuine interest to you.

Consent – you have given consent to receive information about products or services that are of interest to you 

 

Processing Activity: Credit/Debit card payments 

Personal Data Required/Held: Cardholder name, card number, security number

Retention Time: Duration of the transaction 

Reason to hold Data: Contract – you have agreed to provide these details to pay for the service or products ordered

 

Processing Activity: CCTV footage

Personal Data Required/Held: Images

Retention Time: 30 days

Reason to hold Data: Legitimate interests – Prevention and detection of crime.  Protection of our colleagues and visitors. Investigation of accidents, incidents, criminal activities and breaches of our policies.

 

Processing Activity: Collection of online identifiers for analytical purposes (Cookies)

Personal Data Required/Held: Cookie information, IP address, Device ID, Session ID, Interaction history, Website feedback

Retention Time: See Cookie Policy

Reason to hold Data: Consent – Ensuring visitors get the best experience.

5. Sharing of Personal Data

We share your personal data within our group of companies.

During the delivery of our service to you, we will share your data with other companies who are essential for the provision of our service to you. They are under contract with us and have provided sufficient guarantees that they will process your data only as per the terms of that contract and that, throughout processing activities, they will ensure your data is protected using appropriate technical and organisational measures.

Where necessary we may disclose your information to health care professionals including the NHS where we have a duty of care or to fulfil our legal obligations. We are compliant with the national data opt-out. For more details and to opt out see: https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/

It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.

We may also pass information to external agencies and organisations, including the police, for the prevention and detection of fraud and criminal activity. Should any claim be made, we may pass your personal information to our insurers and, if our business is wholly or partially transferred to a third party, your personal information may be one of the transferred assets.

Our operations are based in the UK, and your personal information is generally processed within the UK and countries within the European Economic Area (EEA). In some instances, we may transfer your personal information to third countries, for example, where our suppliers or cloud service providers are situated outside the UK and EEA. 

If the recipient is situated in a third country that has not received an adequacy decision from the relevant regulator, we will ensure additional safeguards are in place, including the use of applicable standard contractual clauses.

A full list of processors is available from our Data Protection Officer.
 

6. Securing and Processing your Personal Data

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality. Personal Data which we collect is stored mainly within our Patient Management System provided by Optix Business Software Limited. They hold ISO 27001 (Information Security Management) Accreditation, and as part of our own due diligence, our Data Protection Officer has reviewed data security processes in place with them.

Your data is also stored within our own IT systems, which are secured using passwords and multi-factor authorisation to prevent access or intrusion by anyone who is not authorised to have access to your data. Our practices are operated to ensure that all records and equipment holding your personal data are physically protected.

In the unlikely event that we lose your data, or a device on which your data resides, or it is accessed by someone unauthorised, we will inform you if the loss or unauthorised access of your data has the potential to cause you harm. We will notify the Information Commissioner's Office (ICO) of any reportable data breaches.

7. Your rights in relation to personal data

Under UK data protection law, you have the following rights, which you can exercise by emailing our Data Protection Officer.

Right to be Informed: This means that we have to be transparent in how we collect and use your personal data.

Right of Access: You have the right to access your personal data.

Right to Rectification: If the information we hold about you is inaccurate or incomplete, you can request that we correct this.

Right to Erasure: You can request that we delete or remove personal data in certain circumstances.

Right to Restrict Processing: You have the right to request that we cease processing your data if you consider it inaccurate or incomplete and/or you object to the reason we're processing your data. We will review the validity of your request and respond to you with our decision.

Right to Data Portability: Where you have consented to our processing your data or where the processing is necessary for us to deliver a contract, you can request a copy of that data be provided to a third party.

Right to Object: You have the right to object to our processing in certain circumstances and an absolute right to object to direct marketing.

Rights relating to Automated Decision-Making including Profiling: We do not use automated decision-making or profiling.

8. Changes to this Privacy Notice

We keep this Privacy Notice under regular review. This version was last updated on 23 September 2025.
 

9. Contact Us

For all data protection matters or questions relating to how we manage your data, or if you are concerned about how your data is being handled, you can contact our Data Protection Officer:

Clinical DPO.

Phone: 0203 411 2848

Email: DuncanandToddDPO@clinicaldpo.com

For complaints, please include the following where possible:

  • Your name and contact information,
  • A description of your concern or the data protection issue,
  • Any relevant supporting information.

Complaints will be acknowledged within 30 days, and we aim to respond fully and resolve the matter without undue delay. If your issue requires more time or clarification, we will keep you informed throughout.

If you are dissatisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO):

Website: https://ico.org.uk/make-a-complaint/

Phone: 0303 123 1113

Address: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF