Privacy Policy

Introduction

This privacy policy applies to the private ophthalmic services provided by Mr Chris Schulz, Consultant Ophthalmic Surgeon, through Oculitic Ltd. It explains how your personal information is collected and used, and sets out your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

I take confidentiality and information governance seriously and am committed to handling your information lawfully, fairly and securely.

Who is responsible for your information

Oculitic Ltd is the data controller for the personal information held about you in connection with my private practice. As Director and the treating clinician, I am responsible for data protection within the company and am your named point of contact.

  • Data controller: Oculitic Ltd
  • Registered address: MMO, Wellesley House, 204 London Road, Waterlooville, Hampshire, PO7 7AN
  • Named contact: Mr Christopher B. Schulz, Consultant Ophthalmic Surgeon
  • Email: info@mrchrisschulz.com
  • ICO registration reference: ZC142675 (registered 8 May 2026)

You can contact me at the email address above for any question about how your information is used or to exercise any of your rights.

What personal information I collect

When you contact me, attend a consultation or receive treatment, I may collect:

  • Identification information such as your full name, date of birth, gender, address and contact details
  • Health information including your medical and ophthalmic history, examination findings, investigation results, photographs and scans of your eyes and surrounding tissues, diagnoses, treatments, prescriptions and operation notes
  • Family and social history where relevant to your eye condition or surgical planning
  • GP details and the names of any other clinicians involved in your care
  • Insurance details including your insurer, policy or membership number and authorisation reference where you are using private medical insurance
  • Payment information for self-funded consultations and procedures
  • Correspondence between you and me, including emails, letters and notes of telephone calls

Information about your health is special category data under UK GDPR and receives additional legal protection.

Where I collect your information from

I may receive information about you from:

  • You directly, when you complete forms, contact me or attend consultations
  • Your GP or referring clinician, by way of a referral letter
  • Your optometrist or other healthcare professionals involved in your care
  • The hospital or clinic where I see you (currently Queen Alexandra Hospital, Southwick Hill Road, Portsmouth)
  • Your medical insurer (for example Aviva, Alliance Healthcare or Vitality), when arranging or settling claims
  • Imaging providers, laboratories and other diagnostic services
  • Previous or concurrent treating clinicians, with your consent

I use your information to provide you with safe and effective medical care and to run my practice. Under UK GDPR I need a lawful basis for processing personal information, and a further condition for processing health information.

For clinical purposes my lawful basis is:

  • Article 6(1)(b) UK GDPR: processing necessary for performance of a contract (the contract for medical services between us), and
  • Article 9(2)(h) UK GDPR: processing necessary for the provision of health care and treatment and the management of health care services, supported by Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018.

For administrative and business purposes my lawful basis is:

  • Article 6(1)(f) UK GDPR: my legitimate interests in running a professional medical practice, where these are not overridden by your rights
  • Article 6(1)(c) UK GDPR: compliance with a legal obligation, for example statutory reporting duties or court orders

I use your information specifically to:

  • Assess, diagnose and treat your condition
  • Communicate with you about appointments, results and treatment plans
  • Write to your GP, referring clinician and other healthcare professionals involved in your care
  • Arrange investigations, scans and surgery
  • Submit invoices to you or your insurer and manage payment
  • Maintain accurate clinical records
  • Respond to complaints, regulatory enquiries and legal claims
  • Meet my professional obligations to the General Medical Council, the Care Quality Commission and other regulators
  • Audit and improve the quality of the care I provide

I also owe you a separate common law duty of confidentiality, which applies alongside data protection law.

Who I share your information with

I share your information only where necessary and on a strict need-to-know basis. The recipients may include:

  • Your GP. Unless you specifically ask me not to, I will write to your GP after each consultation and at significant points in your care. Keeping your GP informed is good clinical practice and supports continuity of care. You can ask me to limit or stop these letters at any time.
  • The clinician who referred you, where applicable, to keep them informed of the outcome of the referral
  • Other clinicians involved in your treatment, for example anaesthetists, radiologists, pathologists, oncologists, optometrists and allied health professionals
  • The hospital or clinic where you are treated (currently Queen Alexandra Hospital, Portsmouth), which holds its own records and acts as a separate or joint controller for those records
  • Your medical insurer (such as Aviva, Alliance Healthcare or Vitality), where you are using insurance to fund your treatment, for pre-authorisation, claims handling and audit
  • My medical secretary and practice administrators, who handle correspondence, appointments and billing on my behalf under a duty of confidentiality
  • My medical indemnity provider (currently the Medical Defence Union), where I need to seek advice or where a complaint or claim arises
  • My accountant and any professional advisors, on a confidential basis and only to the extent necessary
  • IT and software providers who host my electronic patient records, appointment system, telephony and email, under written contracts that require them to keep your information secure and to process it only on my instructions
  • Regulators and public authorities such as the General Medical Council, the Care Quality Commission, the police, the courts, the coroner or HM Revenue and Customs, where I am legally required to disclose information
  • Public health authorities where there is a statutory duty to report a notifiable condition

Where another organisation acts as a joint or independent controller (such as a hospital where you are treated, or your insurer), they have their own privacy policy which applies alongside this one.

I do not sell your information. I do not share your information for marketing purposes.

International transfers

Your information is stored in the United Kingdom wherever possible. If any of my IT providers transfer your information outside the UK, this will only be to countries that the UK government has decided provide an adequate level of protection, or under appropriate safeguards such as the UK International Data Transfer Agreement or Standard Contractual Clauses recognised by the Information Commissioner’s Office.

How long I keep your information

I keep medical records in line with the NHS Records Management Code of Practice and the recommendations of my medical indemnity provider:

  • Adult records: for a minimum of 8 years after the conclusion of your treatment
  • Records of children and young people: until your 25th birthday, or 26th birthday if you were 17 when treatment ended, or for 8 years after death if you die before that age
  • Records relating to a serious mental illness or to maternity care: for the longer periods recommended in the Code of Practice
  • Records subject to a complaint, claim or legal proceedings: for as long as needed to deal with the matter, and until any limitation period has expired

I keep financial records for at least 7 years to comply with HMRC requirements.

After these periods I securely destroy paper records and delete electronic records.

How I keep your information secure

I take the security of your information seriously. Measures I have in place include:

  • Encrypted storage of electronic records
  • Password-protected systems with multi-factor authentication where available
  • Encrypted email and secure file transfer for clinical correspondence
  • Written contracts with all IT providers and processors requiring them to keep your information secure and to process it only on my instructions
  • Confidentiality training for staff who handle patient information
  • Locked storage for any paper records, with disposal by a registered confidential waste service

No system is completely secure and I cannot guarantee the security of information transmitted to me over the internet, but I take reasonable steps to protect it and to notify you and the ICO of any breach affecting your information where the law requires.

Your rights

Under UK GDPR you have the following rights in relation to your personal information:

  • Right of access: to ask for a copy of the personal information I hold about you, including your medical records
  • Right to rectification: to ask me to correct information that is inaccurate or incomplete
  • Right to erasure: to ask me to delete information in certain circumstances. This right is limited for clinical records, which I am required to retain for the periods set out above
  • Right to restrict processing: to ask me to limit how I use your information in certain circumstances
  • Right to object: to object to processing carried out on the basis of my legitimate interests
  • Right to data portability: to receive certain information you have provided to me in a structured, commonly used and machine-readable format
  • Right to withdraw consent: where I rely on your consent, you can withdraw it at any time. This will not affect the lawfulness of processing carried out before withdrawal, nor will it affect processing carried out under another lawful basis

To exercise any of these rights please contact me at info@mrchrisschulz.com. I will respond within one month. I may need to verify your identity before responding. There is no charge for most requests, but I may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive.

Right to complain

If you are unhappy with how I have handled your information, please contact me in the first instance so I have the opportunity to put things right.

You also have the right to complain to the Information Commissioner’s Office:

  • Website: https://ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Cookies and this website

This section covers mrchrisschulz.com only. It does not change how clinical records from consultations are handled, which is described in the sections above.

Enquiries through the website

If you use the enquiry form on the Contact page, I collect only what you choose to send:

  • Name — so I can address you correctly
  • Email address — so I can reply
  • Phone number (optional) — only if you would prefer a call back
  • Reason for enquiry — to direct your message appropriately
  • Your message — the substance of your enquiry

Please do not send clinical details, medical history or other sensitive health information through the form. If your query is clinical, I will arrange a secure way to continue the conversation.

The lawful basis for processing this information is Article 6(1)(f) UK GDPR — my legitimate interest in responding to an enquiry you have chosen to send.

When you submit the form, your message is checked for automated spam by Cloudflare Turnstile (which may process your IP address and limited browser metadata; it does not see the contents of your message), passed through a function hosted by Netlify, and delivered by email via Resend to info@mrchrisschulz.com. I do not store enquiries in a separate database on the website. The email is kept in the practice mailbox for as long as needed to respond and keep a record of correspondence, typically up to 24 months, unless it becomes part of a clinical record held under the retention rules above.

Cookies and similar technologies

I do not use Google Analytics, advertising cookies or any similar profiling or behavioural-advertising tools on this website.

The only third-party scripts that may set or use cookies or similar storage are:

  • Cloudflare Turnstile — loaded on the contact form to reduce spam. It does not set advertising or profiling cookies.
  • Netlify Identity — loaded for staff sign-in to the content editor at /admin only. It is not used for visitors browsing the public site.

Our hosts (Netlify and Cloudflare) keep short-lived technical access logs — including IP address, browser type and pages requested — for routine security and reliability. These are managed by those providers under their own privacy terms.

Personal information sent through the enquiry form may be processed outside the United Kingdom because Netlify, Cloudflare and Resend operate global infrastructure. Each provider uses safeguards permitted under UK GDPR, such as Standard Contractual Clauses or equivalent transfer mechanisms.

You can block or delete cookies through your browser settings. Because I do not use optional marketing or analytics cookies on the public site, there is no separate cookie preference centre to manage.

Children

My practice provides care for patients of all ages including children. Where the patient is under 13, I rely on a parent or person with parental responsibility to provide information on the child’s behalf. I do not knowingly collect information from children through my website.

Changes to this policy

I review this policy regularly and may update it from time to time. If I make material changes I will draw them to your attention through my website or by contacting you directly where appropriate. The current version is dated below.

Contact

For any question about this policy or how your information is used, please contact me at info@mrchrisschulz.com.


Last updated: 28 May 2026
