
Compliance Guide

How SightSync meets GDPR, PECR, ICO, and GOC requirements — and what your practice needs to do.

Regulatory landscape

AI recall calls for UK optical practices sit at the intersection of three regulatory frameworks (PECR, UK GDPR and the GOC Standards), with the ICO as the data protection regulator. SightSync is designed to handle the platform obligations automatically, but your practice also has responsibilities as the data controller.

PECR

Privacy and Electronic Communications Regulations 2003

Governs automated telephone calls. Requires prior consent or existing customer relationship, mandatory disclosure, and instant opt-out.

GDPR / UK GDPR

UK General Data Protection Regulation

Governs how patient personal data is collected, stored, processed, and deleted. Practice is data controller; SightSync is data processor.

GOC

General Optical Council Standards

GOC Standards of Practice require practices to contact at-risk patients (diabetic, glaucoma suspects) for recalls. AI-assisted recall supports this duty.

ICO

Information Commissioner's Office

Regulatory authority for data protection. Practices should be registered with ICO. SightSync helps with the technical safeguards — ICO registration is the practice's responsibility.

PECR compliance

PECR (Privacy and Electronic Communications Regulations) is the primary regulation governing automated telephone calls. SightSync is purpose-built to comply.

Existing relationship required

You may only use SightSync to call patients who have previously attended your practice. Cold outreach to patients who have never visited you is not permitted under PECR.

Automated disclosure in first sentence

Every call opens with the AI identifying itself as automated — before any clinical message. This is a hard requirement under PECR. The disclosure cannot be removed or moved.

Immediate opt-out

Patients can press 0 at any moment during the call to opt out permanently. The AI ends the call immediately. The patient is never called again.

TPS screening

All numbers are automatically checked against the Telephone Preference Service (TPS) before any campaign. TPS-registered numbers are excluded without exception.

OFCOM calling hours

Calls are only made between 9am–6pm, Monday–Friday (UK time), in compliance with OFCOM guidelines on unsolicited calls. Calls never go out on bank holidays or weekends.
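The calling-window check above sounds simple, but the part that goes wrong in practice is the timezone: queue timestamps are usually stored in UTC, and during British Summer Time a 17:30 UTC timestamp is 18:30 in London. The following is an added example (not SightSync's own scheduler) of a gate that converts to Europe/London before applying the 9am–6pm, Monday–Friday rule and a bank-holiday list; the bank-holiday dates are a constructed sample and a real system would load the current list from GOV.UK.

```python
from datetime import date, datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

LONDON = ZoneInfo("Europe/London")
WINDOW_START = time(9, 0)   # calls may start from 09:00 London time
WINDOW_END = time(18, 0)    # and must not start at or after 18:00

# Constructed sample of England & Wales bank holidays (2024/25). A real
# scheduler should load the current list from GOV.UK rather than hard-code it.
BANK_HOLIDAYS = {
    date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 1),
    date(2025, 4, 18), date(2025, 4, 21), date(2025, 5, 5), date(2025, 5, 26),
    date(2025, 8, 25), date(2025, 12, 25), date(2025, 12, 26),
}


def utc(y, m, d, hh=0, mm=0):
    """Build a UTC-aware datetime, which is how a queue timestamp usually arrives."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


def is_callable_time(when: datetime, bank_holidays=BANK_HOLIDAYS) -> bool:
    """True if `when` is 09:00-18:00, Mon-Fri, London time, and not a bank holiday.

    The conversion to Europe/London is the step that gets forgotten: during BST a
    17:30 UTC timestamp is 18:30 local and must be rejected.
    """
    if when.tzinfo is None:
        raise ValueError("naive datetime: pass a timezone-aware value")
    local = when.astimezone(LONDON)
    if local.weekday() >= 5:               # Saturday=5, Sunday=6
        return False
    if local.date() in bank_holidays:
        return False
    return WINDOW_START <= local.time() < WINDOW_END


def next_call_slot(when: datetime, bank_holidays=BANK_HOLIDAYS) -> datetime:
    """Return `when` if it is callable, otherwise the next 09:00 London opening."""
    local = when.astimezone(LONDON)
    for _ in range(60):  # bounded search; no UK holiday run is anywhere near 60 days
        if is_callable_time(local, bank_holidays):
            return local
        same_day_ok = local.weekday() < 5 and local.date() not in bank_holidays
        if local.time() < WINDOW_START and same_day_ok:
            local = local.replace(hour=9, minute=0, second=0, microsecond=0)
        else:
            # aware + timedelta advances the wall clock; ZoneInfo recomputes the offset
            local = (local + timedelta(days=1)).replace(hour=9, minute=0, second=0, microsecond=0)
    raise RuntimeError("no calling window found within 60 days")
```

`next_call_slot` is what a retry scheduler should call: a voicemail left at 17:55 on a Friday before Easter must not be retried until the Tuesday after Easter Monday, and the function walks forward day by day rather than adding a fixed offset.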

Practice obligation: You should inform patients at their eye examination that they may receive an automated AI recall call in future. This can be done verbally at check-out or via your patient registration form. We recommend adding a line to your privacy notice on your website.

GDPR / UK GDPR

Under UK GDPR, your practice is the data controller and SightSync is the data processor. This means SightSync only processes patient data on your documented instructions, and your practice retains full ownership and responsibility for that data.

Your lawful basis for processing patient data for recall is:

Legitimate Interests (Article 6(1)(f)): recall of existing patients for clinical eye care is a legitimate interest that is unlikely to be overridden by the patient's own interests or rights, particularly for high-risk categories (diabetic, glaucoma). Record the balancing test (a Legitimate Interests Assessment) so you can show it to the ICO if asked.

Alternatively: Legal Obligation (Article 6(1)(c)) for clinically at-risk patients where GOC Standards of Practice require follow-up.

Note that a patient's risk category is health data, a special category under Article 9, so you need an Article 9 condition in addition to the Article 6 basis; Article 9(2)(h) (processing necessary for the provision of health care) is the usual one for clinical recall.

Data minimisation: SightSync only requires first name, last name, and phone number. Risk category and last test date are optional but improve call quality. Do not upload NHS numbers, addresses, or clinical records unless specifically needed.

Data Processing Agreement: By using SightSync, you enter into a DPA with New Vantage Co Ltd. The DPA is available on request and covers sub-processors (telephony providers, cloud infrastructure), data transfer safeguards, and incident notification timelines.

  • Patient data is encrypted at rest and in transit
  • Access to patient data is restricted to your practice account only (multi-tenant isolation)
  • SightSync does not use your patient data for any purpose other than providing the service to you
  • Patient data is not sold, shared, or used for training AI models

GOC alignment

The GOC Standards of Practice (2016, updated 2023) place a duty on registrants to follow up at-risk patients who are overdue for clinical review. SightSync's clinical recall scripts are aligned to GOC recall guidance for each risk category.

Risk Category       Recall Interval          GOC Reference
Diabetic            Annual (12 months)       NHS Diabetic Eye Screening Programme
Glaucoma Suspect    Annual or as directed    NICE NG81 (which replaced CG85) / GOC Standards
Myopia (Child)      6–12 months              GOC Myopia Management Guidance
Standard Adult      2 years                  NHS GOS / GOC Standards

Scripts for each group include the clinical reason for the recall in the first sentence — this aligns with GOC guidance that patients should understand why they are being contacted.

Patient opt-out

Opt-out is immediate, permanent, and available through four independent channels:

1. Tell the AI to stop calling

If a patient says they don't want to be called, asks to be removed, or uses any opt-out phrase ("stop calling", "remove me", "opt out"), the AI ends the call. Their record is permanently marked opted-out and no further calls are ever made.

2. Reply STOP to any SMS or WhatsApp message

Any STOP reply to an SMS or WhatsApp message from SightSync triggers an immediate permanent opt-out. The patient is excluded from all future campaigns and messages.

3. Personal opt-out link

Every confirmation and fallback message includes a unique, signed opt-out link. Clicking it takes the patient to a simple web page. No login, no form — one click and it's done. The link expires after 90 days but the opt-out is permanent.
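A "unique, signed" link with a 90-day expiry is, in practice, an HMAC over a small payload (practice, patient, expiry) that the server verifies before acting. The following is an added example, not SightSync's code, showing the pattern and the two properties the page promises: a link that cannot be forged for another patient without the server key, and an opt-out that stays in force after the link itself has expired. The signing key, the `/opt-out/<token>` URL shape and the field names are assumptions for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumption: in production the key comes from a secrets manager; this demo key is constructed.
SIGNING_KEY = b"demo-key-do-not-use-in-production"
LINK_TTL_SECONDS = 90 * 24 * 3600   # links expire after 90 days; the opt-out itself never does


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_opt_out_token(practice_id: str, patient_id: str, issued_at: int,
                       key: bytes = SIGNING_KEY) -> str:
    """Return '<payload>.<sig>' for embedding in https://.../opt-out/<token> (URL shape assumed)."""
    payload = json.dumps(
        {"prac": practice_id, "pt": patient_id, "exp": issued_at + LINK_TTL_SECONDS},
        separators=(",", ":"), sort_keys=True,
    ).encode("utf-8")
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_opt_out_token(token: str, now: int, key: bytes = SIGNING_KEY):
    """Return ('ok', claims), ('expired', claims) or ('invalid', None).

    The signature is checked before the payload is parsed or the expiry is read, so
    unsigned input never reaches the JSON parser and a patient id cannot be swapped
    without the key.
    """
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return "invalid", None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return "invalid", None
    claims = json.loads(payload)
    if claims["exp"] < now:
        return "expired", claims
    return "ok", claims


class OptOutStore:
    """Permanent opt-out flags keyed by (practice, patient); redeeming a link only adds flags."""

    def __init__(self):
        self._flags = set()

    def redeem(self, token: str, now: int) -> str:
        status, claims = verify_opt_out_token(token, now)
        if status == "ok":
            self._flags.add((claims["prac"], claims["pt"]))
        return status

    def is_opted_out(self, practice_id: str, patient_id: str) -> bool:
        return (practice_id, patient_id) in self._flags
```

Two design points worth keeping when adapting this: the token carries no name or phone number, so a leaked link reveals only opaque identifiers, and an "expired" result is deliberately distinct from "invalid" so the landing page can tell a patient to use the staff channel instead of silently failing.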

4. Staff override

Any member of your team can mark a patient as opted-out from the patient list in your dashboard. Useful when a patient calls in to request no more contact.

Re-upload protection: Opted-out patients are permanently excluded from all future campaigns, even if they are included in a new CSV upload. The opt-out flag is stored against the phone number and is not overwritten by re-import.
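Both the TPS screening described under PECR compliance and the re-upload protection above are suppression lists keyed on the phone number, and both fail silently if "07700 900123", "+44 (0)7700 900123" and "00447700900123" are treated as three different numbers. The following is an added example, not SightSync's implementation, of a campaign filter that normalises every number to E.164 before consulting the TPS and opt-out lists, ignores any opt-out column in the uploaded CSV, and reports rows it cannot parse (the classic spreadsheet export that drops the leading 0) instead of guessing. The CSV column names, the TPS sample and the patient rows are constructed; 07700 900xxx is Ofcom's reserved drama range, so no real subscriber is affected.

```python
import csv
import io
import re


def normalise_uk_number(raw: str):
    """Return the E.164 form (+44...) of a UK number, or None if it cannot be parsed.

    Assumption: the practice only holds UK numbers. All common spellings must map
    to one key, otherwise a suppression entry against one spelling is missed.
    """
    s = re.sub(r"[^\d+]", "", raw or "")
    if s.startswith("+44"):
        s = s[3:]
    elif s.startswith("0044"):
        s = s[4:]
    elif s.startswith("44") and len(s) >= 12:   # '+' dropped by a spreadsheet export
        s = s[2:]
    elif s.startswith("0"):
        s = s[1:]
    else:
        return None                              # e.g. leading 0 lost: '7700900123'
    if s.startswith("0"):                        # the '(0)' trunk prefix written after +44
        s = s[1:]
    if not re.fullmatch(r"[1-9]\d{8,9}", s):
        return None
    return "+44" + s


class SuppressionList:
    """Numbers that must never be dialled: TPS registrations plus permanent opt-outs."""

    def __init__(self, tps_numbers):
        self.tps = {normalise_uk_number(n) for n in tps_numbers} - {None}
        self.opted_out = {}   # E.164 number -> (channel, timestamp)

    def record_opt_out(self, raw_number, channel, when):
        key = normalise_uk_number(raw_number)
        if key is None:
            raise ValueError(f"cannot normalise {raw_number!r}")
        self.opted_out.setdefault(key, (channel, when))   # first opt-out wins; imports never clear it

    def reason_to_skip(self, key):
        if key in self.opted_out:
            return "opted out via " + self.opted_out[key][0]
        if key in self.tps:
            return "TPS registered"
        return None


def plan_campaign(csv_text: str, suppression: SuppressionList):
    """Split an uploaded CSV into dial-able records and excluded rows with a reason.

    The CSV is trusted only for name, number and risk category; an opted_out column,
    if present, is ignored, so re-importing a list cannot revive an opted-out patient.
    """
    eligible, excluded = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = normalise_uk_number(row.get("phone", ""))
        label = f"{row.get('first_name', '')} {row.get('last_name', '')}".strip()
        if key is None:
            excluded[label] = "unparseable number: " + repr(row.get("phone", ""))
            continue
        reason = suppression.reason_to_skip(key)
        if reason:
            excluded[label] = reason
        else:
            eligible.append({"name": label, "phone": key, "risk": row.get("risk_category", "")})
    return eligible, excluded


# Constructed sample data; column names are an assumption for the demo.
TPS_SAMPLE = ["+44 7700 900124"]
UPLOAD_SAMPLE = """first_name,last_name,phone,risk_category,opted_out
Alice,Ahmed,07700 900123,diabetic,no
Bola,Brown,+44 (0)7700 900124,standard,no
Chen,Clark,00447700900125,glaucoma_suspect,no
Dev,Dhillon,7700 900126,standard,no
"""


def demo():
    sup = SuppressionList(TPS_SAMPLE)
    # Chen replied STOP last quarter; the new upload says opted_out=no and spells the number differently.
    sup.record_opt_out("07700900125", "sms", "2025-03-02T10:15:00Z")
    return plan_campaign(UPLOAD_SAMPLE, sup)
```

Note that the unparseable row is surfaced to staff rather than dropped: a missing leading 0 is the most common reason a patient never receives a recall, and silently skipping the row would look, in the audit trail, like a successful exclusion.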

Audit trail

Every patient interaction is logged with a full audit trail — meeting both GOC inspection requirements and ICO accountability obligations.

Each call record includes:

  • Patient identifier (name, phone number), risk category
  • Call timestamp, duration, and final outcome (Booked / Voicemail / No Answer / Opted Out / Failed)
  • Full call transcript — AI utterances and patient responses, turn by turn
  • Call recording (where technically available from the telephony provider)
  • AI-generated one-line summary of the outcome
  • Retry history — all attempts with timestamps
  • Opt-out events with channel (call / SMS STOP / link / staff) and timestamp
  • Booking confirmations — slot, time, calendar integration status, SMS sent confirmation

Data retention

Data type             Retention period
Call recordings       12 months from call date
Transcripts & logs    2 years (GOC audit)
Patient records       Duration of subscription + 90 days
Opt-out records       Indefinitely (legal obligation)

You can export the full audit log for any patient or date range as CSV from your dashboard at any time — useful for responding to Subject Access Requests (SARs) under UK GDPR.

Subject Access Requests

If a patient submits a SAR requesting their data, you can export their complete record from SightSync — including all calls, transcripts, and opt-out history — from the patient detail page.

Response time: UK GDPR requires SARs to be fulfilled within one calendar month. SightSync exports are available instantly. You do not need to contact SightSync support to fulfil a SAR.

Deletion requests: If a patient requests deletion of their data (right to erasure), you can delete their record from the patient list. This removes all associated data except opt-out records, which are retained as required by law to prevent re-contacting them.

Practice compliance checklist

Things your practice should have in place before running live campaigns:

  • ICO registration (data protection fee) completed; most organisations processing personal data must register, and the ICO publishes the exemptions if you think yours does not
  • Privacy notice on your website updated to mention AI recall calls
  • Patients informed at eye examination that they may receive an AI follow-up call
  • Your Data Processing Agreement with New Vantage Co Ltd signed (available on request)
  • Staff know they can mark patients as opted-out from the patient list if asked
  • Process in place to respond to SARs within one calendar month
Note: SightSync is not a substitute for legal advice. If you have specific questions about your practice's obligations, consult a solicitor familiar with UK healthcare data law or contact the ICO helpline.