Data Protection and Data Control Policy
Last Updated – 01/04/2019
Data Governance for Hairflair Designs is encapsulated within this process and procedure we have in place to manage and control the gathering, handling, storage and use of certain information about individuals. This includes our patients and clients, suppliers, business contacts and employees.
As a company this process and procedure manages all aspects of critical areas like patient and client confidentiality, the storage of personal details and personal information, the collection of sensitive commercial and banking information, the governance on how all information is stored and transmitted on computers and phones as well as the responsibilities our employees have.
This policy is briefed to all members of staff and in-house training is provided to ensure they understand the right data protection standards and compliance with the law.
This policy sets out below our approach and what (as a Company) we believe is very important.
Firstly, this policy is in place to enforce adherence and to meet the Company’s data protection standards and to comply with the law (Data Protection Act 1998) which outlines how a Company should store and process data and how it protects itself from a breach. This applies to all data that we hold relating to identifiable individuals. This includes names of individuals, patient/hospital information, postal addresses, e-mail addresses and telephone numbers.
Everyone who works for Hairflair Designs Ltd has some responsibility for ensuring data is collected, stored and handled appropriately, however the Director has key areas of responsibility:
- Is ultimately responsible for ensuring that Hairflair Designs meets its legal obligations.
- Reviews all data protection procedures and related policies, in line with an agreed schedule.
- Arranges data protection training and advice for the people covered by this policy.
- Handles data protection questions from staff and anyone else covered by this policy.
- Checks and approves any contracts or agreements with third parties that may handle the company’s sensitive data.
- From an IT perspective ensures all systems, services and equipment used for storing data meet acceptable security standards.
- Performs regular checks and scans to ensure security hardware and software is functioning properly.
- Ensures all historical data is archived correctly or destroyed once there is no requirement to retain the information. All archived information is held securely at the Hairflair Designs Premises.
We have defined general staff guidelines that ensure we do not run the risk of breaches:
- The only people able to access data covered by this policy are those who need it for their work.
- Data is not shared informally. When access to confidential information is required, employees request it from the Director.
- Employees keep all data secure, by taking sensible precautions. In particular strong passwords are used and they are never shared.
- Personal data is not disclosed to unauthorised people, either within the company or externally.
- Data is regularly reviewed and updated. If it is found to be out of date, if no longer required then it should be deleted and disposed of.
- When working with personal data, employees will ensure the screens of their computers are always locked when left unattended.
- Data is always encrypted and password protected before it is sent and any password is conveyed “off-line” / verbally with the receiver of the information. This information is never passed electronically. When sending periodic reports, invoicing the Trust and the like, all files will be encrypted and sensitive data hidden in line with any protocol agreed.
We have outlined the following clear rules around data storage and ensure the following is adhered to:
- When data is stored on paper, it is kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason.
- When not required, the paper or files are kept in a locked drawer or filing cabinet.
- Employees make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
- Data printouts will be shredded and disposed of securely when no longer required.
- When data is stored electronically, it is protected from unauthorised access, accidental deletion and malicious hacking attempts through the firewall and malware protections we have on our server.
- Data is always protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media (like a CD or DVD), these are kept locked away securely when not being used. This practice is seldom used and not encouraged.
- Data is only stored on designated drives and servers. Data is stored in controlled files or folders set-up for the business.
- Data is backed up frequently. Those backups are tested regularly, in line a standard backup procedure.•Data is never saved directly to laptops or other mobile devices like tablets or smart phones.
- Also we do not have any personal data stored or accessed via our Hairflair Designs server.
All servers and computers containing data are protected by approved security software and a firewall and our systems are managed by a Computer Consultant who regularly checks the integrity of our server, settings and our data store and manages our remote back up facility.
With respect to banking and sensitive commercial information, Hairflair Designs provides clients with the option of card payments and retains strict governance in the use of this information:
- Hairflair Designs uses a Worldpay mobile terminal and this is the principle means of taking electronic card or bank payments.
- The arrangement is governed by an annual compliance check and assurance process via Worldpay and in-line with the PCI DSS requirements.
- The use of the terminals is restricted to only several members of staff and they are trained on its use.
- The bulk of payments are done face to face with the customer and no card information is stored or retained after the transaction.
- Should transactions be undertaken over the phone (there and then), the payment is always taken verbally and we will ring the client to ensure a secure line. Should a receipt need to be sent then this will be posted recorded delivery and will never declare the full card details.
- With respect to BACS payments, information is never sent electronically (always verbally) and a confirmation of receipt is always processed via the bank (on completion).
Hairflair Designs recognises that data in certain circumstances may need to be declared to law enforcement agencies without the consent of the data subject. Under these circumstances, the Director only will disclose requested data, but will firstly ensure the request is legitimate and understand how the data is being used. In this instance it would inform the Clientif it was relevant to do so.