Data Protection
To deliver our service to you, we need to collect certain information.
We want to be clear and transparent about how we collect, store and use your information so you have a good understanding and so we comply with the law. This policy applies whether data is electronic, written or stored by any other means.
This data protection policy is to make sure we:
- Follow good practice.
- Protect the rights of clients, staff and partners.
- Are open about how we store and process data.
- Protect ourselves against data breaches.
This policy applies to:
- All our “staff” – Employees, contractors, suppliers, associates or volunteers associated with delivering our services.
We process some information to deliver our services. This information may include:
- Personal details (usually limited to name, email, phone number and workplace).
- Services provided to you by us.
We also process sensitive classes of information that may include:
- Physical or mental health details (This is to make sure we are aware of any health issues you may have – We want to make sure you are suitable to use our services and to mitigate any risks to you).
All individuals who have data held with us are entitled to:
- Ask what information we hold on them and why.
- Ask how to gain access to it.
- Be informed how the company is meeting its data protection obligations.
If any individual requests this information, this is called a subject access request. Any request should be made by email to [email protected]. We will aim to provide the relevant data within 14 days. We will always verify the identity of anyone making an access request before providing any information.
The “right to be forgotten” – You have the right to ask for all data concerning you to be erased.
Our guidelines:
- We will provide training for any relevant member of staff to make sure they understand their obligations when handling data.
- The only people able to access data should be those who need it for legitimate work purposes.
- Data will not be shared informally but on a “need to know” basis, and never shared with unauthorised people internally or outside of the company without explicit agreement of the persons involved.
- Data will be kept in as few places as possible – Staff should not create unnecessary additional data sets or files.
- All staff will keep digital data secure by using unique, strong passwords which are never shared. Systems will be locked when not in use. Paperwork will be kept securely where no unauthorised people can have access (e.g. locked drawer or filing cabinet), and only as long as necessary.
- Personal data will only be saved to computers that have been approved by the company.
- Data will be regularly reviewed and updated if it is found to be out of date. If found to be no longer relevant, it should be deleted and disposed of in a way that it cannot be retrieved again (e.g. deleting then formatting computer drives or shredding paperwork).
- Data should only be saved on designated local drives and servers, or designated cloud servers.
- All systems should be protected with appropriate security software, antivirus and firewalls.
Potential data breaches:
If we identify a potential breach, we have a duty of care to record it and identify its scope and, where appropriate, to report and notify it to the Information Commissioner's Office and to the data subject within 72 hours.
More detail – In practice the above means:
- We store all paper records at a single office location in a locked filing cabinet. Any documents to be disposed of are shredded by machine, bagged and disposed of to landfill.
- Our digital records are held in a cloud storage service which is encrypted at source (the provider cannot even access the files they store), plus usage is limited to our trusted, senior office staff, and only those who have “end-to-end encryption” keys on their approved machines.
- Our online booking system is provided by a leading third-party software booking provider. The account is password protected and access is limited to 2 members of staff in our office.
- Our booking calendar is provided as part of the Google Business Suite. Access is password protected with additional “two-factor authentication”. Access to the individual service calendars within the calendar is shared only with our trusted office staff (as administrators), the individual therapists that visit to deliver the service in question, and in some cases a nominated member of your company (as the “client” – usually your Human Resources or Wellbeing Team Manager). Access is revoked from any individual as and when their need for this data changes.
- Our booking confirmation emails are sent from the system to your email address – This will likely be your company server, or more infrequently your personal email account (Gmail, Outlook, Yahoo etc.). We highly recommend that you use unique, strong passwords plus two-factor authentication wherever available.
Our Process for Reporting a Data Breach
Any member of staff that identifies a potential data breach will inform the Boost Wellbeing – Hands on Health UK nominated Data Protection Officer.
We will assess the scope of the breach – E.g. access by an unauthorised third party, sending personal data to an incorrect recipient, computing devices containing personal data being lost or stolen, alteration of personal data without permission or loss of availability of personal data.
We will establish the likelihood and severity of the resulting risk to people’s rights and freedoms as a result of the breach. From this we will determine whether the breach is notifiable under GDPR regulations and whether it meets the threshold for informing the individual.
If notifiable, we will report the breach to the ICO without undue delay, and within 72 hours after becoming aware of it.
When reporting a notifiable breach to the ICO, we will provide:
- A description of the nature of the personal data breach including, where possible:
  - The categories and approximate number of individuals concerned; and
  - The categories and approximate number of personal data records concerned;
- The name and contact details of our data protection officer or other contact point where more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
When reporting a breach to an individual, we will describe, in clear and plain language, the nature of the personal data breach and provide, at least:
- The name and contact details of our data protection officer or another contact point where more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.