Indigo Hair & Beauty

Multi-award winning Hair and Beauty Salon in Leith, Edinburgh

Confidentiality and Data Protection

DATA PROTECTION POLICY

Definitions
Business – means Indigo Hair & Beauty Ltd, registered number SC481467.
GDPR – means the General Data Protection Regulation.
Responsible Person – means the Salon manager.
Register of Systems – means a register of all systems or contexts in which personal data is processed by Indigo Hair & Beauty.

  1. Data protection principles
    The Business is committed to processing data in accordance with its responsibilities under the GDPR.

    Article 5 of the GDPR requires that personal data shall be:

    a. processed lawfully, fairly and in a transparent manner in relation to individuals;
    b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
    c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
    e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
    f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  2. General provisions
    a. This policy applies to all personal data processed by the business.
    b. The Responsible Person shall take responsibility for the business's ongoing compliance with this policy.
    c. This policy shall be reviewed at least annually.
    d. The business shall register with the Information Commissioner’s Office as an organisation that processes personal data.
  3. Lawful, fair and transparent processing
    a. To ensure its processing of data is lawful, fair and transparent, the business shall maintain a Register of Systems.
    b. The Register of Systems shall be reviewed at least annually.
    c. Individuals have the right to access their personal data and any such requests made to the business shall be dealt with in a timely manner.
  4. Lawful purposes
    a. All data processed by the business must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
    b. The business shall note the appropriate lawful basis in the Register of Systems.
    c. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
    d. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the business’ systems.
  5. Data minimisation
    a. The business shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  6. Accuracy
    a. The business shall take reasonable steps to ensure personal data is accurate.
    b. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
  7. Archiving / removal
    a. To ensure that personal data is kept for no longer than necessary, the business shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
    b. The archiving policy shall consider what data should/must be retained, for how long, and why.
  8. Security
    a. The business shall ensure that personal data is stored securely using modern software that is kept up to date.
    b. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
    c. When personal data is deleted this should be done safely such that the data is irrecoverable.
    d. Appropriate back-up and disaster recovery solutions shall be in place.
  9. Breach
    In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the business shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report the breach to the Information Commissioner’s Office (ICO).

CONFIDENTIALITY POLICY

1. AIMS & OBJECTIVES

Employees and personnel of Indigo Hair & Beauty have a duty of maintaining the confidentiality of information received by them in the course of their employment or engagement.

This Confidentiality Policy documents the confidentiality and non-disclosure duties and obligations of the employees and personnel of Indigo Hair & Beauty.

The employees and personnel of Indigo Hair & Beauty will, in the course of their employment and engagement, become aware of and possess information of Indigo Hair & Beauty or of third parties disclosed to Indigo Hair & Beauty that is not generally known.

This may include information which, if disclosed, could jeopardise the interests of Indigo Hair & Beauty. It may also include commercial trade secrets, disclosure of which could harm the interests of Indigo Hair & Beauty.

All employees and personnel of Indigo Hair & Beauty have a duty to keep such information strictly confidential and to use it only for proper purposes in accordance with the law.

2. PURPOSE

The purpose of this Confidentiality Policy is to lay down the principles that must be observed by all who work with Indigo Hair & Beauty and have access to confidential information.

This policy, where relevant, should be read in conjunction with the appointment letter and/or employment contract applicable to L&T Group employees and personnel, and other work rules, policies and procedures applicable to L&T Group employees and personnel.

3. CONFIDENTIAL INFORMATION

Confidential information includes any information which is not publicly known. It can concern technology, business, finance, transaction or other affairs of a company. It includes information which is commercially valuable such as trade secrets or business information, as well as personal information.

Examples of confidential information include, but are not limited to: any document, discovery, invention, improvement, patent specification, formulations, plans, ideas, books, accounts, data, reports, drafts of documents of all kinds, correspondence, client information, lists and files, decisions, information about employees, strategies, drawings, recommendations, designs, office precedents, policies and procedures, and budget and financial information in any form, i.e. physical, electronic, electromagnetic or otherwise.

Confidential information to do with unpublished inventions can be particularly sensitive. Disclosure of an invention before a patent application is filed will cause irreversible loss of intellectual property rights to the owner of the invention. Even after a patent application is filed, care must be taken not to disclose improvements to the invention. Trade secret protection will also be lost through open disclosure of the secret.

4. PRINCIPLES

L&T Group expects all of its employees and personnel to handle all confidential information in a sensitive and professional manner. L&T Group employees and personnel are under an obligation not to gain access or attempt to gain access to information which they are not authorised to have. The L&T Group, however, recognises the importance of an open culture with clear communication and accountability. The L&T Group wishes to maintain personal and organisational safety and expects all employees and personnel to handle confidential information in a way which protects organisational security.

The purpose of confidentiality is essentially twofold. Firstly, it protects sensitive or confidential information of the L&T Group and its clients and customers. Secondly, in order for the L&T Group to be effective, L&T Group employees and personnel must be able to share information and knowledge, and therefore confidentiality is necessary as a condition of trust.

The best protection against breaches in confidentiality is to keep the number of employees and personnel who have access to sensitive information to a necessary minimum.

Intentional, repeated, accidental, or unauthorised disclosure of any confidential information by any member of staff will be subject to disciplinary action. Any such disciplinary action will take account of the confidential and possibly sensitive nature of the information and will make sure that, in dealing with it, no further breaches of confidentiality take place.

5. MAINTENANCE OF CONFIDENTIALITY & NON-DISCLOSURE

L&T Group employees and personnel:

  • must keep confidential all confidential information;
  • may use confidential information solely for the purposes of performing their duties as an employee of the L&T Group; and
  • may only disclose confidential information to persons who are aware that the confidential information must be kept confidential and who have a need to know (but only to the extent that each person has a need to know).

The employee’s and personnel’s obligation of maintaining confidentiality and non-disclosure does not extend to confidential information that is required to be disclosed by the employee pursuant to an order of a Court or any statutory authority. The employee or person will promptly notify the Company of any such requirement to enable the Company to take necessary action as deemed fit by the Company in the circumstances.

At the end of the period of employment, L&T Group employees and personnel must return to the L&T Group:

  • all confidential information in material form;
  • those parts of all notes and other records, in whatsoever form, based on or incorporating confidential information;
  • all copies of confidential information and notes and other records based on or incorporating confidential information; and
  • all L&T Group property and assets in the possession or control of the L&T Group employee or personnel.

The obligation of maintaining confidentiality and non-disclosure will continue even after the end of the period of employment or engagement in respect of all confidential information.

Any employee found to be in breach of this confidentiality and non-disclosure obligation whilst employed by the L&T Group will be disciplined and, in serious instances, dismissed. Any ex-employee found to be in breach of this confidentiality obligation may be subject to legal action being taken against them, dependent upon the circumstances of the breach, including cancellation / withdrawal of any or all benefits extended to the ex-employee by the Company.

This policy will operate in conjunction with the contract of employment or letter of appointment for L&T Group employees and personnel.

6. NEED TO KNOW

Confidential information is only to be disclosed on a “need to know” basis, that is, only when the information is necessary for the employee to perform his or her employment duties effectively.

7. CIRCUMSTANCES IN WHICH INFORMATION CAN BE DISCLOSED

  • With the written consent of his/her reporting superior of not lower than Tier 4 and for a particular purpose.
  • If the information is required by or under a Court order or by a statutory authority. The employee or person will promptly notify the Company of any such requirement to enable the Company to take necessary action as deemed fit by the Company in the circumstances.
  • Where disclosure can be justified for any other purpose. This is usually for the protection of the public and is likely to be in relation to the prevention and detection of serious crime. A request for information by the police must be carefully considered.

The L&T Group employee must be able to justify any decision when information has been disclosed.

8. STORAGE OF DATA

No written document containing confidential information must be left visible where it can be read by anyone. This includes telephone messages, computer printouts, letters and other documents. All hardware containing confidential information must be housed in a secure environment. Security precautions must be taken in accordance with the L&T Group Policy and Procedures.

9. THE MEDIA

Confidential information must not be passed on to members of the press or other media without the written consent of his/her reporting superior of not lower than Tier 4 and for a particular purpose. All requests from the media must be dealt with under the L&T Group’s procedure for handling media queries.

10. DISPOSAL OF INFORMATION

All media containing confidential information must be disposed of in a manner that ensures the information is not disclosed to an unauthorised person.