On 25th May 2018, a new set of European-wide data regulations (GDPR) comes into force, which will strictly regulate the way in which personal data is processed. To carry out our business and provide services, we need to collect personal information about the people we work with and employ. We are committed to being transparent about the data we collect, how it is used and with whom it is shared.
What information we collect
The people we collect information about are called data subjects. Data subjects could be customers, employees, suppliers and other business contacts. The information we collect will vary by data subject sector, but can include name, address, email address, date of birth, confidential information and sensitive information.
In addition, we may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law. No matter how it is collected, recorded and used (e.g. on a computer or other digital media, on hardcopy, paper or images) this personal information is dealt with securely.
The lawful and proper treatment of personal information by Mangar Health is extremely important to the success of our business and to maintain the trust of our customers, suppliers and employees.
Protecting your data
It is important that you and your data are protected. To ensure this happens, Mangar Health will:
- Comply with data protection law and follow good practice
- Protect the rights of staff, customers and suppliers
- Be open about how it stores and processes data
- Protect itself from the risk of a data breach.
In line with GDPR principles, and the lawful, fair and transparent processing of data, we will:
- Collect data for specified, explicit and legitimate purposes only;
- Only collect information which is adequate, relevant and limited to what is necessary;
- Ensure data is accurate and up to date, with every reasonable step taken to ensure inaccurate personal data is erased or rectified;
- Not keep data longer than necessary;
- Process data in a manner that ensures appropriate security.
This policy applies to:
- All customers – past, present and prospective
- All contractors, suppliers and other people working on behalf of Mangar Health
- The head office of Mangar Health
- All branches of Mangar Health
- All staff of Mangar Health
What is personal data?
GDPR’s definition of “personal data” covers any data that can be used to identify a living individual. It applies to all data that the company holds, and can include but is not limited to:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Credit information
- Financial information
- Sales figures
- Key performance indicators
- Controlled documents
- Usernames and passwords
GDPR also has a category called ‘sensitive information’, which includes the following:
- Racial or ethnic origin;
- Political opinions;
- Religious or other similar beliefs;
- Membership of trade unions;
- Physical or mental health or condition;
- Sexual life; and
- Convictions, proceedings and criminal acts.
Mangar Health will need to collect sensitive information from employees and this is explained in the employee handbook.
Customers making an application for VAT exemption will also be asked to declare sensitive information; this is a legal requirement.
All sensitive and personal information will be stored securely and is accessible to the data subject as detailed in the policy below.
Keeping you informed
Mangar Health aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
Mangar Health and its employees have responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. All staff handling data participate in annual training to ensure they are GDPR compliant and act responsibly.
Key areas of responsibility:
- The board of directors is ultimately responsible for ensuring that Mangar Health meets its legal obligations.
- A responsible Director has been appointed and is responsible for:
- Keeping the board updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- A data protection officer has been appointed and is responsible for:
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from staff and anyone else covered by this policy.
- Dealing with requests from individuals to see the data Mangar Health holds about them (also called ‘subject access requests’).
- Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
- Carrying out annual audits and testing of procedures.
- The IT Manager is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services the company is considering using to store or process data, for instance cloud computing services.
- The Marketing Director is responsible for:
- Ensuring all marketing initiatives and direct marketing campaigns are GDPR compliant
- Approving any data protection statements attached to online platforms and emails.
- Addressing any data protection queries from journalists or media outlets like newspapers.
How we store our data
Data is either stored digitally or on paper.
When data is stored on paper, it is kept securely in a locked drawer or cabinet, where unauthorised people cannot access it. Data printouts are shredded and disposed of securely when no longer required.
When data is stored electronically, it is protected from unauthorised access, accidental deletion and malicious hacking attempts, through:
- Password protected files
- Storage on designated drives and servers, with uploads to an approved cloud computing service.
- Servers containing sensitive data are sited in a secure location, away from general office space.
- Data is backed up daily and tested regularly, in line with the company’s standard backup procedures.
- Data is never saved directly to laptops or other mobile devices like tablets or smart phones.
- All servers and computers containing data are protected by approved security software and a firewall.
Guidelines for staff
When working with personal data, employees follow these compliance guidelines:
- Screens of their computers are always locked when left unattended
- Data is not to be shared informally
- Data is encrypted before being transferred electronically.
- Personal data should never be transferred outside of the European Economic Area
- Employees should not save copies of data to their own computers. Always access and update the central copy of any data, to which the data protection officer and the IT manager have access.
The law requires Mangar Health to take reasonable steps to ensure data is kept accurate and up to date.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data is held on:
- Sage Accounting System
- Sage CRM system
- Pure 360 Enews portal
- Staff will take every opportunity to ensure data is updated as requested.
- Mangar Health will make it easy for data subjects to update the information Mangar Health holds about them.
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
What are your rights?
All individuals who are the subject of personal data held by Mangar Health are entitled to:
- Ask what information the company holds about them and why
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed how the company is meeting its data protection obligations.
The data subject has the right to access the information held by Mangar Health and will be provided with the information, on request, within 1 calendar month unless the request is complex, in which case timescales may be extended by a further 2 months. The request will be dealt with by the data protection officer. Exceptions include:
- Personal data of third parties which is not reasonable to disclose without consent
- Health and social care records where disclosure would be likely to cause serious harm to physical and mental health.
- Disclosure to other organisations without consent such as police, courts and solicitors, where not doing so would prejudice purposes for which it is required.
Subject access requests from individuals should be made by email, addressed to the data controller at firstname.lastname@example.org. The data controller can supply a standard request form, although individuals do not have to use this. The data controller will always verify the identity of anyone making a subject access request before handing over any information.
Data subjects may obtain rectification of inaccurate or incomplete personal data. If the data has been disclosed to a third party, the rectification will be passed on as soon as possible.
Erasure/Right to be forgotten
- The data subject has the right to have personal data erased and to prevent processing.
- Data controllers must erase on request without undue delay where, e.g., the personal data is no longer necessary for its purposes (and no new lawful purpose exists), or the data subject withdraws consent and there are no other grounds to process.
- The data subject objects to processing and there are no overriding grounds for continuing. This does not apply where processing is necessary for:
- the performance of a public interest task or exercise of official authority
- the exercise or defence of legal claims
- The data subject may object to processing based on performance of a task in the public interest / exercise of official authority.
- Mangar Health will stop processing unless:
- it can demonstrate compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms; or
- the processing is for the establishment, exercise or defence of legal claims.
Third party disclosure
Your information will not be passed to third parties unless contractually or legally required to do so. If your data is passed to a third party, you will be notified in advance.
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Mangar Health will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
What happens if you want to complain?
You have the right to escalate a complaint to the Information Commissioner’s Office (ICO): www.ico.org.uk
Data Protection Risks
This policy helps to protect Mangar Health from very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals/companies should be free to choose how the company uses data relating to them.
- Reputation damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
If any loss, theft or compromise of data is identified, Mangar Health will implement its Information Security Incident Management Procedure. The appropriate authorities will be informed, including the Information Commissioner’s Office (ICO), and the data subjects affected will be notified within 48 working hours of the breach.
Tel: 0800 2800 485
GDPR0001 Issue 1