Data access & usage policy
Solaris Care ware 1.0
GDPR adapted policies
Data Protection measures:
The Company shall ensure that all its employees, agents, contractors, or other parties it works with comply with the following when working with personal data:
a) All emails containing personal data must be encrypted or password protected prior to issue;
b) Where any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. Hardcopies should be shredded, and electronic copies should be deleted securely.
c) Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;
d) Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
e) Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;
f) Where personal data is to be sent by facsimile transmission, the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
g) Where personal data is to be transferred in hard copy form, it should be passed directly to the recipient or sent using a tracked and recognised mail delivery service such as the Royal Mail;
h) No personal data may be shared informally, and if an employee, agent, sub-contractor, or other third party working on behalf of the company requires access to any personal data that they do not already have access to, such access should be formally requested from the office manager;
i) All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet or similar.
j) No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the company or not, without the authorisation of the office manager;
k) Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors or other parties at any time.
l) If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it;
m) No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of the office manager and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary;
n) No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the regulation (which may include demonstrating to the company that all suitable technical and organisational measures have been taken).
o) All personal data stored electronically should be backed up to the company’s main server with backups stored onsite and offsite.
p) All electronic copies of personal data should be stored securely using passwords and data encryption where this is considered necessary.
q) All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require passwords.
r) Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords.
s) Where personal data held by the company is used for marketing purposes, it shall be the responsibility of sales staff issuing such communications to ensure that no data subjects have added their details to any marketing preference databases including, but not limited to, the Telephone Preference Service, the Mail Preference Service, the Email Preference Service, and the Fax Preference Service. Such details should be checked at least every 6 months.
Organisational Measures - The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
a) All employees, agents, contractors, or other parties working on behalf of the company shall be made fully aware of both their individual responsibilities and the company’s responsibilities under the regulation and under this Policy, and shall be provided with a copy of this Policy.
b) Only employees, agents, sub-contractors, or other parties working on behalf of the company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the company;
c) All employees, agents, contractors, or other parties working on behalf of the company handling personal data will be appropriately vetted and trained to do so.
d) All employees, agents, contractors, or other parties working on behalf of the company handling personal data will be appropriately supervised.
e) Methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed;
f) The performance of those employees, agents, contractors, or other parties working on behalf of the company handling personal data shall be regularly evaluated and reviewed.
g) All employees, agents, contractors, or other parties working on behalf of the company handling personal data will be bound to do so in accordance with the principles of the regulation and this policy by contract;
h) All agents, contractors, or other parties working on behalf of the company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the company arising out of this Policy and the Regulation.
i) Where any agent, contractor or other party working on behalf of the company handling personal data fails in their obligations under this policy that party shall indemnify and hold harmless the company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Transferring personal data to a country outside the EEA - The company may from time to time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA.
The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:
a) The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection of personal data.
b) The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the Regulation); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
c) The transfer is made with the informed consent of the relevant data subject(s);
d) The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);
e) The transfer is necessary for important public interest reasons;
f) The transfer is necessary for the conduct of legal claims;
g) The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or
h) The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.
Data Breach Notification - All personal data breaches must be reported immediately to the office manager.
If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the office manager must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the data protection officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
Data breach notifications shall include the following information:
a) The categories and approximate number of data subjects concerned;
b) The categories and approximate number of personal data records concerned;
c) The name and contact details of the company’s data protection officer (or other contact point where more information can be obtained);
d) The likely consequences of the breach;
e) Details of the measures taken, or proposed to be taken, by the company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.