Data Protection Policy

Data Protection Policy 

 

This policy is addressed to all staff members. It is valid in any circumstances where it can reasonably be applied.

We also have strict legal obligations to meet in the way we handle data, most particularly sensitive personal data.

This policy is not flexible. If you work for us or with us, you must comply. This policy is part of the contract of employment of every one of our employees.

If you come across any breach of this policy you should immediately report it, preferably in writing to a manager or director.

1.Aim of our data protection principles

    1. The protection of data is of extreme importance. It is important for us as a business, for our customers and suppliers, for you and particularly for every individual, whether or not that person comes into one of those categories.
    2. The aim of this policy is to ensure that everyone handling Personal Data is fully aware of the requirements and acts in accordance with these procedures.
    3. As an employee of Monoptics Ltd you should be aware of the importance of complying fully with all policies of the company.
    4. The data protection policy exists to:
      1. comply with the law;
      2. protect your data;
      3. protect the data of other staff members;
      4. protect and manage the data of every third party with whom we deal, in accordance with the law;
      5. protect the data of the company.
    5. Please remember that data protection is the responsibility of all staff members at all times. It is very easy to disclose information about a colleague to a customer or friend, or about a customer to your spouse or relative. If you do so, you are in breach of this policy and of your contract of employment. To avoid this, you should avoid discussing any aspect of your work outside of work station and discuss issues about which you have strong feelings only with the appropriate person at work.
    6. We are extremely concerned to protect your privacy and confidentiality. We understand that not only all employees, but also customers, suppliers and others with whom we come into contact in our working day are quite rightly concerned to know that your or their data will not be used for any purpose unintended by them, and will not fall into the hands of a third party. Our policy is both specific and strict. If you come across any instance of a failure of our policy, please do let us know.
    7. Information may be unlawfully available to computer hackers and unlawful visitors. We will take reasonable precautions against such events, but we take no responsibility for any unlawful act of any person.
    8. Except as set out below, we do not share, or sell, or disclose to a third party, any personally identifiable information we collect.
    9. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

2.Definitions used in this policy

“Personal Data”

means fact or opinion about any human individual processed or recorded electronically, whether or not automatically, whether or not intentionally, and accessible by any one or more human or corporate persons.

“Data Protection Officer”

means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data are, or are to be, processed

3.Data security

    1. Shahnaz Gonzalvez is the Data Protection Officer in the Company.
    2. Sensitive Personal Data is kept on one computer in the company. That computer is kept in a room, which is locked at night. Access to the sensitive data is protected and is limited to 5 staff members. If is necessary to extract any such data for use by another staff member, the Data Protection Officer will follow the use and satisfy him / herself that the data has been deleted after use.
    3. The company has a backup procedure for all data. Those involved in any element of it are reminded of the crucial importance of timely compliance with the procedures.
    4. The organisation will take steps to ensure that Personal Data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken: Hard backups to be carried out once a week, UK cloud to be used. Access to computers only available by authorised staff with passwords. Securing the premises during closing hours.
    1. Any unauthorised disclosure of Personal Data to a third party by an employee may result in disciplinary procedures.

4.Data Protection Principles: the Law

Personal Data must be:

    1. processed fairly and lawfully meaning that the individual must give consent to the processing of it. For sensitive Personal Data, the individual must give explicit consent.
    2. obtained only for specified and lawful purposes;
    3. adequate, relevant and no more than is necessary;
    4. accurate and up to date;
    5. not kept for any longer than is necessary;
    6. processed in keeping with the rights of the individual;
    7. protected against unauthorised or unlawful processing, loss, destruction or damage.

5.Sensitive Personal Data

    1. The Act defines eight categories of sensitive Personal Data. These are:
      1. the racial or ethnic origin of data subjects;
      2. their political opinions;
      3. their religious beliefs or other beliefs of a similar nature;
      4. whether they are a member of a trade union;
      5. their physical or mental health or condition;
      6. their sexual life;
      7. the commission or alleged commission by them of any offence;
      8. any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
    2. We do hold data in one or more of the above categories.
    3. Data must not be transferred outside the European Economic Area unless there is adequate protection for the rights of data subjects.
    4. Here is a list of the information we collect, and why it is necessary to collect it:

Name, Addresses and Dates of birth. Also hold medical information with regard to a patient with the purpose of carrying out our duties as Ophthalmic Opticians

6.Training

Training and awareness about the Data Protection Act and how it is followed in this organisation will take the following forms:

    1. On induction: Any new employee will be taking through the necessary steps to ensure they are fully aware of their Data Protection responsibilities.
    2. General training/ awareness program: Existing staff will be continuously assessed to make sure that high standards are being adhered to.

7.Employee information

This information is used:

    1. to maintain proper employment records for our own use;
    2. to maintain salary records and to pay staff in accordance with our obligations;
    3. to comply with our legal obligations relating to tax and money;
    4. to comply with legal obligations relating to employment.

8.Customer and client information

This information is used:

    1. to provide customers and clients with the services they have requested;
    2. for billing and accounting purposes;
    3. to enable us to answer their enquiries;
    4. for verifying their identity for security purposes;
    5. for marketing our services and products;

Information which does not identify any individual may be used in a general way by us or third parties, to provide class information, for example relating to demographics or usage of a particular page or service.

9.Domain names and email addresses

You are recognised by our servers and the pages visited are recorded. This information is used:

    1. in a collective way not referable to any particular individual, for the purpose of quality control and improvement of our site;
    2. to send out news about the services to which website visitors have signed up;
    3. to tell customers and clients about other of our services.

10.Financial information, including credit card details

This information is used to obtain payment for goods and services ordered from us. We do not use it for any other purpose. We do not store this information longer than is necessary to process a payment. We are not responsible for such data once it has passed to our merchant service provider /bank.

11.Business associates’ information

This is information given to us in the course of business. This information is used:

    1. to maintain our accounts and business records;
    2. to enable us to answer enquiries;
    3. to verify identities.

12.Disclosure to Government and their agencies

We are subject to the law like everyone else. We may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order.

13.Cookies

The Privacy and Electronic Communications (EC Directive) Regulations 2003, cover the use of cookies and similar technologies for storing information, and accessing information stored. This website complies with that law.

14.Information request

At any time you may review or update the personally identifiable information that we hold about you, by contacting us at the address below. To better safeguard your information, we will also take reasonable steps to verify your identity before granting access or making corrections to your information.

15.Confidentiality before and after termination of the employment

Between us and each employee, the provisions of this agreement shall remain valid and binding not only for the employment period but for a period of ten years after that. Breach of this provision is a breach of the contract of employment.

Explanatory notes:


Data protection policy

General notes

  1. Compliance with the Data Protection Act 1998 consists in registration and the setting up of appropriate security procedures, then following them. This document does not alone provide compliance.
  2. Your data protection policy is a matter for your discretion. This model policy is built around:
    1. protecting you from contravening the Data Protection Act;
    2. placing contractual obligations on staff;
    3. providing re-assurance to your staff;

For compliance, it is essential that you specify what data is collected and what you do with it. The image you present to your staff is of course a matter for your choice.

  1. For compliance, do include all uses to which you might wish to put Personal Data.

Here is the official government guidance, (Crown copyright acknowledged), from: https://ico.org.uk

Every data controller must take into account the privacy rights of an individual. That word means both employees and external third parties who might come to your website. The following points should be considered by data controllers in planning their Internet strategies.

    1. Personal data placed on the Internet is available world-wide. In many countries the use of Personal Data is not protected by legislation. Because of this it is always advisable and will often be essential to obtain consent from individuals before publishing their Personal Data on your website.
    2. When collecting information via the Internet always inform the user of who you are, what Personal Data you are collecting, processing and storing and for what purpose. Do this before a user gives you any information, when they visit your site and wherever they are asked to provide information, for example via an on-line application form.
    3. It is good practice to ask for consent for the collection of all data and it is usually essential to get consent if you want to process sensitive Personal Data.
    4. Always let individuals know when you intend to use ‘Cookies’ or other covert software to collect information about them. Never collect or retain Personal Data unless it is strictly necessary for your purposes. For example you should not require a persons name and full address to provide an on-line quotation. If extra information is required for marketing purposes this should be made clear and the provision of the information should be optional. Design your systems in such a way as to avoid or minimize the use of Personal Data.
    5. Upon a user’s request you should correct, change or delete inaccurate details. If information is altered notify the third parties to whom the original information was communicated.
    6. Regularly delete data which is out of date or no longer required. Stop processing data if the user objects to it because the processing is causing him damage or distress.
    7. When you have collected Personal Data online, you should obtain the permission of the data subject before using it for marketing purposes. If a user asks you to stop using his or her data for marketing purposes you must comply with that request. If the Personal Data is “sensitive Personal Data” you should use it only with the precise and express consent of the data subject.
    8. Use the most up to date technologies to protect the Personal Data collected or stored on your site. Especially sensitive or valuable information, such as financial details should be protected by reliable encryption technologies.
  1. Cookies
    1. If you use cookies (as almost all websites do), you must obtain the consent of every computer user you communicate with via the Internet.
    2. Consent can be either express consent or implied consent. It is a matter of fact for any occasion, as to whether consent is express or implied, or there is no consent.
    3. Implied consent can be valid for the purposes of the Regulations. The most common instance of implied consent is when a computer user has consented on one occasion and returns to your site at some later time.
    4. Express consent is most commonly given by the user taking some specific action to confirm agreement or acceptance. An example is ticking a box.
    5. For informed consent you should not rely on the fact that a user might have read a privacy policy that is perhaps hard to find or difficult to understand.
    6. To comply with the law we must obtain informed consent and provide clear and comprehensive information about any cookies you are using.
    7. Although devices which process Personal Data give rise to greater privacy and security implications than those which process data from which the individual cannot be identified, the Regulations apply to all uses of such devices, not just those involving the processing of Personal Data.