
GDPR Policy

It is a legal requirement for the Company to comply with the General Data Protection Regulation (GDPR). It is also company policy to ensure.

Data protection principles

The Company needs to keep certain information about its employees, customers and suppliers for financial and commercial reasons, to enable us to monitor performance, to ensure legal compliance and for health and safety purposes. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. This means that we must comply with the Data Protection Principles set out in the GDPR.

These principles require that personal data must be:

➢ Obtained fairly and lawfully, and not processed unless certain conditions are met;

➢ Obtained for specified and lawful purposes and not further processed in a manner incompatible with those purposes;

➢ Adequate, relevant and limited to what is necessary;

➢ Accurate and up to date;

➢ Kept for no longer than necessary;

➢ Processed in accordance with data subjects’ rights;

➢ Protected by appropriate security;

➢ Not transferred to a country outside the European Union without adequate protection.

1 Policy Statement

Everyone has rights with regard to how their personal information is handled. During the course of the Company’s activities the Company may collect, store, and process personal information about staff, customers, clients and service providers and the Company recognises the need to treat this data in an appropriate and lawful manner. The Company is committed to complying with its obligations in this regard in respect of all personal data it handles.

This data will include medical history, address, contact and billing details, allergy status, GP/Consultant details and any communication with or from them. Covid-19 screening information will also be collected and held in order to ensure the safety of staff and patients.

The Company will also keep information relating to suppliers, including quotes, invoices and any other correspondence.

The information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the GDPR and other regulations. These Acts and regulations impose restrictions on how the Company may collect and process that data. This policy may be amended at any time. Any breach of this policy will be taken seriously and the Data Protection Commissioner will be informed.
2 Purpose and Scope of Policy

This policy sets out the company rules on data protection and the legal conditions that must be satisfied in relation to the collecting, obtaining, handling, processing, storage, transportation and destruction of personal and sensitive information.

3 Definition of Data Protection Terms

Data is information stored electronically (on a computer, phone or laptop) or on paper, including appointment books and other paper-based documentation.

Personal Data means data relating to a living individual who can be identified from that data (or from that data together with other information that is in, or is likely to come into, the possession of the data controller). Personal data may be factual (such as a name, address or date of birth).

Data controllers are the individuals or organisations who control, and are responsible for, the keeping and use of data.

Data processors include employees whose work involves using personal data. They have a duty to protect the information they handle by following the Company’s data protection and security policies at all times.

Processing means performing any operation or set of operations on data, including:

  • Obtaining, recording or keeping data

  • Collecting, organising, storing, altering or adapting the data

  • Retrieving, consulting or using the data

  • Disclosing the information or data by transmitting, disseminating or otherwise making it available

  • Aligning, combining, blocking, erasing or destroying the data

  • Auditing and billing.

Sensitive personal data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, criminal convictions or the alleged commission of an offence. Sensitive personal data can only be processed under strict conditions, and will usually require the express consent of the person concerned.

4 Data Protection Principles

Anyone processing personal data must comply with the eight enforceable principles of good practice. These provide that personal data must be:

➢ Obtained and processed fairly.

➢ Kept only for one or more specified, explicit and lawful purposes.

➢ Used and disclosed only in ways compatible with these purposes.

➢ Kept safe and secure.

➢ Kept accurate, complete and up to date.

➢ Adequate, relevant and limited to what is necessary.

➢ Retained for no longer than is necessary for the purpose or purposes for which it was collected.

➢ Provided to data subjects on request.

5 Obtained and Processed Fairly

The Acts are intended not to prevent the processing of personal data, but ensure that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is (The Dressing Clinic Ltd.), the purpose for which the data is to be processed by the Company, and the identities of anyone to whom the data may be disclosed or transferred.

For personal data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, more than one condition must be met. In most cases the data subject's explicit consent to the processing of such data will be required.

6 Kept only for Specified, Explicit and Lawful Purposes

Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the Acts. This means that personal data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose before any processing occurs.

7 Used and Disclosed Only In Ways Compatible With Purpose

Personal data should only be collected to the extent that is required for the specific purpose notified to the data subject. Any data which is not necessary for that purpose should not be collected in the first place.

8 Kept Safe and Secure

The Company and its employees must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

The Acts require the Company to put in place procedures and technologies to maintain the security of all personal data. Personal data will only be used by the Company for the purpose for which it was collected and will never be shared with any other individual or organisation.

The following properties must be maintained:

➢ Confidentiality – only the people who are authorised to use the data can access it.

➢ Integrity – the personal data is accurate and suitable for the purpose for which it is processed.

➢ Availability – authorised users are able to access the data when they need it for authorised purposes.

Security procedures include:

➢ Laptops and phones are password protected.

➢ No confidential data will ever be sent via email. (Personal information is always considered confidential.)

➢ Methods of disposal: paper documents are uploaded to cloud storage and are then shredded.

13 Accurate and Complete Data

Personal data must be accurate and kept up to date. Information which is incorrect or misleading is not accurate, and steps should be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data should be corrected or destroyed.

14 Timely Processing

Personal Data should not be kept longer than is necessary for the purpose for which it was obtained.

15 Processing In Line With Data Subjects’ Rights

Data must be processed in line with data subjects’ rights. Data subjects have a right to:

➢ Request access to any data held about them by a data controller.

➢ Prevent the processing of their data for direct-marketing purposes.

➢ Ask to have inaccurate data amended.

➢ Prevent processing that is likely to cause damage or distress to themselves or anyone else.

16 Dealing with subject access request

A formal request from a data subject for the information that the Company holds about them must be made in writing to info@thedressingclinic.ie. No fee is required from the data subject for provision of this information. Data subjects should be provided with their data in accordance with any such request within one month of receiving the request.

17 Review Of Policy

The Company will continue to review the effectiveness of this policy, to ensure it is achieving its stated objectives, at least every three years and more frequently if required, taking into account changes in the law and organisational or security changes.

18 Transferring Data Outside The State

Should it be relevant to your care, your data will be shared with your GP or other healthcare professional only after obtaining your consent. The Company will not share your data with any other third party.

Data Breach Procedure

Introduction:

The purpose of this document is to provide a concise procedure to be followed in the event that The Dressing Clinic Ltd. becomes aware of a loss of personal data. This includes obligations under law, namely the Irish Data Protection Act (1988), the Irish Data Protection (Amendment) Act (2003), and the General Data Protection Regulation (in force since May 2018). The procedure is consistent with the guidelines issued by the Irish Data Protection Commissioner and enshrined in Irish law.

Rationale:

The response to any breach of personal data (as defined by the legislation) can have a serious impact on The Dressing Clinic Ltd.’s reputation and the extent to which the public perceives The Dressing Clinic Ltd. as trustworthy.


Scope:

The policy covers both personal and sensitive personal data held by The Dressing Clinic Ltd. The policy applies equally to personal data held in manual and automated form.

All Personal and Sensitive Personal Data will be treated with equal care by The Dressing Clinic Ltd. Both categories will be equally referred-to as Personal Data in this policy, unless specifically stated otherwise.

This policy should be read in conjunction with the related policies and procedures listed below.

What constitutes a breach, potential or actual?

A breach is a loss of control, compromise, unauthorised disclosure, unauthorised acquisition, unauthorised access, or any similar situation where persons other than authorised users, or persons acting for other than an authorised purpose, have access or potential access to personal data in usable form, whether manual or automated.

This could include, but is not limited to:

● Loss of a laptop or mobile device that contains personal data

● Lack of a secure password on a laptop

● Emailing data to someone in error

● Giving a password to an unauthorised person

What happens if a breach occurs?

Actual, suspected or potential breaches will be reported to the Office of the Data Protection Commissioner, and any other relevant regulatory bodies will be informed, within 72 hours of detection.

In certain circumstances (e.g. if required by the Office of the Data Protection Commissioner), The Dressing Clinic Ltd. may inform the data subjects of the loss of their data and provide them with an assessment of the risk to their privacy. The Dressing Clinic Ltd. will then implement changes to procedures, technologies or applications to prevent a recurrence of the breach.

When will the Office of the Data Protection Commissioner be informed?

All incidents in which personal data has been put at risk will be reported to the Office of the Data Protection Commissioner.


Data Loss Incident logging

All data breaches will be recorded in an incident log as required by the Office of the Data Protection Commissioner. The log will maintain a summary record of each incident which has given rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data. The record will include a brief description of the nature of the incident and an explanation of when the Office of the Data Protection Commissioner was informed. Such records will be provided to the Office of the Data Protection Commissioner upon request.

If you wish to withdraw this consent at any point, please contact The Dressing Clinic Ltd. by email at the following address: info@thedressingclinic.ie


© 2021 Drexl Web Services via WIX
