Advanced Seating Solutions Ltd Data Protection Policy

General Data Protection Regulations (GDPR) 2018

Under the GDPR, the data protection principles set out the main responsibilities for all organisations.

Article 5 of the GDPR requires that personal data shall be:

“a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Advanced Seating Solutions Ltd are committed to ensuring that we adhere to the latest data protection regulations, and we are registered with The Information Commissioner’s Office.

We believe in supplying our services in a fair and transparent manner. We aim to ensure that, where necessary, we have requested your consent to safely use your personal information for any purposes other than for a basic commercial transaction for products supplied, for example when providing services such as ongoing Occupational Therapy and Training.

Privacy Statement:

At Advanced Seating Solutions Ltd we take protection of your personal data very seriously.

Your personal and/or sensitive data is being collected for the following reasons:

  1. Contractual reasons – this enables us to provide a service to you e.g. provision of assessment, equipment or Therapy Services. We will only collect the necessary data to enable us to perform the contracted service. Some of your data is of a highly sensitive nature e.g. medical information and we ensure this data is stored safely in line with our Data Protection Policy. This data is essential in order for us to provide a service to you.
  2. Contractual reasons – where we are entering into a business arrangement with you as a supplier of equipment, Professional Services or Therapy Services.
  3. Consent – Where we use your data to send you information, leaflets and resources you will be given the opportunity to withdraw your consent for us to use that data. We may use your data to send you additional, relevant information that we feel would be of interest and use to you. You will have the right to unsubscribe at any time.
  4. Your data will be collected by documented telephone calls, email, website enquiries, letter and hand-written documents. This is safely stored on secure, password protected devices and Cloud storage or, if handwritten, in a locked filing cabinet. Please see our policy for further details.
  5. Your data will only be shared with a third party if it is required for an essential service to be performed e.g. delivery of equipment. Where sensitive data may need to be shared we will always seek your permission to do so.
  6. All our data is securely held for 7 years, in line with our insurance policy guidelines, professional body guidelines and for the purposes of warranty, repair and maintenance of equipment.
  7. For more detailed information on our Policy and contact details please see our Data Protection Policy on our website www.advancedseatingsolutions.com/advanced-seating-solutions-ltd-data-protection-policy/

Why this policy exists:

Advanced Seating Solutions Ltd needs to gather and use certain information about individuals and organisations (data subjects). These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.

This data protection policy ensures Advanced Seating Solutions Ltd:
• Complies with data protection law and follows good practice
• Protects the rights of staff, customers and partners
• Is open about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach

Policy scope:

This policy applies to:
• The Directors of Advanced Seating Solutions Ltd
• All employees of Advanced Seating Solutions Ltd
• All contractors, agents, suppliers and other people working on behalf of Advanced Seating Solutions Ltd

It applies to all data that the company holds relating to identifiable individuals (data subjects). This can include:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Dates of Birth
  • Professional role

Data protection risks:

This policy helps to protect Advanced Seating Solutions Ltd from some very real data security risks, including:

  • Breaches of confidentiality – eg. information being given out inappropriately
  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them and to have clear instruction on how to opt out.
  • Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data

Responsibilities:

Everyone who works for or with Advanced Seating Solutions Ltd has some responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, the Directors, Martin and Katherine Coles, are ultimately responsible for ensuring that Advanced Seating Solutions Ltd meets its legal obligations with regards to data protection compliance.

The Directors are responsible for:

  • Keeping themselves updated about data protection responsibilities, risks and issues
  • Reviewing all data collection procedures and related policies, in line with an agreed schedule
  • Arranging data protection training and advice for the people covered by this policy
  • Handling data protection questions from staff and anyone else covered by this policy
  • Dealing with requests from individuals to see the data Advanced Seating Solutions Ltd holds about them (also called ‘subject access requests’)
  • Checking and approving contracts or agreements with third parties that may handle the company’s sensitive data
  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards
  • Ensuring regular checks and scans are completed to ensure security hardware and software is functioning properly
  • Evaluating any third party services the company is considering using to store or process data. For instance, cloud computing services
  • Approving any data protection statements attached to communications such as emails and letters
  • Addressing any data protection queries from journalists or media outlets like newspapers
  • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles

Responsibility of all staff working for Advanced Seating Solutions Ltd:

  • The only people able to access data covered by this policy should be those who need it for their work

  • Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers
  • Employees should keep all data secure by taking sensible precautions and following the guidelines below
  • In particular, strong passwords must be used and they should never be shared
  • Personal data should not be disclosed to unauthorised people, either within the company or externally
  • Data should regularly be reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of
  • Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection

Data Storage:

These rules describe how and where data should be safely stored:

  • When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it
  • These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
  • When not required, the paper files should be kept in a locked drawer or filing cabinet
  • Employees should make sure paper printouts are not left where unauthorised people could see them, like on a printer
  • Data printouts should be shredded and disposed of securely when no longer required
  • When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts.
  • Data should be protected by strong passwords that are changed regularly and never shared between employees
  • If data is stored on removable media (like a DVD or USB), these should be locked away securely when not being used
  • Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services
  • Servers containing personal data should be sited in a secure location, away from general office space
  • Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures
  • Data should never be saved directly to laptops or other mobile devices like tablets or smart phones
  • All servers and computers containing data should be protected by approved security software and a firewall

Data use:

Personal data is of no value to Advanced Seating Solutions Ltd unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft.

  • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended
  • Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure
  • Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts
  • Personal data should never be transferred outside of the European Economic Area
  • Employees should not save copies of personal data to their own computers. They should always access and update the central copy of any data

Data accuracy:

The law requires Advanced Seating Solutions Ltd to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all the employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

  • Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets
  • Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call
  • Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored number, it should be removed from the database.

Accountability and governance

Advanced Seating Solutions Ltd Code of Conduct: We aim to provide:

  • Fair and transparent processing of your personal information, with your consent.
  • Assurance that your data will only be used for legitimate purposes to allow for our daily business.
  • Assurance that your data will not be shared with third parties for marketing purposes.
  • Communication with you and consent from you should we need to share your information with a third party for the purposes of your Occupational Therapy intervention.
  • Information to individuals on the individuals’ rights with relation to data protection.
  • Information to and for the protection of children (including mechanisms for obtaining parental consent for Occupational Therapy).
  • Technical and organisational measures, including data protection by design and by default and robust security measures.
  • Hand written Occupational Therapy Client progress notes, ie those that are not kept at the client’s house, which will be recorded within 24 hours of last contact and will be stored in a locked filing cabinet in a secure location on our premises.
  • A consent form for any client identifiable photographic records, which will only be used for the purposes outlined in the consent form and will be stored securely in the patient notes.
  • A system whereby Occupational Therapy Client records will be securely held for a minimum of 7 years, from the point of last contact, in our locked Archive files.
  • Breach notification and an outline of the course of action that will be taken.
  • Information on dispute resolution procedures.

Advanced Seating Solutions Ltd. Dec 2017
Unit 75, Basepoint Gosport, Aerodrome Road, Gosport, Hampshire PO13 0FQ Company Reg No: 10303273 VAT Reg No: 201 9431 45

The GDPR provides the following rights for individuals:

1. The right to be informed

As we hold personal information about our clients, employees and suppliers, we are legally obliged to keep you informed on how we use and protect that information. Under the Data Protection Act, we must:

  • only collect information that we need for a specific purpose;
  • keep it secure;
  • ensure it is adequate, relevant, accurate and up to date;
  • only hold as much as we need, and only for as long as we need it.
  • allow the subject of the information to see it on request.
  • Not transfer the data to countries outside the European Economic Area

Should we need to use your information for anything other than a basic transaction for products supplied we will provide to you a copy of this document and may also ask you to sign a Privacy Notice or Consent to Occupational Therapy treatment, Consent to Share Information or Consent for Photographs form, as appropriate to the individual situation.

2. The right of access

Information must be provided without delay and at the latest within one month of receipt of the request. There will be no fee for the initial request.

We may extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we can:

  • charge a reasonable fee taking into account the administrative costs of providing the information; or
  • refuse to respond.

Where we refuse to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

We will verify the identity of the person making the request, using ‘reasonable means’.

3. The right to rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

If we have disclosed the personal data in question to third parties, we will inform you of the rectification where possible and provide details of the third parties to whom the data has been disclosed where appropriate.

We will usually respond within one month.

This can be extended by two months where the request for rectification is complex.

Where we are not taking action in response to a request for rectification, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.

4. The right to erasure

When does the right to erasure apply?

The right to erasure does not provide an absolute ‘right to be forgotten’. However, individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (ie otherwise in breach of the GDPR).
  • The personal data has to be erased in order to comply with a legal obligation.
  • The personal data is processed in relation to the offer of information society services to a child.

Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

There are some specific circumstances where the right to erasure does not apply and we can refuse to deal with a request.

5. The right to restrict processing

When does the right to restrict processing apply?

We are required to restrict the processing of personal data in the following circumstances:

  • Where an individual contests the accuracy of the personal data, we should restrict the processing until we have verified the accuracy of the personal data.
  • Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our organisation’s legitimate grounds override those of the individual.
  • When processing is unlawful and the individual opposes erasure and requests restriction instead.
  • If we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.

If we have disclosed the personal data in question to third parties, we must inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.

We will inform individuals when we decide to lift a restriction on processing.

6. The right to data portability

When does the right to data portability apply?

The right to data portability only applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • when processing is carried out by automated means.

How do we comply?

We must provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.

The information must be provided free of charge.

If the individual requests it, we may be required to transmit the data directly to another organisation if this is technically feasible. However, we are not required to adopt or maintain processing systems that are technically compatible with other organisations.

If the personal data concerns more than one individual, we must consider whether providing the information would prejudice the rights of any other individual.

We must respond without undue delay, and within one month.

This can be extended by two months where the request is complex or we receive a number of requests. We must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

7. The right to object

How do we comply with the right to object if we process personal data for the performance of a legal task or our organisation’s legitimate interests?

Individuals must have an objection on “grounds relating to his or her particular situation”.

We must stop processing the personal data unless:

  • We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims.

We must inform individuals of their right to object in our Code of Conduct.

Where we are not taking action in response to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

8. Rights in relation to automated decision making and profiling

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.

We have assessed whether any of our processing operations constitute automated decision making and consider that this is not the case within Advanced Seating Solutions Ltd.

12th April 2018