Data Protection Policy, including Key Procedures

Aims of this Policy

Masterfix Domestic Appliance Repairs Limited needs to keep certain information on its customers, employees and service users to
carry out its day-to-day operations, to meet its objectives and to comply with legal obligations.

The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998. To comply
with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully. 

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance
with data protection procedures. This document also highlights key data protection procedures within the organisation.

This policy covers clients, customers, employees, and service users.

Definitions

In line with the Data Protection Act 1998 principles, Masterfix Domestic Appliance Repairs Limited will ensure that personal data will:

· Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
· Be obtained for a specific and lawful purpose
· Be adequate, relevant but not excessive
· Be accurate and kept up to date
· Not be held longer than necessary
· Be processed in accordance with the rights of data subjects
· Be subject to appropriate security measures
· Not be transferred outside the European Economic Area (EEA)

The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes
some paper-based personal data as well as that kept on computer.

The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The
organisation will seek to abide by this code in relation to all the personal data it processes, i.e.

· Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard
personal data.

· Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes
the right to have incorrect personal data corrected and to know who has had access to this data.

· Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data
protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be
shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.

· Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to
their personal data and who has used this data.

· Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.

Type of information processed

Masterfix Domestic Appliance Repairs Limited processes personal information about the following: potential and actual customers,
employees, service users and clients.

Examples, which are not exhaustive, may include:
· Applications and references for employment.
· Employee details: contact, financial (including bank details), payroll, appraisal and performance details.
· Customers: contact, instructions and notes, appliance details.
· Clients & service users: contact, personnel and positions, financial (including bank details).

Personal information is kept in the following forms: computer data files and filed paper documents.

Groups of people within the organisation who will process personal information are employed and seconded staff, following equality,
security, privacy and data policies.
Clients and service users will also process personal information to perform requested tasks, following equality, security, privacy
and data policies.

Notification

The needs we have for processing personal data are recorded on the public register maintained by the Information Commissioner.
We notify and renew our notification on an annual basis as the law requires. 

If there are any interim changes, these will be notified to the Information Commissioner within 28 days.

The name of the Data Controller within our organisation, as specified in our notification to the Information Commissioner, is the
Managing Director.

Responsibilities

Under the Data Protection Guardianship Code, overall responsibility for personal data in the case of Masterfix Domestic Appliance
Repairs Limited lies with the Managing Director.

The Managing Director is the Data Controller and is responsible for:

· understanding and communicating obligations under the Act
· identifying potential problem areas or risks
· producing clear and effective procedures
· notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes

All employed and seconded staff who process personal information must ensure they not only understand but also act in line with
this policy and the data protection principles. Any queries must be raised with their immediate supervisor.

Breach of this policy will result in disciplinary proceedings and could result in dismissal for any employed or seconded staff or the
prohibiting of the person working for or on behalf of Masterfix Domestic Appliance Repairs Limited or its clients or service users.

Policy Implementation

To meet our policy rules, any employed and seconded staff or clients and service users will:
· Ensure any personal data is collected in a fair and lawful way;
· Explain why it is needed at the start;
· Ensure that only the minimum amount of information needed is collected and used;
· Ensure the information used is up to date and accurate;
· Review the length of time information is held;
· Ensure it is kept safely;
· Ensure the rights people have in relation to their personal data can be exercised.

We will ensure that:
· Everyone managing and handling personal information is trained to do so.
· Anyone wanting to make enquiries about handling personal information, whether employed staff, seconded staff or a service
user, knows what to do;
· Any disclosure of personal data will be in line with our procedures.
Queries about handling personal information will be dealt with swiftly and politely.

Training

Training and awareness raising about the Data Protection Act and how it is followed in this organisation will take the following forms:

On induction: Policy documents are provided to explain the process and are signed for as part of contracts of employment. Documents
are available for reference in the staff area of the website.

Employees are advised regarding the change and non-disclosure of passwords and the importance of keeping files locked and keys
safe.

General training/awareness raising: Data protection is raised annually at appraisal meetings to stress its importance.

Gathering and checking information

Before personal information is collected, we will consider what information needs to be recorded to allow performance of our, and
our clients’, services and to give the best customer service, in line with continued research into customers’ requirements. Data
will be held as long as necessary to satisfy ongoing customer needs.

We will inform people whose information is gathered about the following: data is collected to allow the performance of the
services requested, both now and in the future, and is not disclosed to any third party unless required to perform the services
requested.

We will take the following measures to ensure that personal information kept is accurate: Information about ethnic origin, political
opinions, religious beliefs, membership of a trade union, physical or mental health, criminal convictions etc. The information will
have been captured for a specific purpose and will only be used for this purpose. We will seek to keep the information accurate and
up to date by confirming such information during reviews with the owner of the information.

Personal sensitive information will not be used apart from the exact purpose for which permission was given.

Data Security

The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or
disclosure. The following measures will be taken: only authorised persons will be able to access data, for the purposes of performing
services by Masterfix Domestic Appliance Repairs Limited. The data is stored in password-protected files or in secured documents
on Masterfix’s premises.

Examples include:
· Using lockable cupboards (restricted access to keys)
· Password protection on personal information files
· Computer systems only allow restricted access to certain areas
· In general, no personal data will be taken off site (as hard copy, on laptop or on memory stick) except by management.
· Any personal data that is viewed off site (paper, smartphone, memory stick, laptop) must be handled in line with all policy rules
· Backup of data on computers (onto a separate hard drive, both on and off site) is performed

Any unauthorised disclosure of personal data to an unauthorised third party by an employee or seconded staff member may result in
disciplinary and/or legal proceedings taken against them.

Any unauthorised disclosure of personal data to a third party by a client or service user may result in system disconnection and/or
legal proceedings taken against them.

Subject Access Requests

Anyone whose personal information we process has the right to know:
· What information we hold and process on them
· How to gain access to this information
· How to keep it up to date
· What we are doing to comply with the Act.

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or
erase information regarded as wrong.

Individuals have a right under the Act to access certain personal data being kept about them on computer and in certain files. Any
person wishing to exercise this right should apply in writing to Data Requests, Masterfix Domestic Appliance Repairs Limited,
Markham Vale Environment Centre, Markham Lane, Markham Vale, Chesterfield, S44 5HY.

We may make a charge of £10 on each occasion access is requested.

The following information will be required before access is granted:
· Full name and contact details of the person making the request
· Their relationship with Masterfix Domestic Appliance Repairs Limited (e.g. former/current member of staff, service user,
customer or client)
· The date of the last contact with Masterfix Domestic Appliance Repairs Limited and the nature of the contact.

We may also require proof of identity before access is granted. Two of the following forms of ID will be required: passport, birth
certificate, 2 x utility bills or ID card.

Queries about handling personal information will be dealt with swiftly and politely.
We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the
40 days required by the Act from receiving the written request and the £10 fee. 

Review

This policy will be reviewed at intervals of one year to ensure it remains up to date and compliant with the law.

Data Protection Policy of
MASTERFIX DOMESTIC APPLIANCE REPAIRS LIMITED