Feet & Co

Privacy Policy


1. Introduction

This Policy sets out the obligations of Feet & Co Podiatry Ltd, a company registered in Scotland under Number SC726888, whose registered office is at 3 Engine Road, Loanhead EH20 9RF (“the Company”), regarding the handling and reporting of data breaches and personal data breaches in accordance with the UK Data Protection Legislation. “Data Protection Legislation”, in this Policy, means all legislation and regulations in force from time to time regulating the use of personal data including, but not limited to, the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”), as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, and any successor legislation.

The UK GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The UK GDPR defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

The Company is under a duty to report certain types of personal data breach directly to the Information Commissioner’s Office (“ICO”). The Company is also required to inform individual data subjects in the case of breaches that present a high risk of adversely affecting their rights and freedoms.

All personal data collected, held and processed by the Company will be handled in accordance with the Company’s Data Protection Policy.

The Company has in place procedures for the detection, investigation, and reporting of data breaches. This Policy applies to all data breaches (including personal data breaches) within the Company and is designed to assist in both the handling of such breaches and in determining whether or not they must be reported to the ICO and/or to data subjects.

Data Protection Policy - Feet & Co Podiatry Ltd - 2022

The Company’s Data Protection Officer, Lynsey Watson, Director, is responsible for the implementation of this Policy, for overseeing the handling of all data breaches, and for ensuring that this Policy is adhered to by all staff.

2. Scope of Policy

2.1 This Policy relates to all formats of data (including personal data and sensitive personal data (known as “special category” data under the Data Protection Legislation)) collected, held and processed by the Company.

2.2 This Policy applies to all staff of the Company, including but not limited to employees, agents, contractors, consultants, temporary staff, casual or agency staff, or other suppliers or data processors working for or on behalf of the Company.

2.3 This Policy applies to all data breaches, whether suspected or confirmed.

3. Data Breaches

3.1 For the purposes of this Policy, a data breach means any event or action (accidental or deliberate) which presents a threat to the security, integrity, confidentiality, or availability of data.

3.2 Incidents to which this Policy applies may include, but are not limited to:

a) the loss or theft of a physical data record;

b) the loss or theft of computer equipment (e.g. laptop), mobile devices (e.g. smartphone or tablet), portable data storage devices (e.g. USB drive), or other data storage devices;

c) equipment failure;

d) unauthorised access to, use of, or modification of data (or inadequate access controls allowing unauthorised access, use, or modification);

e) unauthorised disclosure of data;

f) human error (e.g. sending data to the wrong recipient);

g) unforeseen circumstances such as fire or flood;

h) hacking, phishing, and other offences whereby information is obtained by deception.


4. Internal Reporting

4.1 If a data breach is discovered or suspected, members of staff should complete a Data Breach Report Form (available from the Company Shared Admin Drive Folder ‘GDPR & Data Privacy’) and send the completed form to the Data Protection Officer.

4.2 A completed Data Breach Report Form should include full and accurate details about the incident including, but not limited to (where applicable):

a) the time and date of the breach;

b) the time and date the breach was discovered;

c) whether the data relates to the Company or one of its clients;

d) the type(s) of data involved;

e) where the breach involves personal data, the category(ies) of data subject to which the personal data relates (e.g. customers, employees etc.);

f) whether or not any sensitive personal data is involved;

g) how many data subjects are likely to be affected (if known).

4.3 Where appropriate, members of staff should liaise with the Data Protection Officer when completing a Data Breach Report Form.

4.4 If a data breach occurs or is discovered outside of normal working hours, it should be reported as soon as is reasonably practicable.

4.5 Unless and until instructed to by the Company’s Data Protection Officer or Director, members of staff should not take any further action with respect to a data breach. In particular, individual members of staff should not take it upon themselves to notify affected data subjects, the ICO, or any other individuals or organisations.

5. Initial Management and Recording

5.1 Upon receipt of a Data Breach Report Form (or upon being notified of a data breach in any other way), the Company’s Data Protection Officer shall begin by determining whether the data breach is still occurring. If this is the case, appropriate steps shall be taken immediately to minimise the effects of the data breach and to stop it.

5.2 Having established the above, the following steps shall then be taken with respect to the data breach:

a) undertake an initial assessment of the data breach, liaising with the relevant staff and clients where appropriate, to establish the severity of the data breach;

b) contain the data breach, or restrict the availability of the affected data (e.g. by changing or revoking access permissions or by temporarily making the data unavailable electronically);

c) determine whether anything further can be done to recover the data and/or other losses, and to limit the damage caused by the breach;

d) establish who needs to be notified initially (including, if physical records or equipment have been lost or stolen, the police) as part of the initial containment;

e) determine, in liaison with the relevant staff and clients, the best course of action to resolve and remedy the data breach; and

f) record the breach and the initial steps taken above in the Company’s Data Breach Register.

5.3 Having completed the initial steps described above, the Company’s Data Protection Officer shall proceed with investigating and assessing the data breach as described in Part 6, below.

6. Investigation and Assessment

6.1 The Company’s Data Protection Officer shall begin an investigation of a data breach as soon as is reasonably possible after receiving a Data Breach Report Form (or being notified in any other way) and, in any event, within 24 hours of the data breach being discovered and/or reported.

6.2 Investigations and assessments must take the following into account:

a) the type(s) of data involved (and, in particular, whether the data is personal data or sensitive data);

b) the sensitivity of the data (both commercially and personally);

c) what the data breach involved;

d) what organisational and technical measures were in place to protect the data;

e) what might be done with the data as a result of a breach (including unlawful or otherwise inappropriate misuse);

f) where personal data is involved, what the personal data could tell a third party about the data subjects to whom the data relates;

g) the category or categories of data subject to whom any personal data relates;

h) the number of data subjects (or approximate number if calculating an exact number is not reasonably practicable) likely to be affected by the data breach;

i) the potential effects on the data subjects involved;

j) the potential consequences for the Company;

k) the broader consequences of the data breach, both for data subjects and for the Company.

6.3 The results of the investigation and assessment described above must be recorded in the Company’s Data Breach Register.

6.4 Having completed the investigation and assessment described above, the Company’s Data Protection Officer shall determine the parties to be notified of the breach as described in Part 7, below.

7. Notification

7.1 The Company’s Data Protection Officer shall determine whether to notify one or more of the following parties of the breach:

a) affected data subjects;

b) the ICO;

c) the police;

d) the Company’s insurers;

e) affected commercial partners and clients.

7.2 When considering whether (and how) to notify individual data subjects in the event of a personal data breach, the following should be considered:

a) the likelihood that data subjects’ rights and freedoms as set out in the Data Protection Legislation (and the Company’s Data Protection Policy) will be adversely affected;

b) whether there is a legal or contractual requirement to notify;

c) whether measures in place to protect the affected personal data (e.g. pseudonymisation or encryption) have been applied, thereby rendering the data unusable to any unauthorised parties;

d) whether measures have been taken following the data breach that will ensure that a high risk to the rights and freedoms of affected data subjects is no longer likely to occur;

e) the benefits to data subjects of being notified (e.g. giving them the opportunity to mitigate the risks posed by the data breach);

f) whether notifying individuals will involve disproportionate effort (in which case a public communication or other widely available notice may suffice, provided that affected data subjects will still be informed effectively);

g) the best way of notifying data subjects, taking into account the urgency of the situation and the security of the possible methods;

h) any special considerations applicable to certain categories of data subject (e.g. children or vulnerable people);

i) the information that should be provided to affected data subjects;

j) how to make it easy for affected data subjects to contact the Company to find out more about the data breach;

k) further assistance that the Company should provide to the affected data subjects, where appropriate;

l) the risks of over-notifying: not all data breaches require notification, and excessive notification may result in disproportionate work and a large number of enquiries from individuals.

7.3 When individual data subjects are to be informed of a data breach, those individuals must be informed of the breach without undue delay. Individuals shall be provided with the following information:

a) a user-friendly description of the data breach, including how and when it occurred, the personal data involved, and the likely consequences;

b) clear and specific advice, where relevant, on the steps individuals can take to protect themselves;

c) a description of the measures taken (or proposed to be taken) to address the data breach including, where relevant, measures taken to mitigate any possible adverse effects;

d) contact details for the Company’s Data Protection Officer from whom affected individuals can obtain further information about the data breach.

7.4 When considering whether (and how) to notify the ICO of a data breach, the following should be considered:

a) the risk and potential harm to data subjects, their rights, and freedoms. Harm can include (but is not limited to) financial harm, physical harm, loss of control over personal data, discrimination, identity theft or fraud, damage to reputation, and emotional distress;

b) the volume of personal data involved. The ICO should be notified if a large volume of data is involved and there is a real risk of data subjects suffering harm as a result; however, it may also be appropriate to notify the ICO if a smaller amount of high-risk data is involved;

c) the sensitivity of the data involved. The more sensitive the personal data is, the less relevant the volume of it becomes; if the data breach presents a significant risk of data subjects suffering substantial detriment or distress, the ICO should be notified.

7.5 If the ICO is to be notified of a data breach, this must be done within 72 hours of becoming aware of the breach, where feasible. This time limit applies even if complete details of the data breach are not yet available. The ICO must be provided with the following information:

a) the category or categories and the approximate number of data subjects whose personal data is affected by the data breach;

b) the category or categories and the approximate number of personal data records involved;

c) the name and contact details of the Company’s Data Protection Officer from whom the ICO can obtain further information about the data breach;

d) a description of the likely consequences of the data breach; and

e) a description of the measures taken (or proposed to be taken) to address the data breach including, where relevant, measures taken to mitigate any possible adverse effects.

7.6 The police may have been contacted at an earlier point in the data breach procedure (see 5.2); however, further investigation may reveal that the data breach resulted from a criminal act, in which case the police should be further informed.

7.7 Records must be kept of all data breaches, regardless of whether notification is required. The decision-making process surrounding notification should be documented and recorded in the Company’s Data Breach Register.

8. Evaluation and Response

8.1 When the steps set out above have been completed, the data breach has been contained, and all necessary parties have been notified, the Company’s Data Protection Officer shall conduct a complete review of the causes of the data breach, the effectiveness of the measures taken in response, and whether any systems, policies, or procedures can be changed to prevent data breaches from occurring in the future.

8.2 Such reviews shall, in particular, consider the following with respect to data (and in particular, personal data) collected, held, and processed by the Company:

a) where and how data is held and stored;

b) the current organisational and technical security measures in place to protect data and the risks and possible weaknesses of those measures;

c) the methods of data transmission for both physical and electronic data and whether or not such methods are secure;

d) the level of data sharing that takes place and whether or not that level is necessary;

e) whether any data protection impact assessments need to be conducted or updated;

f) staff and client awareness and training concerning data protection.

8.3 Where possible improvements and/or other changes are identified, the Company’s Data Protection Officer shall liaise with the relevant staff and clients with respect to the implementation of such improvements and/or changes.


9. Policy Review and Implementation

9.1 This Policy will be updated as necessary to reflect current best practice, official guidance, and in line with current legislation.

This Policy shall be deemed effective as of 29th September 2022. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

This Policy has been approved and authorised by:

Name: Lynsey Watson

Position: Director

Date: 29th September 2022






Copyright © 2023 Feet & Co Podiatry Ltd - All Rights Reserved.
