Task 2 - Personal Information Handling Policy Statement for Members of Staff Only

Purpose & Objectives

This policy covers the standards and procedures for processing and controlling personal data, staff understanding of their roles and responsibilities, staff training, following the Health and Safety policy during beauty treatments, monitoring and reviewing individuals, and the eight data protection principles that govern all use of personal information, with which the Spa must comply unless an exemption applies.

The policy supports the business in three ways: it allows advertising and marketing to reach all types of customer lawfully, it keeps the client database protected, and it makes sure that each employee understands the terms and conditions of the Spa. The risk assessment carried out must ensure that all products and safety procedures are used correctly within the organisation, as this reduces the risk of fines, legal action or a breach of the Health and Safety at Work Act 1974 (UK Hairdressers (2000) Health and Safety, para. 3, pg. 2).

The key performance objectives of this policy are to make sure staff are aware of all Health and Safety procedures, to monitor staff regularly, to review the performance of the whole organisation and to keep personal data up to date. Health and Safety rules are fundamental to the continual improvement of the organisation, together with feedback from customers who understand the terms and conditions of the Spa, so that an effective relationship is built with them (Bali Spa & Wellness (2006a) Objectives & Programs, para. 1-7, pg. 1). Further objectives are:
- improving staff knowledge, technical skills and professionalism by undertaking high standards of training, including first aid training
- monitoring all systems against the checklist provided, which ensures the correct temperatures are maintained in all facilities (e.g. saunas, steam rooms) (Bali Spa & Wellness (2006a) para. 1-7, pg. 1)

Data Protection Act (1998) and Definitions

The purpose of the Data Protection Act (1998) is to protect the rights and privacy of individuals and to ensure that data about individuals are not processed without their knowledge and are processed with their consent wherever possible (http://www.soas.ac.uk/infocomp/dpa/policy/overview/ pg. 1). The Act covers personal data stored electronically on a database, including all confidential client details. The Data Protection Act 1998 replaced the Data Protection Act 1984 and came into force on 1 March 2000. The Act applies both to personal information processed manually in paper records and to personal data stored electronically on the system (FdA Managing Research Information - DPA Handout (pdf) pg. 1).

This legislation sets out requirements and rules for processing data. The key terms are:

'Personal Data' is information about a living individual, whether it is held manually in paper records or electronically on computer systems. Personal data covers both facts and opinions about an individual, and includes information about the intentions of the data controller towards the individual (University of London (2008) para. 1, pg. 1).

'Data Subject' is the individual the personal data is about.

'Data Controllers' are those who decide how and why the personal data is stored and processed. Data controllers must comply with the good information handling practice set out in the eight 'data protection principles'.

'Processing' means obtaining, recording, holding, using or disclosing personal data. Processing is permitted where it is necessary for the performance of a contract with the individual, and the information must be protected while it is processed (FdA Managing Research Information - DPA Handout (pdf) pg. 2).

Data Protection Principles

1. Processed fairly and lawfully - Personal data must be obtained and processed fairly, with a lawful basis for the processing, and the data subject must be told who is holding the data and what it will be used for.
2. Held and used only for specified and lawful purposes - Data must be used only for the business purposes for which it was obtained, unless the data subject consents to another use.
3. Adequate, relevant and not excessive - When a family books treatments as a package, only the details needed are recorded, either as a single booking record or as separate records where this is relevant, and only for those who have paid their deposits and balances.
4. Accurate - The Spa must ensure that all personal data is kept up to date with the customer, to reduce errors, and must inform the client of any changes made. Possible checks include pilot testing, validation checks (restricting the minimum number of characters and the format the data must be in) and verification checks (confirming the entered details against the source).
5. Not kept for any longer than necessary - The organisation must ensure that personal data are not kept for longer than is required.
6. Processed in accordance with the rights of the individual (the data subject) - The organisation will ensure that personal data are processed in line with the rights given by the DPA. These include the right to prevent processing for the purposes of direct marketing and the right to claim compensation for damage or distress suffered through a contravention of the Act.
7. Kept secure - When data is processed on the system, each individual's data must be kept secure to prevent loss or damage, and access to personal data must be restricted to the staff who need it.
8. Not transferred to countries without adequate data protection - Personal data must not be transferred outside the European Economic Area unless the destination country ensures an adequate level of protection for the data or the data subject has given consent to the transfer. (FdA Managing Research Information lecture notes, 2011) (University of London (2008) para. 1-8, pg. 3)

Rights of Data Subjects

1. Access to data - This allows individuals to access the information held about them on the system and in paper records.
2. Prevent processing likely to cause damage or distress (and to take action if it does) - If data is being processed in a way that causes, or is likely to cause, the customer substantial and unwarranted damage or distress, the customer has the right to require the Spa to stop.
3. Prevent processing for direct marketing - A data subject has the right to ask the data controller to stop, or not to begin, processing data about them for direct marketing purposes.
4. Prevent purely automated decision taking - A data subject has the right to require that no decision which significantly affects them is based solely on automated processing of their data. The Spa should set clear policies and share responsibilities between staff so that decisions about customers are reviewed by a member of staff.
5. Right to compensation for inaccuracy of data, or for loss, destruction or disclosure of data to unauthorised people - Compensation can be claimed by the data subject from the data controller for any damage or distress caused by a breach of the Act.
6. Right to have inaccuracies put right and sometimes to have data erased - The individual may require the organisation to correct inaccurate data and, by applying to the Court, may have inaccurate data rectified, blocked, erased or destroyed. (FdA Managing Research Information lecture notes, 2011) (FdA Managing Research Information - DPA Handout (pdf) pg. 4)

Roles and Responsibilities

The job roles and their responsibilities within the Spa are:
- Data Controller: Within the Spa, the data controller has a responsibility under the DPA (1998) to take appropriate security measures to protect the personal data of customers and staff. If the Data Controller breaches this policy through the loss, damage or corruption of any personal data, the breach may lead to enforcement action by the Information Commissioner, and any member of staff responsible will face penalties decided by the Manager.
- Manager: An important part of being a spa manager is selecting the right candidates for the organisation. The manager deals with the whole of the organisation, e.g. advertising, staff rota, health and safety and meetings. It is up to the manager whether a member of staff faces penalties, depending on what has occurred (The Good Spa Guide (2002) para. 3, pg. 1).
- Administration Staff: Within the Spa, administrative staff carry out office support activities on behalf of the manager. In the absence of the Spa Manager they maintain the procedures manually to ensure the day-to-day running of the spa is efficient, e.g. handling all enquiries, arranging call-backs, supervising staff and booking in clients. Inappropriate use of personal data by administrative staff may lead to dismissal.
- Treatment Staff: Providing a pleasant atmosphere, excellent knowledge of retail products for all clients, making sure all treatments are carried out effectively and booking in clients accurately. If a breach is made through inaccurate data or insufficient customer service, a verbal warning may be given; where damage results, action against the employee may go as far as legal proceedings.

Standards and Procedures

All legal rules stay the same online and face-to-face, and the business must not overstep the statutes and regulations that apply to it, which is what makes its terms legally binding on all customers (Steingold, F. 2011 pg. 325). To check how well the business is performing, a summary report shows the difference between products and services, including costs and total spending (view Appendix 6). The report shows how well the Spa is doing, including the top services and the services that may need to be improved. The business is monitored and reviewed annually to check on performance.

When customers book treatments, their main details are entered on the system through the customer booking form (view Appendix 3). Each customer's name, full address, treatment, dates and payment details are held electronically on the system. To secure the data, the system must be protected with a password, which must be changed regularly, so that the data cannot be lost, damaged or accessed by anyone who is not authorised. Staff access to the database is monitored and recorded on a day-to-day basis by the manager. Regular checks are made on the data: customers can be contacted via email or letter to confirm their details, and if any details change, customers should contact the Spa to avoid errors, as this is the customer's responsibility (view Appendix 5). Staff are trained once or twice a week to update their knowledge and skills, by guest speakers from professional spas and bodies and by the manager, to gear the staff to strive for excellence. Customers' data is kept on the database only for as long as is necessary.

References

Bali Spa & Wellness (2006a) Objectives & Programs. http://www.balispawellness-association.org/objectives-programs.html - accessed 10/11/11 [i.p. 1]
FdA Managing Research Information - DPA Handout (pdf), Semester 1 [i.p. 2-3]
FdA Managing Research Information lecture notes, Semester 1 2011 (24/10/11) [i.p. 3-5]
Steingold, F. (2011) Legal Guide for Starting & Running a Small Business [i.p. 6]
The Good Spa Guide (2002) Working in the Spa Industry. http://www.goodspaguide.co.uk/questions/Working-in-the-spa-industry/116-What-is-the-role-of-a-spa-manager.cfm - accessed 10/11/11 [i.p. 6]
Turn 2 Us (2009) The Data Protection Act (DPA) 1998 - Definitions. http://www.turn2us.org.uk/confidentiality__privacy/data_protection_policy.aspx - accessed 10/11/11 [i.p. 3]
UK Hairdressers (2000) Health and Safety. http://www.ukhairdressers.com/starting%20your%20own%20salon/Health%20and%20Safety.asp - accessed 10/11/11 [i.p. 1-2]
University of London (2008) Data Protection Policy: Overview of the Data Protection Act 1998. http://www.soas.ac.uk/infocomp/dpa/policy/overview - accessed 10/11/11 [i.p. 2-3]