Chrysalis Holidays

Chrysalis Holidays – Data Protection Policy

THE DATA COLLECTION PROCESS

• Care profile data is collected via email, post and in person. Once transferred to the main database any written notes are shredded and emails are deleted.
  • Guest personal expenditure & Medication Administration records are created throughout a holiday. Paper copies are scanned to computer at the end of the holiday. All paper & digital copies are destroyed after six years.
  • Staff contact details, employment history and references are collected during recruitment.

DATA IS HELD SECURELY

• On a password protected database, and company computers.
  • One Care Profile paper copy is printed and stored in a locked cupboard between holidays.
  • Personnel files are stored both electronically and in paper form (as above). 
  • Staff are made aware that breaches of confidentiality amount to gross misconduct and may lead to disciplinary procedures and possible dismissal.
  • All customers and staff have a right to request copies of any data we are holding relevant to them and we will aim to provide them with this within 72 hours of the request being made.

WHY THE DATA IS NEEDED AND WHAT IT WILL BE USED FOR

• Fields of customer data collected: Contact, medical, abilities, support needs, interests.  
  • Data collected for the purpose of publicising our holiday programme, relaying necessary information and providing safe & enjoyable holidays.
  • Information will be kept up to date through regular reviews.
  • If no contact has been made within 6 years, data will automatically be deleted. 
  • Staff details are used solely for the purpose of effective employment. They are deleted one year after the cessation of employment.

HOW TO IDENTIFY IF A BREACH HAS BEEN MADE AND WHAT TO DO

• A breach can be assumed if the following has taken place (list not exhaustive): 
  • A company computer/tablet has been stolen or infected by a virus/malware
  • A USB stick, used to transfer company data has been lost
  • The locked office cabinet has been stolen or broken in to
  • If the event of a breach, report situation to the Information Commissioner’s Office (ICO) within 72 hours on 0303 123 1113 or go to https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/
  • The designated person within Chrysalis responsible for data protection is Andy Hammond

DATA CAPTURE STATEMENT (CUSTOMERS)

‘Chrysalis Holidays will only use this data for the purpose of providing a safe and effective supported holiday service, and to inform of future holidays through the annual brochure. Data will be securely held and deleted if 6 years elapse without contact. Information will not be shared with any 3rd party, with the exception of to medical professionals when necessary.’

DATA CAPTURE STATEMENT (STAFF)

‘Chrysalis Holidays will only use your data for the purpose of providing effective employment. Data will be securely held and deleted 1 year after employment has ceased. Your information will not be shared with any 3rd party. 

As an employee you will have access to personal customer information. Disclosing this information recklessly or unnecessarily can amount to gross misconduct.’