MAD Academy needs to collect and use certain types of information about customers and other individuals who come into contact with us. This personal information may, at times, also be sensitive, such as information regarding health matters. This personal information must be dealt with properly, however it is collected, recorded and used – whether on paper, in a computer, or recorded on other material. To do this, MAD Academy and MAD Academy Franchisees must comply with the Data Protection Principles which are set out in the Data Protection Act 1998.

Statement of Policy

MAD Academy regards the lawful and correct treatment of personal information as very important and therefore ensures that personal information is treated lawfully and correctly.

Roles and Responsibilities

MAD Academy franchisees are considered to be data controllers, as well as MAD Academy Head Office. As Franchisees own their own businesses and are self-employed, they determine the purpose for which they collect personal data and control how that data is processed. Franchisees are responsible for ensuring their agents collect, process and store personal information in accordance with this policy.

Procedures

MAD Academy Head Office and MAD Academy Franchisees must:

  • Process all personal information fairly and lawfully
  • Use personal information only for the purpose for which it was originally collected. Head Office will ensure all data collection forms make it clear why and how the data will be used.
  • Collect and use only relevant information required for the effective running of the business
  • Keep personal information accurate and up to date. Franchisees are responsible for checking that any information that they provide to the MAD Academy Head Office in connection with their franchise contract is accurate and up to date. They are also responsible for informing Head Office of any changes to information that they have provided, e.g. changes of address.
  • Only keep personal information for as long as the purpose for which it was collected requires
  • Take reasonable measures to guard against accidental loss of personal data, such as using password protection on the computer and keeping only a limited number of copies of the customer database, in a secure place.
  • Not transfer personal data to a third party without the express consent of the person involved. When emailing customers, email addresses must always be blind carbon copied so no other recipients can see the email distribution list.
  • Destroy personal data in a secure manner, such as by shredding it, when it is no longer required.
  • Upon request, provide all franchisees, agents, customers and other relevant people with a statement regarding the personal data held about them. This will state all the types of data held and processed about them, and the reasons for which they are processed. All requests for personal information will be complied with as quickly as possible, and within the 40 days stipulated by the 1998 Act.
  • This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.