Confidentiality and Client Privacy - Manager Reference
Data Breach Response
A data breach is any incident where client or business information may have been accessed, disclosed, or lost without authorization. Act quickly - delays increase harm and legal exposure.
Response Checklist
- Assess scope - determine what information was affected, how many clients are impacted, and whether the breach is ongoing
- Contain - take immediate action to stop the breach (change passwords, revoke access, secure physical records, disconnect compromised devices)
- Preserve evidence - do not delete logs, emails, or records related to the breach
- Notify the salon owner immediately
- Document everything: what happened, when it was discovered, what data was affected, what actions were taken, and a timeline of events
- Determine notification obligations (see CCPA section below)
- Notify affected clients if required - use clear, plain language explaining what happened, what data was involved, and what the salon is doing about it
- Report to law enforcement if the breach involves theft, unauthorized access, or criminal activity
- Implement corrective measures to prevent recurrence
- Conduct a post-incident review within one week - what went wrong, what can be improved
CCPA Obligations
The California Consumer Privacy Act (CCPA) applies to businesses that meet certain thresholds. Even if the salon falls below the CCPA's revenue and data volume thresholds, California's general data breach notification law (Civil Code § 1798.82) requires notification when unencrypted personal information is compromised.
When Client Notification Is Required
You must notify affected California residents when there is an unauthorized acquisition of unencrypted personal information, including:
- Name combined with Social Security number, driver's license number, or financial account/credit card number
- Login credentials (username + password)
- Medical or health insurance information
Notification Requirements
- Notify affected individuals in the most expedient time possible and without unreasonable delay
- Notification must include: what happened, what information was involved, what the salon is doing, what the individual can do, and contact information
- If more than 500 California residents are affected, also notify the California Attorney General
When in doubt about notification obligations, consult legal counsel immediately. The cost of a brief legal consultation is far less than the cost of failing to notify.
Auditing SalonBiz Access
Periodically audit who has access to SalonBiz and what they are doing with it.
What to Check
| Check | Frequency |
|---|---|
| Active user accounts - deactivate separated employees | At every employee separation and monthly |
| Password last changed - flag accounts unchanged for 90+ days | Quarterly |
| Access levels - confirm each user's role matches their job duties | Quarterly |
| Unusual activity - client record lookups with no corresponding appointment | As reported or monthly spot-check |
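The four table checks as a script, added here as an example and not taken from this reference or from SalonBiz itself: the account fields, the lookup and appointment records, and the job-title-to-role mapping are assumptions, since SalonBiz's actual export format is not described on this page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed account records. SalonBiz's real export format is not documented on
# this page, so the fields below are assumptions modelled on the audit table.
@dataclass
class Account:
    user: str
    role: str             # permission level assigned in the system
    job_title: str        # duties per HR records
    active: bool
    password_changed: date
    separated: Optional[date] = None  # last day of work, if the employee has left

# Assumed mapping of job title to the permission level it should carry.
EXPECTED_ROLE = {"stylist": "service_provider", "front_desk": "front_desk", "manager": "manager"}

def audit_accounts(accounts, today, max_pw_age_days=90):
    """Account checks from the table: separated-but-active, stale password, role mismatch."""
    findings = []
    for a in accounts:
        if a.separated is not None and a.active:
            findings.append((a.user, "separated employee still active"))
        age = (today - a.password_changed).days
        if a.active and age >= max_pw_age_days:
            findings.append((a.user, f"password unchanged for {age} days"))
        if a.active and EXPECTED_ROLE.get(a.job_title) != a.role:
            findings.append((a.user, f"role {a.role} does not match job title {a.job_title}"))
    return findings

def audit_lookups(lookups, appointments, window_days=7):
    """Flag client record lookups with no appointment for that client within window_days.
    lookups: (user, client_id, date); appointments: (client_id, date)."""
    return [(u, c, d) for u, c, d in lookups
            if not any(ac == c and abs((ad - d).days) <= window_days for ac, ad in appointments)]

# Constructed sample data for one monthly review.
TODAY = date(2026, 3, 31)
ACCOUNTS = [
    Account("maria", "service_provider", "stylist", True, date(2026, 2, 1)),
    Account("jordan", "manager", "front_desk", True, date(2025, 11, 1)),  # over-privileged, stale password
    Account("sam", "service_provider", "stylist", True, date(2026, 3, 1), separated=date(2026, 3, 15)),
]
APPOINTMENTS = [("C1001", date(2026, 3, 20)), ("C1002", date(2026, 3, 28))]
LOOKUPS = [("maria", "C1001", date(2026, 3, 20)), ("jordan", "C1003", date(2026, 3, 29))]

if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, TODAY) + audit_lookups(LOOKUPS, APPOINTMENTS):
        print(finding)
```

Each finding names the account to review; a flagged lookup is a prompt to ask the employee about it, not a conclusion on its own.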
Deactivation at Separation
When an employee leaves the salon:
- Deactivate their SalonBiz account on their last day of work - do not wait
- Change any shared passwords they had access to (Wi-Fi, front desk devices, vendor portals)
- Collect any devices, keys, or materials that provide access to salon systems
- Confirm deactivation by attempting to log in with their credentials
See Technology and Equipment - Manager Reference for the full separation checklist.
Handling Accidental Disclosures
Accidental disclosures happen - an employee discusses a client's service within earshot of another client, or leaves a client file open on a screen. How you respond matters.
Response Process
- Address it immediately - if you witness the disclosure, intervene to stop it
- Speak with the employee privately - explain what happened and why it is a concern
- Assess the impact - was any sensitive information (health details, payment info) disclosed? To whom?
- If a client's sensitive information was disclosed to another client: consider whether you need to inform the affected client. Use your judgment - if the information was minor (e.g., appointment time), a proactive notification may cause more concern than the disclosure itself. If it was health or financial information, notify the client.
- Document the incident - even for minor disclosures, create a brief written record
- Coach or discipline based on severity - first-time unintentional disclosure warrants coaching; repeated carelessness warrants progressive discipline
Client Photo Consent
Tracking Consent
- Signed photo release forms are available at the front desk
- File signed release forms in the client's record (physical file or scanned into SalonBiz notes)
- Note in SalonBiz whether the client has a release on file and what it covers (personal portfolio, salon social media, both)
Unauthorized Posts
If you discover a photo posted without proper consent:
- Have the employee remove the post immediately
- If it was posted on a salon account, remove it yourself
- Contact the client to apologize and confirm the photo has been removed
- Document the incident
- Issue a written warning - posting without consent is a serious violation of client trust
- If the client requests further action (written apology, confirmation of deletion from all platforms), comply promptly
Consent Withdrawal
If a client contacts the salon to withdraw consent for a previously authorized photo:
- Remove the photo from all salon-controlled platforms within 24 hours
- Notify the employee who posted it to remove it from their personal accounts
- Update the client's consent record
- Confirm removal to the client
Intake Form and Health Information Management
Storage
- Paper intake forms: Stored in a locked filing cabinet accessible only to the salon manager and the service provider assigned to the client
- Digital intake forms: Password-protected in SalonBiz or the salon's secure system - access limited to the service provider and management
Retention
Retain client intake forms and health information for a minimum of three years after the client's last visit. This supports continuity of care and provides documentation if a liability claim arises.
Destruction
When destroying client records past the retention period:
- Paper records: Cross-cut shred. Do not place in regular recycling or trash.
- Digital records: Delete from all systems, including backups if accessible
- Document what was destroyed, the date, and who performed the destruction
Shredding and Document Disposal
Any printed document containing client or employee personal information must be shredded before disposal. This includes:
- Client intake forms, consultation notes, and printed appointment lists
- Printed receipts with client names or payment details
- Employee applications, personnel documents, and pay stubs
- Any printed reports from SalonBiz containing client or financial data
Shredding protocol:
- Use the cross-cut shredder located at [designated location]
- Shred documents the same day they are identified for disposal - do not accumulate a pile of documents awaiting shredding
- If the shredder is broken, store documents in a locked container until it is repaired
Privacy violations carry legal and reputational consequences. If you suspect a data breach or are unsure whether a disclosure triggers notification obligations, consult the salon owner and legal counsel immediately.
Last reviewed: March 2026