Document:     Data Protection Policy

Status              Published

 

Responsibility:

It is the responsibility of the Directors to ensure procedures are in place to ensure that the Stayfree Music Ltd complies with Data Protection legislation e.g. including but not limited to the General Data Protection Regulation (GDPR) and current UK Data Protection legislation.

 

Contents:

 1. Introduction

2. Scope

3. Responsibilities

4. The Requirements

5. Notification

6. Privacy Notices

7. Conditions for Processing

8. Data Protection Officer

9. Data Protection Impact Assessments

10. Data Breaches

11. Contracts

12. Consent

13. Information Society Services

14. Direct Marketing

15. Provision of Data

16. The Individual’s Right

17. Provision of Data to Children

18. Parents’ Rights

19. Information Security

20. Maintenance of Up to Date Data

21. Inaccurate Data

22. Recording of Data

23. Photographs

24. Breach of the Policy

25. Further Information

26. Review of the Policy

27. Glossary

 

1. Introduction

 

In order to operate efficiently Stayfree Music Ltd has to collect and use information about people with whom it works and customers it provides services to. These may include members of the public, current, past and prospective employees, clients and customers, and suppliers. In addition it may be required by law to collect and use information in order to comply with the requirements of central government.

 

Stayfree Music Ltd is committed to ensuring personal data is properly managed and that it ensures compliance with current data protection legislation. Stayfree Music Ltd will make every effort to meet its obligations under the legislation and will regularly review procedures to ensure that it is doing so.

 

2. Scope

 

This policy applies to all employees, contractors, agents and representatives, volunteers and temporary staff working for or on behalf of Stayfree Music Ltd.

 

This policy applies to all personal data created or held by Stayfree Music Ltd in whatever format (e.g. paper, electronic, email, microfiche, film) and however it is stored, (for example ICT system/database, shared drive filing structure, workbooks, email, filing cabinet, shelving and personal filing drawers).

 

Personal data is information about living, identifiable individuals, or an identifier or identifiers that can be used to identify a living individual.  It covers both facts and opinions about the individual.  Such data can be part of a computer record or manual record.

 

Current data protection legislation does not apply to access to information about deceased individuals. However, the duty of confidentiality may continue after death.

 

3. Responsibilities

 

Overall responsibility for ensuring that Stayfree Music Ltd meets the statutory requirements of any data protection legislation lies with the board of directors on behalf of the Company.  They have delegated the day-to-day responsibility of implementation to Caroline Wright

 

Ian Redhead is responsible for ensuring compliance with data protection legislation and this policy within the day-to-day activities of Stayfree Music Ltd. Caroline Wright is responsible for ensuring that appropriate training is provided for all staff.

 

All contractors who hold or collect personal data on behalf of Stayfree Music Ltd by way of written contract are responsible for their own compliance with data protection legislation and must ensure that personal information is kept and processed in line with data protection legislation and only upon instruction from Stayfree Music Ltd via a contract.

 

4. The Requirements

 

Data protection legislation stipulates that anyone processing personal data must comply with principles of good practice; these principles are legally enforceable. The 6 principles require that personal data:

 

1. Shall be processed fairly and lawfully and transparently;

2. Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;

3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;

4. Shall be accurate and where necessary, kept up to date;

5. Shall not be kept for longer than is necessary for that purpose or those purposes;

6. Shall be kept secure i.e. protected by an appropriate degree of security;

 

In addition the data shall be processed in accordance with the rights of data subjects. (See Part 9.)

 

Personal data shall also not be transferred to a country unless that country or territory ensures an adequate level of data protection or another secure method of transfer is guaranteed.

 

5. Notification

 

The Digital Economy Act 2017 requires every data controller who is processing personal data, to notify and renew their notification, on an annual basis.  Failure to do so is a criminal offence. The Information Commissioner maintains a public register of data controllers, in which Stayfree Music Ltd must be registered.

 

Stayfree Music Ltd will review the Data Protection Register (https://ico.org.uk/esdwebpages/search) annually, prior to renewing its notification to the Information Commissioner.

 

6. Privacy Notices

 

Whenever information is collected about individuals they must be made aware of the following at that initial point of collection:

 

• The identity of the data controller, e.g. Stayfree Music Ltd

• Contact details of the Data Protection Officer (if one is required by law);

• The purpose that the information is being collected for;

• Any other purposes that it may be used for;

• What the lawful basis is for processing the data;

• Who the information will or may be shared with;

• If the data is transferred outside of the EU, and if yes, how is it kept secure;

• How long the data will be kept for; and

• How data subjects can exercise their rights.

 

Stayfree Music Ltd will review its Privacy Notice every three years and alert customers to any major updates.

 

7. Conditions for Processing

 

Processing of personal information may only be carried out where one of the conditions of Article 6 of the GDPR has been satisfied.

 

Processing of special category (sensitive) personal data may only be carried out if a condition in Article 9 of the GDPR is met as well as one in Article 6.

 

8. Data Protection Officer

 

Stayfree Music Ltd shall appoint a Data Protection Officer in line with the requirements of the GDPR if one is required by law.

 

9. Data Protection Impact Assessments

 

Stayfree Music Ltd shall undertake high risk Data Protection Impact Assessments in line with the requirements of the GDPR and as per the Information Commissioner’s Office (ICO) guidance.

 

10. Data Breaches

 

All employees, governors, contractors, agents and representatives, volunteers and temporary staff shall report a security incident or data breach immediately to senior management.

 

Stayfree Music Ltd shall report any personal data breach to the ICO in line with the requirements of the GDPR.

 

11. Contracts

 

Stayfree Music Ltd shall ensure that a legally binding contract is in place with all of its data processors in line with the requirements of the GDPR.

 

12. Consent

 

Where Stayfree Music Ltd processes data with consent (for example, to publish photographs of customers, to send direct marketing emails) it will ensure that the consent is freely given, specific, informed and unambiguous, and the consent is recorded.

 

13. Information Society Services

 

Where Stayfree Music Ltd offers Information Society Services (online services with a commercial element) targeted at children, it will take reasonable steps to seek the consent of the child’s parent or guardian if the child is under 13 years of age.

 

14. Direct Marketing

 

Where Stayfree Music Ltd sends any direct marketing (the promotion of aims and ideals as well as selling goods and services) via electronic communications e.g. email, SMS text, fax or recorded telephone messages, it will only do so if the recipient has given explicit consent to receive them e.g. has ticked a box to ‘opt in’.

 

15. Provision of Data

 

It is a criminal offence to knowingly or recklessly obtain or disclose information about an individual without legitimate cause.

 

Stayfree Music Ltd should not disclose anything about individuals which would be likely to cause serious harm to their physical or mental health or that of anyone else.

 

When giving information to an individual, particularly by telephone, it is most important that the individual’s identity is verified.  If in doubt, questions should be asked of the individual, to which only he/she is likely to know the answers.  Information should not be provided to other parties, even if related.

 

16. The Individual’s Rights

 

Any person whose details are held by Stayfree Music Ltd is entitled to ask for a copy of information held about them (or child for which they are responsible).  They are entitled to see if the data held are accurate, and who it is shared with.

 

When a request is received it must be dealt with promptly; a response must be provided as soon as possible and within one month unless it is manifestly unfounded or excessive.  All staff must recognise and log such a request with senior management.

 

Stayfree Music Ltd cannot charge for responding to a subject access request unless the request is repeated manifestly unfounded or excessive.

 

When providing the information Stayfree Music Ltd must also provide a description of why the information is processed, details of anyone it may be disclosed to and the source of the data.

 

Staff of Stayfree Music Ltd must also recognise and log the following requests with senior management, and all must be answered within one month:

 

• Right to Rectification

• Right to Erasure

• Right to Restriction

• Right to Portability

• Right to Object

• Right to Prevent Automated Processing

• Right to Complain

 

17. Provision of Data to Children

 

In relation to the capacity of a child to make a subject access request, guidance provided by the Information Commissioner’s Office has been that by the age of 12 a child can be expected to have sufficient maturity to understand the nature of the request.  A child may of course reach sufficient maturity earlier; each child should be judged on a case by case basis.

 

If the child does not understand the nature of the request, someone with parental responsibility for the child, or a guardian, is entitled to make the request on behalf of the child and receive a response.

 

18. Parents’ Rights

 

An adult with parental responsibility can access the information about their child, as long as the child is not considered to be sufficiently mature. They must be able to prove their parental responsibility and Stayfree Music Ltd is entitled to request relevant documentation to evidence this as well as the identity of the requestor and child. Stayfree Music Ltd has the right to ask the Child if they object to release of information to the Parent if the Child is deemed mature enough to make such a decision.

 

19. Information Security

 

All members of staff should be constantly aware of the possibility of personal data being seen by unauthorised personnel.  For example, possibilities may arise when computer screens are visible to the general public; files may be seen by the cleaners if left on desks overnight (all papers must be locked in cabinets when not in use).

 

The use of computer passwords is a requirement of Stayfree Music Ltd to avoid unauthorised access.  All removable devices e.g. laptops, USB sticks, personal mobile phones and digital cameras must not be used to store personal data unless they comply with a BYOD policy, and should be encrypted and passworded wherever possible.

 

All members of staff should take care when transporting paper files between sites. No personal data is ever to be left unattended off site e.g. in a car overnight, on view to family members when working at home.

 

All members of staff should take care when emailing personal data and always check the email address is correct and the right attachment has been attached. When copying to several people externally, all members of staff should always use the BC field and not the CC field or create a group.

 

20. Maintenance of Up to Date Data

 

Out of date information should be discarded if no longer relevant.  Information should only be kept as long as needed, for legal or business purposes.  In reality most relevant information should be kept for the period during which the person is associated with the Stayfree Music Ltd plus an additional period which the Stayfree Music Ltd has determined. Under GDPR Stayfree Music Ltd must produce a Retention and Disposal Policy to clarify this.

 

21. Inaccurate Data

 

If an individual complains that the personal data held about them is wrong, incomplete or inaccurate, the position should be investigated thoroughly including checking with the source of the information.  This must be answered within one month. In the meantime a caution should be marked on the person’s file that there is a question mark over the accuracy.  An individual is entitled to apply to the court for a correcting order and it is obviously preferable to avoid legal proceedings by working with the person to correct the data or allay their concerns.

 

22. Recording of Data

 

Records should be kept in such a way that the individual concerned can inspect them.  It should also be borne in mind that at some time in the future the data may be inspected by the courts or some legal official.  It should therefore be correct, unbiased, unambiguous, factual and clearly decipherable/readable.  Where information is obtained from an outside source, details of the source and date obtained should be recorded.

 

Any person whose details, or child’s details, are to be included on Stayfree Music Ltd website will be required to give written consent unless it is a legal requirement. At the time the information is included all such individuals will be properly informed about the consequences of their data being disseminated worldwide.

 

23. Photographs

 

Whether or not a photograph comes under the data protection legislation is a matter of interpretation and quality of the photograph.  However, Stayfree Music Ltd takes the matter extremely seriously and seeks to obtain permission for the use of photographs outside Stayfree Music Ltd and, in particular, to record their wishes if they do not want photographs to be taken.

 

24. Breach of the Policy

 

Non-compliance with the requirements of data protection legislation by the members of staff could lead to serious action being taken by third parties against Stayfree Music Ltd.  Non-compliance by a member of staff is therefore considered a disciplinary matter which, depending on the circumstances, could lead to dismissal.  It should be noted that an individual can commit a criminal offence under the law, for example, by obtaining and/or disclosing personal data for his/her own purposes without the consent of the data controller.

 

25. Further Information

 

Further advice and information about data protection legislation, including full details of exemptions, is available from the ICO website at www.ico.org.uk.

 

26. Review of the Policy

 

This policy is to be reviewed every three years.

 

27. Glossary

 

Data Controller  - A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files.

Data Subject - The individual who the data or information is about

Information Commissioner  - The independent regulator who has responsibility to see that the data protection legislation is complied with.  They can give advice on data protection issues and can enforce measures against individuals or organisations who do not comply with the law.

Notified Purposes   - The purposes for which Stayfree Music Ltd is entitled to process that data under its notification with the Office of the Information Commissioner.

Personal Data - Defined as ‘data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller’ or an identifier (Stayfree Music Ltd is a data controller), and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other in respect of the individual.

Processing  - covers a broad range of activities such that virtually any use of personal information or data will amount to processing. Just holding or storing the data constitutes processing.

Processed fairly and lawfully - Data must be processed in accordance with the provisions of data protection legislation.  These include the data protection principles, the rights of the individual and notification.

Special Category (sensitive) Data  - Information about racial or ethnic origin, sexual life, religious beliefs (or similar), physical or mental health/condition, membership of a trade union, political opinions or beliefs, or biometric or genetic data.

Subject Access Request - An individual’s request for personal data under the General Data Protection Regulation.