Document: Data Protection Policy
Status: Published
Responsibility:
It is the responsibility of the Directors to ensure procedures are in place so that Stayfree Music Ltd complies with Data Protection legislation, including but not limited to the General Data Protection Regulation (GDPR) and current UK Data Protection legislation.
Contents:
1. Introduction
2. Scope
3. Responsibilities
4. The Requirements
5. Notification
6. Privacy Notices
7. Conditions for Processing
8. Data Protection Officer
9. Data Protection Impact Assessments
10. Data Breaches
11. Contracts
12. Consent
13. Information Society Services
14. Direct Marketing
15. Provision of Data
16. The Individual’s Rights
17. Provision of Data to Children
18. Parents’ Rights
19. Information Security
20. Maintenance of Up to Date Data
21. Inaccurate Data
22. Recording of Data
23. Photographs
24. Breach of the Policy
25. Further Information
26. Review of the Policy
27. Glossary
1. Introduction
In order to operate efficiently, Stayfree Music Ltd has to collect and use information about people with whom it works and customers to whom it provides services. These may include members of the public; current, past and prospective employees; clients and customers; and suppliers. In addition, it may be required by law to collect and use information in order to comply with the requirements of central government.
Stayfree Music Ltd is committed to ensuring personal data is properly managed and that it ensures compliance with current data protection legislation. Stayfree Music Ltd will make every effort to meet its obligations under the legislation and will regularly review procedures to ensure that it is doing so.
2. Scope
This policy applies to all employees, contractors, agents and representatives, volunteers and temporary staff working for or on behalf of Stayfree Music Ltd.
This policy applies to all personal data created or held by Stayfree Music Ltd in whatever format (e.g. paper, electronic, email, microfiche, film) and however it is stored (for example ICT system/database, shared drive filing structure, workbooks, email, filing cabinet, shelving and personal filing drawers).
Personal data is information about living, identifiable individuals, or an identifier or identifiers that can be used to identify a living individual. It covers both facts and opinions about the individual. Such data can be part of a computer record or manual record.
Current data protection legislation does not apply to access to information about deceased individuals. However, the duty of confidentiality may continue after death.
3. Responsibilities
Overall responsibility for ensuring that Stayfree Music Ltd meets the statutory requirements of any data protection legislation lies with the board of directors on behalf of the Company. They have delegated the day-to-day responsibility for implementation to Caroline Wright.
Ian Redhead is responsible for ensuring compliance with data protection legislation and this policy within the day-to-day activities of Stayfree Music Ltd. Caroline Wright is responsible for ensuring that appropriate training is provided for all staff.
All contractors who hold or collect personal data on behalf of Stayfree Music Ltd by way of written contract are responsible for their own compliance with data protection legislation and must ensure that personal information is kept and processed in line with data protection legislation and only upon instruction from Stayfree Music Ltd via a contract.
4. The Requirements
Data protection legislation stipulates that anyone processing personal data must comply with principles of good practice; these principles are legally enforceable. The 6 principles require that personal data:
1. Shall be processed fairly, lawfully and transparently;
2. Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
4. Shall be accurate and, where necessary, kept up to date;
5. Shall not be kept for longer than is necessary for that purpose or those purposes;
6. Shall be kept secure, i.e. protected by an appropriate degree of security.
In addition the data shall be processed in accordance with the rights of data subjects. (See Part 9.)
Personal data shall also not be transferred to a country unless that country or territory ensures an adequate level of data protection or another secure method of transfer is guaranteed.
5. Notification
The Digital Economy Act 2017 requires every data controller who is processing personal data to notify, and to renew that notification, on an annual basis. Failure to do so is a criminal offence. The Information Commissioner maintains a public register of data controllers, in which Stayfree Music Ltd must be registered.
Stayfree Music Ltd will review the Data Protection Register (https://ico.org.uk/esdwebpages/search) annually, prior to renewing its notification to the Information Commissioner.
6. Privacy Notices
Whenever information is collected about individuals they must be made aware of the following at that initial point of collection:
• The identity of the data controller, e.g. Stayfree Music Ltd;
• Contact details of the Data Protection Officer (if one is required by law);
• The purpose for which the information is being collected;
• Any other purposes for which it may be used;
• The lawful basis for processing the data;
• Who the information will or may be shared with;
• Whether the data is transferred outside the EU and, if so, how it is kept secure;
• How long the data will be kept for; and
• How data subjects can exercise their rights.
Stayfree Music Ltd will review its Privacy Notice every three years and alert customers to any major updates.
7. Conditions for Processing
Processing of personal information may only be carried out where one of the conditions of Article 6 of the GDPR has been satisfied.
Processing of special category (sensitive) personal data may only be carried out if a condition in Article 9 of the GDPR is met as well as one in Article 6.
8. Data Protection Officer
Stayfree Music Ltd shall appoint a Data Protection Officer in line with the requirements of the GDPR if one is required by law.
9. Data Protection Impact Assessments
Stayfree Music Ltd shall undertake Data Protection Impact Assessments for high-risk processing in line with the requirements of the GDPR and the Information Commissioner’s Office (ICO) guidance.
10. Data Breaches
All employees, governors, contractors, agents and representatives, volunteers and temporary staff shall report a security incident or data breach immediately to senior management.
Stayfree Music Ltd shall report any personal data breach to the ICO in line with the requirements of the GDPR.
11. Contracts
Stayfree Music Ltd shall ensure that a legally binding contract is in place with all of its data processors in line with the requirements of the GDPR.
12. Consent
Where Stayfree Music Ltd processes data with consent (for example, to publish photographs of customers, to send direct marketing emails) it will ensure that the consent is freely given, specific, informed and unambiguous, and the consent is recorded.
13. Information Society Services
Where Stayfree Music Ltd offers Information Society Services (online services with a commercial element) targeted at children, it will take reasonable steps to seek the consent of the child’s parent or guardian if the child is under 13 years of age.
14. Direct Marketing
Where Stayfree Music Ltd sends any direct marketing (the promotion of aims and ideals as well as selling goods and services) via electronic communications e.g. email, SMS text, fax or recorded telephone messages, it will only do so if the recipient has given explicit consent to receive them e.g. has ticked a box to ‘opt in’.
15. Provision of Data
It is a criminal offence to knowingly or recklessly obtain or disclose information about an individual without legitimate cause.
Stayfree Music Ltd should not disclose anything about individuals which would be likely to cause serious harm to their physical or mental health or that of anyone else.
When giving information to an individual, particularly by telephone, it is most important that the individual’s identity is verified. If in doubt, questions should be asked of the individual, to which only he/she is likely to know the answers. Information should not be provided to other parties, even if related.
16. The Individual’s Rights
Any person whose details are held by Stayfree Music Ltd is entitled to ask for a copy of the information held about them (or about a child for whom they are responsible). They are entitled to check whether the data held is accurate, and who it is shared with.
When a request is received it must be dealt with promptly; a response must be provided as soon as possible and within one month unless it is manifestly unfounded or excessive. All staff must recognise and log such a request with senior management.
Stayfree Music Ltd cannot charge for responding to a subject access request unless the request is repeated, manifestly unfounded or excessive.
When providing the information Stayfree Music Ltd must also provide a description of why the information is processed, details of anyone it may be disclosed to and the source of the data.
Staff of Stayfree Music Ltd must also recognise and log the following requests with senior management, and all must be answered within one month:
• Right to Rectification
• Right to Erasure
• Right to Restriction
• Right to Portability
• Right to Object
• Right to Prevent Automated Processing
• Right to Complain
17. Provision of Data to Children
In relation to the capacity of a child to make a subject access request, guidance provided by the Information Commissioner’s Office has been that by the age of 12 a child can be expected to have sufficient maturity to understand the nature of the request. A child may of course reach sufficient maturity earlier; each child should be judged on a case-by-case basis.
If the child does not understand the nature of the request, someone with parental responsibility for the child, or a guardian, is entitled to make the request on behalf of the child and receive a response.
18. Parents’ Rights
An adult with parental responsibility can access the information about their child, as long as the child is not considered to be sufficiently mature. They must be able to prove their parental responsibility, and Stayfree Music Ltd is entitled to request relevant documentation to evidence this as well as the identity of the requestor and child. Stayfree Music Ltd has the right to ask the child whether they object to the release of information to the parent if the child is deemed mature enough to make such a decision.
19. Information Security
All members of staff should be constantly aware of the possibility of personal data being seen by unauthorised personnel. For example, possibilities may arise when computer screens are visible to the general public; files may be seen by the cleaners if left on desks overnight (all papers must be locked in cabinets when not in use).
The use of computer passwords is a requirement of Stayfree Music Ltd to avoid unauthorised access. Removable devices, e.g. laptops, USB sticks, personal mobile phones and digital cameras, must not be used to store personal data unless they comply with a BYOD policy, and should be encrypted and password-protected wherever possible.
All members of staff should take care when transporting paper files between sites. No personal data is ever to be left unattended off site, e.g. in a car overnight or on view to family members when working at home.
All members of staff should take care when emailing personal data and always check that the email address is correct and the right attachment has been attached. When copying to several people externally, all members of staff should always use the BCC field rather than the CC field, and should not create a group.
20. Maintenance of Up to Date Data
Out-of-date information should be discarded if no longer relevant. Information should only be kept as long as needed for legal or business purposes. In reality, most relevant information should be kept for the period during which the person is associated with Stayfree Music Ltd plus an additional period which Stayfree Music Ltd has determined. Under GDPR Stayfree Music Ltd must produce a Retention and Disposal Policy to clarify this.
21. Inaccurate Data
If an individual complains that the personal data held about them is wrong, incomplete or inaccurate, the position should be investigated thoroughly including checking with the source of the information. This must be answered within one month. In the meantime a caution should be marked on the person’s file that there is a question mark over the accuracy. An individual is entitled to apply to the court for a correcting order and it is obviously preferable to avoid legal proceedings by working with the person to correct the data or allay their concerns.
22. Recording of Data
Records should be kept in such a way that the individual concerned can inspect them. It should also be borne in mind that at some time in the future the data may be inspected by the courts or some legal official. It should therefore be correct, unbiased, unambiguous, factual and clearly decipherable/readable. Where information is obtained from an outside source, details of the source and date obtained should be recorded.
Any person whose details, or whose child’s details, are to be included on the Stayfree Music Ltd website will be required to give written consent unless it is a legal requirement. At the time the information is included, all such individuals will be properly informed about the consequences of their data being disseminated worldwide.
23. Photographs
Whether or not a photograph comes under the data protection legislation is a matter of interpretation and of the quality of the photograph. However, Stayfree Music Ltd takes the matter extremely seriously and seeks to obtain the permission of the individuals pictured for the use of photographs outside Stayfree Music Ltd and, in particular, to record their wishes if they do not want photographs to be taken.
24. Breach of the Policy
Non-compliance with the requirements of data protection legislation by the members of staff could lead to serious action being taken by third parties against Stayfree Music Ltd. Non-compliance by a member of staff is therefore considered a disciplinary matter which, depending on the circumstances, could lead to dismissal. It should be noted that an individual can commit a criminal offence under the law, for example, by obtaining and/or disclosing personal data for his/her own purposes without the consent of the data controller.
25. Further Information
Further advice and information about data protection legislation, including full details of exemptions, is available from the ICO website at www.ico.org.uk.
26. Review of the Policy
This policy is to be reviewed every three years.
27. Glossary
Data Controller - A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files.
Data Subject - The individual who the data or information is about.
Information Commissioner - The independent regulator who has responsibility to see that the data protection legislation is complied with. They can give advice on data protection issues and can enforce measures against individuals or organisations who do not comply with the law.
Notified Purposes - The purposes for which Stayfree Music Ltd is entitled to process that data under its notification with the Office of the Information Commissioner.
Personal Data - Defined as ‘data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller’ or an identifier (Stayfree Music Ltd is a data controller), and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other in respect of the individual.
Processing - covers a broad range of activities such that virtually any use of personal information or data will amount to processing. Just holding or storing the data constitutes processing.
Processed fairly and lawfully - Data must be processed in accordance with the provisions of data protection legislation. These include the data protection principles, the rights of the individual and notification.
Special Category (sensitive) Data - Information about racial or ethnic origin, sexual life, religious beliefs (or similar), physical or mental health/condition, membership of a trade union, political opinions or beliefs, or biometric or genetic data.
Subject Access Request - An individual’s request for personal data under the General Data Protection Regulation.