1.1 Background and Legal Framework
The General Data Protection Regulation (GDPR) protects the rights and freedoms of individuals with regard to the use of their personal data by regulating how organisations may use it.
Churchdown Players is committed to protecting the personal information it collects and uses about members and supporters (the data subjects), in order to comply with the law.
Churchdown Players regards personal data as critical to its ability to stage drama and similar entertainments in Churchdown. The protection of personal data is part of our commitment to the protection of children, young people and adults. Churchdown Players is committed to supporting committee members to operate in compliance with the GDPR, protecting individuals and the organisation against the risks of a data breach.
The Policy outlines how Churchdown Players will ensure compliance with the GDPR and related legislation.
The Policy applies to all members (full or temporary members) and anyone who processes personal data.
Processing data is a broad term. It encompasses obtaining, recording or collecting data; organising, adding to or altering it; retrieving (viewing), consulting or using it; disclosing or transmitting it (e.g. in an email or by posting it); and erasing or destroying it.
Personal data means any information relating to an identifiable person who can be directly or indirectly identified. There are many obvious examples, such as name and address. Some less obvious examples include email addresses, photographs and video recordings.
The Policy applies to all personal data that Churchdown Players processes, as a Data Controller and as a Data Processor.
3. Policy Statement
Anyone who processes or uses any personal information must at all times follow the six data protection principles established in the GDPR. These are that personal data shall be:
• Processed lawfully, fairly and in a transparent manner in relation to individuals
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• Adequate, relevant and limited to what is necessary
• Accurate and where necessary kept up to date
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed
• Processed in a manner that ensures appropriate security of the personal data
In addition, personal data shall not be transferred to a country outside of the European Economic Area unless the transfer meets the requirements for ensuring an equivalent level of protection, appropriate safeguards or another derogation.
Churchdown Players must respect the rights of data subjects regarding the processing of their data.
Churchdown Players must demonstrate its compliance with the GDPR principles through comprehensive, proportionate governance.
Where a member of the group makes an unauthorised disclosure of data in breach of this policy, this will be treated as a serious matter.
Members, in some circumstances, can also be held criminally liable if data is unlawfully disclosed.
4. Roles and Responsibilities
4.1 How Churchdown Players will manage Data Protection
The Committee is responsible for ensuring that the group is fully compliant with the law and best practice for handling personal information. The Committee will:
• Approve group policies and procedures for handling personal information, including privacy statements
• Review developments in good practice and Codes of Practice issued by the Information Commissioner that have a bearing on group activities, updating group policies and procedures as appropriate
• Allocate resources to enable the Data Protection Policy to be practically and proactively applied within the group.
• Ensure that the group's policies are matched to its business needs, that the appropriate links are made between Data Protection, Information Security, Records Management and Freedom of Information, and that a co-ordinated approach to these issues is adopted and maintained.
The key to achieving high standards in handling personal information is recognising that the primary responsibility lies with the Members who are responsible for deciding how the personal information is used. Committee members of each area of the group will:
• Ensure they are satisfied with the legality of holding and using the information
• Ensure that the use of personal data complies with all appropriate group policies
• Ensure that members comply with this policy
• Refer any non-routine requests for disclosure, subject access requests and other data protection requests to the Data Protection Officer immediately, being aware of the time limits for responding to the requests
All members are likely to have access to some personal information in the course of planning and staging a production. They will:
• Act in accordance with this policy and associated procedures
• Report all potential data breaches immediately
• Respect the privacy and confidentiality rights of all data subjects
• Be careful that personal information is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party; this includes making sure that casual access to data is not possible on screen or otherwise
• Only use personal information for approved purposes and ensure that they comply with any instructions and guidelines about the use of personal data
• Consult the Data Protection Officer regarding any proposed new uses of personal data
• Keep all personal data secure
• Check that the information they provide to the group in connection with their membership is accurate and up-to-date and inform the group of changes to or errors in information held
4.2 Data Protection Controls
• When not required, hard copy data should be kept in a locked drawer or filing cabinet
• Members should make sure hard copy records are not left where unauthorised people could see them, such as on a printer
• Hard copy records should be shredded and disposed of securely when no longer required
• The length of time data will be held is defined by a Data Retention audit schedule
When data is stored electronically it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
• Data should be protected by strong passwords that are regularly changed and never shared between Members
• If data is stored on removable media these should be stored securely when not being used
• Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud computing service
• Data should be backed up frequently, with regular testing of backups in line with the group's standard backup procedures
• Data should never be saved directly to laptops or other mobile devices
• All servers and computers containing data should be protected by approved security software and a firewall
• When working with personal data, Members should ensure their screens are locked when left unattended
• Personal data should not be shared informally
• Personal data should never be transferred outside of the European Economic Area
• Members should not save copies of personal data to their own computers
It is the responsibility of all members who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible:
• Data will be held in as few places as necessary; members should not create any unnecessary additional data sets
• Data should be updated as inaccuracies are discovered
To ensure that this policy is effective, we will:
• Review it at least every 3 years, or when there are changes to legislation and/or significant changes to our operation
• Make any such changes known to members and other service users