The Data Protection Act 1998 regulates the processing of information relating to individuals. This includes obtaining, holding, using and disclosing such information. The Act covers computerised records, manual filing systems and card indexes. The policy maintains its guidelines with the GDPR 2018.
TTPAC will hold the minimum personal information necessary to enable it to perform its functions. All such information is confidential and needs to be treated with care to comply with the law.
All paid staff and volunteers will be made aware of this policy and procedure as part of their induction. It will be made freely available to all TTPAC users via our website.
TTPAC paid staff and volunteers – This includes all full and part time paid staff as well as volunteers which includes freelance contracted staff.
This Data Protection Policy will be reviewed every 2 years by the Artistic Director of TTPAC, to ensure that its operation is satisfactory. This policy was created in December 2017. Next review date December 2019.
The use of personal data
TTPAC holds personal data on a variety of individuals including:
- Those who have registered and/or subscribed to, or become members of, TTPAC on behalf of themselves or their organisation.
- Other individuals and organisations with an interest in the organisation.
- Prospective, current and former staff.
- Theatre, charity and funding contacts.
This data is held in both electronic and paper-based formats.
Personal information must be dealt with properly irrespective of how it is collected, recorded, used and disposed of and there are safeguards to ensure this in the Data Protection Act 1998.
For employees and volunteers this will include (but not be restricted to) the conduct of normal business management and employment matters. For others this will include (but not be restricted to) the conduct of TTPAC’s normal business operations.
Data protection principles
TTPAC will process all personal information in accordance with the Data Protection Act and will adhere to the principles of data protection as detailed in the Act. The eight principles require personal information is:
- Accurate and up-to-date.
- Adequate, relevant and not excessive.
- Kept secure, using locked systems for paper work and passcodes for electronic information
- Not be kept for longer than 6 months.
- Not transferred to countries outside the European Economic Area, unless the information is adequately protected.
- Processed in line with the rights of individuals.
- Processed fairly and lawfully.
- Processed for specified purposes.
In addition, TTPAC will ensure that:
- Anyone that wants to make enquiries about handling personal information knows how to do so.
- Employees managing and handling personal information understand they are responsible for following good data protection practice and are appropriately supervised and trained to do so.
- Methods of handling personal information are clearly described.
- Queries about handling personal information are dealt with promptly and courteously.
TTPAC seeks to use personal data only for the purposes of legitimate interests and, where practicable, with consent. Individuals have the right to know what personal data TTPAC holds about them and for this to be correct. Please see the “accessing personal data” section for more information.
It is a condition of employment that staff consent to TTPAC processing their personal data. This is stated in their contract so by signing they signify their agreement. For other individuals and registered groups, TTPAC may gather data during the course of its normal activities. It will be used only for legitimate purposes.
Sensitive personal data
Sensitive personal data is defined under the Act to include matters such as race, gender, health needs, disabilities or family details. Sometimes it is necessary to process sensitive information to ensure TTPAC can operate policies on matters such as sick pay, equal opportunities and protect the health and safety of the individual. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, employees and others affected will be asked to give express consent for TTPAC to do this.
If an individual has a query regarding the accuracy of their personal data, that query will be dealt with fairly and impartially. Individuals have the following rights regarding data processing, and the data that are recorded about them:
- Not to have significant decisions that will affect them taken solely by automated process.
- To be informed about mechanics of automated decision-taking process that will significantly affect them.
- To make subject access requests regarding the nature of information held and to whom it has been disclosed.
- To prevent processing for purposes of direct marketing.
- To prevent processing likely to cause damage or distress.
- To request the Commissioner to assess whether any provision of the Act has been contravened.
- To sue for compensation if they suffer damage by any contravention of the Act.
- To take action to rectify, block, erase or destroy inaccurate data.
Third party access
Third parties given access to the organisation’s data must demonstrate compliance with TTPAC’s IT Security, Data Protection and Data Retention policies. If appropriate, TTPAC will require third parties to sign a confidentiality declaration. Third party access is not to be entered into lightly and must never be done without authorisation from the Information Manager.
Accessing personal data
Individuals have the right to see the personal data that TTPAC holds about them and for that data to be corrected if it is wrong. Minor requests may be dealt with informally in the course of normal administration, at the discretion of TTPAC. Formal requests for access to personal data should be in writing to:
The Tinderbox Performing Arts Centre
There may be a fee for this service which will be payable in advance.
The following policies and procedures support this policy:
Data Retention Policy
IT Security Policy
Please see Safeguarding and Child Protection Policy and Procedure for Use of internet, mobile telephone and social networks with young people.