DATA PROTECTION POLICY FOR
A48 THEATRE COMPANY LIMITED
SCOPE OF THE POLICY
This policy applies to the work of A48 Theatre Company Limited hereafter called ‘A48’. The policy details how personal information will be gathered, stored and managed in line with data protection principles and the General Data Protection Regulation. The policy is reviewed on an ongoing basis by the A48 Steering Group to ensure that A48 is compliant.
WHY THIS POLICY EXISTS
This data protection policy ensures that A48:
• Complies with data protection law and follows good practice.
• Protects the rights of members, staff, customers and partners.
• Is open about how it stores and processes members data.
• Protects itself from the risks of a data breach.
GENERAL GUIDELINES FOR DIRECTORS AND STEERING GROUP MEMBERS
• The only people able to access data covered by this policy should be those who need to communicate with or provide a service to the members of A48.
• Data should not be shared informally or outside of A48.
• A48 will provide training to members to help them understand their responsibilities when handling personal data.
• A48 Directors and Steering Group Members should keep all data secure, by taking sensible precautions and following the guidelines below.
• Strong passwords must be used and they should never be shared.
• Personal data should not be shared outside of A48 unless with prior consent and/or for specific and agreed reasons.
• Member information should be reviewed and consent refreshed periodically via the membership renewal process or when policy is changed.
The General Data Protection Regulation identifies 8 data protection principles:
Principle 1 – Personal data shall be processed lawfully, fairly and in a transparent manner
Principle 2 – Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 3 – The collection of personal data must be adequate, relevant and limited to what is necessary compared to the purpose(s) data is collected for.
Principle 4 – Personal data held should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
Principle 5 – Personal data which is kept in a form which permits identification of individuals shall not be kept for longer than is necessary.
Principle 6 – Personal data must be processed in accordance with the individuals’ rights.
Principle 7 – Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Principle 8 – Personal data cannot be transferred to a country or territory outside the European Union unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.
Lawful, fair and transparent data processing:
A48 requests personal information from potential members, members and audiences for the purpose of sending communications about their involvement with A48. The forms used to request personal information will contain a privacy statement informing potential members, members and audience members as to why the information is being requested and what the information will be used for. Members will be asked to provide consent for their data to be held and a record of this consent along with member information will be securely held. A48 members will be informed that they can, at any time, remove their consent and will be informed as to who to contact should they wish to do so. Once an A48 member requests not to receive certain communications this will be acted upon promptly and the member will be informed as to when the action has been taken.
Processed for Specified, Explicit and Legitimate Purposes:
Members will be informed as to how their information will be used and the Directors of A48 will seek to ensure that member information is not used inappropriately.
Appropriate use of information provided by members will include:
• Communicating with members about A48s events and activities.
• Communicating with members about their membership and/or renewal of their membership.
Inappropriate communication would include sending A48 members marketing and/or promotional materials from external service providers.
A48 will ensure that members’ information is managed in such a way as to not infringe an individual members rights which include:
• The right to be informed.
• The right of access.
• The right to rectification.
• The right to erasure.
• The right to restrict processing.
• The right to data portability.
• The right to object.
Adequate, Relevant and Limited Data Processing:
Members of A48 and their audiences will only be asked to provide information that is relevant for membership purposes. This will include:
• Postal address.
• Email address.
• Telephone number.
Where additional information may be required, such as health-related information, this will be obtained with the specific consent of the member who will be informed as to why this information is required and the purpose that it will be used for.
Where A48 organises a trip that requires next of kin information to be provided, A48 will require the member to gain consent from the identified next of kin. The consent will provide permission for the information to be held for the purpose of supporting and safeguarding the member in question. Were this information to be needed as a one off for a particular trip or event then the information will be deleted once that event or trip has taken place unless it was to be required – with agreement – for a longer purpose. The same would apply to carers who may attend either a one-off event or on an ongoing basis to support an A48 member.
There may be occasional instances where a members’ data needs to be shared with a third party due to an accident or incident involving statutory authorities. Where it is in the best interests of the member of A48 or in those instances where A48 has a substantiated concern then consent does not have to be sought from the member.
Accuracy of Data and Keeping Data up to Date:
A48 has a responsibility to ensure members’ information is kept up to date. The membership renewal forms will provide an opportunity for members to resubmit their personal information and reconfirm their consent for A48 to communicate with them on an annual basis.
Accountability and Governance:
The A48 Steering Group is responsible for ensuring that A48 remains compliant with data protection requirements and can evidence that it has. For this purpose, those from whom data is required will be asked to provide written consent. The evidence of this consent will then be securely held as evidence of compliance. Those who need to communicate with members on a regular basis will:
• Use password protection on laptops and PCs that contain or access personal information.
• Use password protection or secure cloud systems when sharing data members.
Data Breach Notification:
Were a data breach to occur action shall be taken to minimise the harm by ensuring all Steering Group members are aware that a breach has taken place and how the breach has occurred. The Directors shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches.
Policy review date: