General Data Protection Regulations (GDPR) Policy
Under the new General Data Protection Regulations (GDPR) and the Data Protection Bill (DPB) 2018, we are required to be transparent about the way we collate, store and use any personal information pertaining to members, employees, volunteers and their families. All have the right to ask that personal data be destroyed or deleted once they have left Fixation Academy of Performing Arts (FPA), provided that deleting the material does not impact on legal regulations. Please refer to FPA’s Privacy Agreement.
This policy applies to all children, young people, parents/carers (known as clients), employees and volunteers of FPA.
The purpose of this policy is to enable FPA to:
- Comply with the law in respect of the data it holds about individuals;
- Follow good practice;
- Protect children, young people, parents/carers, employees, volunteers and other individuals;
- Protect FPA from the consequences of a breach of its responsibilities.
The Data Protection Act 2018
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with the rights of Data Subjects
- Not transferred to other countries without adequate protection
The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
- Comply with both the law and good practice
- Respect individuals’ rights
- Be open and honest with individuals whose data is held
- Provide training and support for employees and volunteers who handle personal data, so that they can act confidently and consistently
FPA recognises that its first priority under the Data Protection Act is to avoid causing harm to individuals. Information about employees, volunteers and clients will be used fairly, securely and not disclosed to any person unlawfully.
Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, FPA will seek to give individuals as much choice as is possible and reasonable oversight of what data is held and how it is used.
The Director, Laura Davitt, is the Data Controller and, if required, is registered under the Data Protection Act 1998. All processing of personal data will be undertaken in accordance with the data protection principles.
The Data Subject is the individual whose personal data is being processed. Examples include:
- Employees – current and past
- Job applicants
- Service Users
Processing means the use made of personal data including:
- Obtaining and retrieving
- Holding and storing
- Making available within or outside the organisation
- Printing, sorting, matching, comparing, destroying.
The Data Controller is the legal ‘person’, or organisation, that decides why and how personal data is to be processed. The data controller is responsible for complying with the Data Protection Act.
The Data Protection Officer is the name given to the person in organisations who is the central point of contact for all data compliance issues.
The Director, Laura Davitt, recognises the overall responsibility for ensuring that FPA complies with its legal obligations.
The Data Protection Officer is currently the Director, Laura Davitt, who has the following responsibilities:
- Reviewing Data Protection and related policies
- Advising other employees/volunteers on Data Protection issues
- Ensuring that Data Protection induction and training takes place
- Handling subject access requests
- Approving unusual or controversial disclosures of personal data
- Ensuring contracts with Data Processors have appropriate data protection clauses (if relevant).
- Electronic security
- Approving data protection-related statements on publicity materials and letters
Each employee and volunteer at FPA who handles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed.
All employees and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.
Significant breaches of this policy will be handled under FPA’s disciplinary procedures.
This section of the policy only addresses security issues relating to personal data. It does not cover security of the building, business continuity or any other aspect of security.
Any recorded information on clients, volunteers and employees will be:
- Kept in locked cabinets
- Protected by the use of passwords if kept on computer
- Destroyed confidentially if it is no longer needed
Access to information on the main organisation database is controlled by a password and only those needing access are given the password. Employees and volunteers should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.
Notes regarding personal data of clients should be shredded or destroyed.
Data Recording and Storage
FPA has a database/spreadsheets holding basic information about clients, employees and volunteers. This is backed up by an external hard drive. Names and contact numbers are also kept on a password-protected phone, and registration forms on a protected cloud server.
FPA will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
- The database system is reviewed and re-designed, where necessary, to encourage and facilitate the entry of accurate data.
- Data on any individual will be held in as few places as necessary, and all employees and volunteers will be discouraged from establishing unnecessary additional data sets.
- Effective procedures are in place so that all relevant systems are updated when information about any individual changes.
- Employees and volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.
- Data will be corrected if shown to be inaccurate
FPA stores archived paper/electronic records of clients, employees and volunteers securely within locked cabinets and also via a secure cloud service, Google Drive, all of which is password protected.
Access to Data
All clients have the right to request access to all information stored about them. Any subject access requests will be handled by the Data Protection Officer within the required time limit (within 30 working days of receiving the request).
Subject access requests must be in writing. All employees and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay.
Where the individual making a subject access request is not personally known to the Data Protection Officer their identity will be verified before handing over any information.
The required information will be provided in easy-to-use formats, e.g. PDF, XLS and CSV.
FPA will provide details of information to clients who request it unless the information may cause harm to another person.
Employees have the right to access their file to ensure that information is being used fairly. If information held is inaccurate, the individual must notify the Data Protection Officer so that this can be recorded on file.
FPA is committed to ensuring that in principle Data Subjects are aware that their data is being processed and:
- For what purpose it is being processed;
- What types of disclosure are likely; and
- How to exercise their rights in relation to the data.
Consent will normally not be sought for most processing of information about employees, although employees’ details will only be disclosed for purposes unrelated to their work with FPA (e.g. financial references) with their consent.
Information about clients will only be made public with their consent or in case of Safeguarding or a medical emergency. (This includes photographs.)
‘Sensitive’ data about clients will be held only with the knowledge and consent of the individual’s parent/guardian/carer.
Consent should be given in writing, although for some services it is not always practicable to do so. In these cases, verbal consent will always be sought to the storing and processing of data. In all cases it will be documented on the database that consent has been given.
FPA acknowledges that, once given, consent can be withdrawn, but not retrospectively. There may be occasions where Fixation Theatre Company has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.
FPA will treat the following unsolicited direct communication with individuals as marketing:
- Seeking donations and other financial support;
- Promoting any FPA services;
- Promoting FPA events;
- Promoting the service to clients;
- Promoting sponsored events and other fundraising exercises.
Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opt out. If it is not possible to give a range of options, any opt-out which is exercised will apply to all FPA marketing. FPA does not have a policy of sharing lists, obtaining external lists or carrying out joint or reciprocal mailings.
Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.
Employee/volunteer training and acceptance of responsibilities
All employees/volunteers who have access to any kind of personal data will be given copies of all relevant policies and procedures, and of the operational procedures for handling personal data, during their induction process. All employees will be expected to adhere to all these policies and procedures.
- Data Protection will be included in the induction training for all.
- FPA will provide opportunities for employees/volunteers to explore Data Protection issues through training, team meetings, and supervisions.
Client Data Protection
All personal data shall be obtained, maintained, stored, used and shared only in strict accordance with the Data Protection Act 1998.
Information relating to individuals supported by FPA through the work of the organisation will be dealt with in the following manner:
- Attendance and attainment records will be de-personalised within 12 months.
- All other information will be kept for no longer than 3 years.
- Information that is of vital importance to the future protection of an individual (or young people) will be securely archived and stored as long as express agreement is obtained from the data subject (or as felt appropriate).
All personal data must be protected by appropriate security measures to safeguard against unauthorised or unlawful processing of personal data (e.g. a locked filing cabinet). All employees/volunteers and representatives of Fixation Theatre Company must:
- Only access and use data that is relevant to and necessary to the performance of their job function.
- Make themselves familiar with FPA’s data protection policy and procedures.
Photographs / Video / Media
FPA frequently take photographs and videos of children and young people participating in activities, rehearsals, performances and events. All members are asked to complete a Photo and Media consent form, which offers opt-in and opt-out options. For members to take part in shows, Photo and Media Consent will need to be given.
At all times written permission from parents/guardians/carers must be obtained before any photographic material is used in the public domain.
It is FPA’s responsibility to ensure that photographs of children/young people without consent are not saved to a computer. All photographs and videos are stored on a password-protected computer and external hard drive.
Any photographs used for publicity purposes (brochures, leaflets, website etc.) should not be accompanied by any personal information (first names only, avoid school badges).
FPA hires in photographers to take pictures and videos of the shows. These photographers are vetted, insured and follow a strict data protection policy. They WILL NOT be able to sell or use any FPA photos or videos unless a written request to parents/carers is followed.
Photographs and videos of members, staff and volunteers will be taken either on equipment agreed with subcontractors or on FPA’s work phone, tablet or camera, and are password protected and stored on file. These images are stored indefinitely. There are opportunities for parents and carers to purchase the photographs and videos for a fee.
During the course of employment/volunteering with FPA, staff/volunteers may have access to and be entrusted with information in respect of children/young people and members, plus the business and financing of FPA and its affairs, all of which is, or may be, confidential.
Staff/volunteers shall not (except in the proper course of their duties), during or after the period of their employment/volunteering, divulge to any person, or otherwise make use of (and shall use their best endeavours to prevent the publication or disclosure of), any confidential information concerning any children/young people or the business and finances of FPA or any such confidential information concerning any of its clients.
Changes to this notice
We may change our Data Protection Policy from time to time so please check back periodically.
Signed: L. Davitt
Date: 6th September 2021
Date to be reviewed: September 2022