ARUNDEL PLAYERS: Data Protection Policy
Overview
Arundel Players takes seriously its responsibilities under the UK GDPR and the Data Protection Act 2018. This policy sets out how we meet those responsibilities and protect the personal data we collect in the course of our activities.
This policy should be read alongside our Privacy Policy.
Introduction
Arundel Players obtains, uses, stores and otherwise processes personal data relating to potential, current and former participants, external contacts and contractors, collectively referred to in this policy as “data subjects”.
When processing personal data, we are obliged to meet individuals’ reasonable expectations of privacy by complying with the UK GDPR and other relevant data protection legislation (together, “data protection law”).
This policy therefore seeks to ensure that we:
- Are clear about how personal data must be processed and about the expectations placed on all those who process personal data on our behalf
- Comply with data protection law and with good practice
- Protect our reputation by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights
- Protect ourselves from the risk of personal data breaches and other breaches of data protection law.
The main terms used are explained in the glossary at the end of this policy (Appendix 1).
Personal data protection principles
When processing personal data, Arundel Players is responsible for, and must demonstrate compliance with, the following data protection principles. Personal data will be:
- Processed lawfully, fairly and in a transparent manner (Lawfulness, fairness and transparency – see Appendix 1)
- Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (Purpose limitation)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data minimisation)
- Accurate and where necessary kept up to date (Accuracy)
- Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed (Storage limitation)
- Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, integrity and confidentiality).
Data subjects’ rights
Data subjects have rights in relation to the way we handle their personal data, including:
- Where the legal basis of our processing is consent, to withdraw that consent at any time
- To ask for access to the personal data that we hold (see Data subject access requests below)
- To prevent our use of the personal data for direct marketing purposes
- To object to our processing of personal data in limited circumstances
- To ask us to erase personal data without delay:
  - If it is no longer necessary in relation to the purposes for which it was collected or otherwise processed
  - If the only legal basis of processing is consent, that consent has been withdrawn and there is no other legal basis on which we can process that personal data
  - If the data subject objects to our processing where the legal basis is the pursuit of a legitimate interest or the public interest and we can show no overriding legitimate grounds or interest
  - If the data subject has objected to our processing for direct marketing purposes
  - If the processing is unlawful.
- To ask us to rectify inaccurate data or to complete incomplete data
- To be notified of a personal data breach which is likely to result in a high risk to their rights and freedoms
- To make a complaint to the Information Commissioner’s Office (ICO)
Arundel Players must verify the identity of an individual requesting data under any of the rights listed. Requests (including data subject access requests – see below) must be complied with, usually within one month of receipt. Any data subject access request received must be forwarded to secretary.arundelplayers@gmail.com
Accountability
Arundel Players must implement appropriate technical and organisational measures in an effective manner to ensure compliance with the data protection principles. We are responsible for, and must be able to demonstrate compliance with, those principles.
We must therefore apply adequate resources and controls to ensure and to document UK GDPR compliance, including:
- Appointing a suitably qualified DPO
- Completing a Data Protection Impact Assessment (DPIA) where processing is likely to present a high risk to the privacy of data subjects
- Integrating data protection into our policies and procedures and into the way personal data is handled by us, and producing required documentation such as Privacy Notices, Records of Processing and records of Personal Data Breaches
- Training staff on compliance with data protection law and keeping a record accordingly
- Regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using the results of testing to demonstrate compliance improvement efforts.
Responsibilities
Arundel Players’ legal responsibilities
As the Data Controller, Arundel Players is responsible for establishing policies and procedures in order to comply with data protection law.
We must ensure that:
- All personal data is kept securely
- No personal data is disclosed, either verbally or in writing, accidentally or otherwise, to any unauthorised third party
- Personal data is kept in accordance with our retention schedule
- Any queries regarding data protection, including subject access requests and complaints, are promptly directed to the DPO
- Any data protection breaches are swiftly brought to the attention of the DPO
- Where there is uncertainty around a data protection matter, advice is sought from the DPO.
Where we engage a third party to process personal data on our behalf:
- A data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data
- Reasonable steps must be taken to confirm that such security measures are in place
- A written contract establishing what personal data will be processed and for what purpose must be set out
- A data processing agreement must be signed by both parties.
Data subject access requests
Data subjects have the right to receive a copy of the personal data about them which is held by Arundel Players. In addition, an individual is entitled to receive the following further information about the processing of their personal data:
- The purposes of the processing
- The categories of personal data being processed
- The recipients or categories of recipient
- The retention periods
- Information about their rights
- The right to complain to the ICO
- Details of the relevant safeguards where personal data is transferred outside the UK
- Any third-party source of the personal data.
The entitlement is to the personal data contained in a document rather than to the document itself. The right relates to personal data held electronically and to manual records held in a structured filing system.
Reporting a personal data breach
The UK GDPR requires us to report to the Information Commissioner’s Office (ICO) any personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, without undue delay and where feasible within 72 hours of becoming aware of it. Where the personal data breach is likely to result in a high risk to the data subject, he or she must also be notified without undue delay. We have put in place procedures to deal with any suspected personal data breach and will notify data subjects or the ICO where we are legally required to do so.
Record keeping
The UK GDPR requires us to keep full and accurate records of all our data processing activities. We must keep and maintain accurate corporate records reflecting our processing, including records of data subjects’ consents and procedures for obtaining consents, where consent is the legal basis of processing. Records of personal data breaches must also be kept, setting out the facts surrounding the breach, its effects and the remedial action taken.
Direct marketing
We are subject to certain rules and privacy laws when marketing to our participants and to any other potential users of our services.
For example, a data subject’s prior consent is generally required for electronic direct marketing (e.g. by email, text or automated calls). The limited exception for existing customers (e.g. current participants), known as the “soft opt-in”, allows organisations such as ours to send marketing texts or emails if we obtained the contact details in the course of a sale to that person, we are marketing similar services, and we gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.
We will bring the right to object to direct marketing explicitly to data subjects’ attention, in an intelligible form clearly distinguishable from other information. A data subject’s objection to direct marketing will be promptly honoured. If a data subject opts out at any time, their details will be suppressed as soon as possible (this involves retaining just enough information to ensure that their marketing preferences are respected in future).
Sharing personal data
In the absence of consent, a legal obligation or another legal basis for processing, personal data will not generally be disclosed to third parties unrelated to Arundel Players.
Some bodies have a statutory power to obtain information (e.g. regulatory bodies and government agencies), but we will seek confirmation of any such power before disclosing personal data in response to a request. It should also be noted that, without a warrant, the police have no automatic right of access to records of personal data, although voluntary disclosure may be permitted for the purposes of preventing or detecting crime or apprehending offenders; in such cases we will seek written assurances from the police that the relevant exemption applies. Some additional sharing of personal data for research purposes may also be permissible, subject to certain safeguards.
Policy review
Appendix 1
Principle 1 of UK GDPR – Processing personal data lawfully, fairly and transparently
Lawfulness and fairness
You may only process personal data fairly and lawfully and for specified purposes. These restrictions are not intended to prevent processing, but to ensure that we process personal data for legitimate purposes without prejudicing the rights and freedoms of data subjects.
Legal bases for processing non-sensitive personal data:
- the data subject has given his or her consent
- the processing is necessary for the performance of a contract with the data subject
- the processing is necessary to comply with a legal obligation
- the processing is necessary to protect the data subject’s vital interests (i.e. matters of life or death)
- the processing is necessary to pursue our legitimate interests (or another’s legitimate interests), provided those interests are not overridden by the interests or fundamental rights and freedoms of the data subject. (Public authorities cannot rely on this ground for processing carried out in the performance of their public tasks.)
You must identify the legal basis that is being relied on for each processing activity, which will be included in the Privacy Notice provided to data subjects.
Consent
- You should only rely on a data subject’s Consent if there is no other legal basis for the processing.
- A data subject consents to the processing of his or her personal data if he or she clearly indicates agreement to the processing, either by a statement or by a positive action. Silence, pre-ticked boxes or inactivity are therefore not sufficient.
- If Consent is given in a document that deals with other matters, you must ensure that the Consent is separate and distinct from those other matters.
- Data subjects must be able to withdraw Consent to processing easily at any time. Withdrawal of Consent must be promptly honoured.
- Consent may need to be renewed if you intend to process personal data for a different and incompatible purpose which was not disclosed when the data subject first consented, or if the Consent is historic.
- You will need to ensure that you have evidence of Consent and should keep a record of all Consents obtained so that we can demonstrate compliance.
- Consent is required for some electronic marketing and some research purposes.
Legal bases for processing Sensitive or Special Category personal data
Special Category Personal Data is data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person’s sex life or sexual orientation.
The processing of special category personal data must be based on one of the following conditions (in addition to one of the legal bases for processing non-sensitive personal data listed above):
- the data subject has given explicit Consent (requiring a clear statement, not merely an action)
- the processing is necessary for complying with employment law
- the processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving Consent
- the processing relates to personal data which are manifestly made public by the data subject
- the processing is necessary for the establishment, exercise or defence of legal claims
- the processing is necessary for reasons of substantial public interest (provided it is proportionate to the particular aim pursued and takes into account the privacy rights of the data subject)
- the processing is necessary for the purposes of preventive or occupational medicine, etc., provided that it is subject to professional confidentiality
- the processing is necessary for reasons of public interest in the area of public health, provided it is subject to professional confidentiality
- the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, provided it is subject to certain safeguards.