Data protection policy

In this Policy and its Procedures, the term “Stroud Fringe staff and volunteers” refers to any person who Stroud Fringe has appointed to help deliver events/exhibitions/activities, whether volunteer or paid, and all relevant contractors.
POLICY STATEMENTS:
  • All information sought or gathered or held by Stroud Fringe will meet the requirements of the 8 Data Principles of the Data Protection Act 1998 and will be gathered and used solely for the purposes of running the Festival
  • Where relevant to the duties of the role, contracts and agreements will state that compliance with this DP Policy and Procedures is required
  • Where Stroud Fringe forms request contact information, they will state that it should be provided by an adult
  • Any Personal or Sensitive Personal information received will either be destroyed or held in passworded electronic files
  • Passwords will be issued only to personnel with enhanced DBS disclosures
  • Directors will regularly review whether the work being undertaken requires DP registration
PROCEDURES:
  • ‘Personal’ and ‘Personal Sensitive’ data is defined by the Act
  • team members in charge of filing information should check that anything they place on a file that can be accessed widely does not constitute Personal or Personal Sensitive data
  • where information is assessed to be Personal or Personal Sensitive data, it should be placed on an electronic file accessible only by password and any paper copies destroyed by shredding
  • if Personal or Personal Sensitive data is provided unsolicited and is not required, it should be destroyed by shredding or double-deleting where electronic
  • name and address files with brief information on the interests of those listed, for the purposes of attending events or volunteering are not Personal data
  • results of performance reviews; training sessions; decisions made on leadership or responsibilities given, and why; concerns for welfare, illness records, etc (the sort of thing often referred to as HR material) are Personal data
  • details of people’s finances, expenses or pay are Personal data
  • details of people’s personal circumstances, including any home difficulties, duties as a carer, etc, are Personal and possibly Sensitive Personal data
  • explicit consent must be given for the processing/holding of Personal or Sensitive Personal information eg tick box on contract or agreements
  • information provided by an adult about a child – eg a child’s own email address or which schools s/he attends, should be regarded as Personal, even when provided by a parent/guardian/carer
APPENDIX re DATA PROTECTION The 8 Data Protection Principles

The Data Protection Act controls how personal information is used by organisations, businesses or the government. Everyone responsible for using data has to follow the 8 Data Protection Principles. They must make sure the information is:
The data subject must give permission for data to be gathered/processed/held in the way that is described to them at the time. Explicit consent must be given for the processing/holding of Personal or Sensitive Personal information.

  • used fairly and lawfully
  • used for limited, specifically stated purpose(s)
  • used in a way that is adequate, relevant and not excessive
  • accurate and up-to-date
Data Protection Policy
  • kept for no longer than is absolutely necessary for the stated purpose(s) handled according to people’s data protection rights
  • kept safe and secure to avoid loss or damage
  • not transferred outside the UK without adequate protection

PERSONAL DATA means data which relate to a living individual who can be identified from those data, including images, or from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller, and includes any expression of opinion about the individual (as in a job review, for example) or information about what is going to happen to that person.

Personal data may be processed:
SENSITIVE PERSONAL DATA means personal data, including images, consisting of information as to ethnic origin, political opinions, religious beliefs, trade union membership, physical/mental health/ condition, sexual life, criminal records

  • with the consent of the data subject
  • to establish or perform a contract with the data subject
  • to comply with a legal obligation
  • to protect the vital interests of the data subject
  • for the exercise of certain functions of a public interest nature
  • for the legitimate interests of the data controller unless outweighed by the interests of the data subject

Sensitive Personal data may be processed:
For the purposes of Stroud Fringe, Sensitive Personal data may be held because some of our laws require organisations to ask questions when people work or volunteer for them and because funders ask for quotas of people by ethnicity.

  • with the explicit consent of the data subject
  • to perform any right or obligation under employment law
  • to protect the vital interests of the data subject or another person for the legitimate activities of certain not-for-profit bodies
  • when the data have been made public by the data subject
  • in connection with legal proceedings
  • for the exercise of certain functions of a public interest nature for medical purposes
  • for equal opportunity ethnic monitoring

Another type of Sensitive Personal data may be where the name and address of a child, together with details of where s/he goes to school or to leisure activities has been provided for whatever reason. This type of data should either be destroyed (if not required) or, as good practice, be password protected.

The Act does not simply relate to electronically-held information

Policy ratified by the Stroud Fringe CIC Directors on April 25 2016. Signed: Lotte Lyster, Julie Howe
Policy to be reviewed April 2017