Data Protection Act Code of Practice

Introduction

The fundamental principle of data protection is to protect the privacy of the individual in relation to their personal information. Proper information handling procedures are a key requirement of the modern business environment and the privacy requirements of data protection legislation will…be essential to create trustworthy systems for the information age (Elizabeth France, Data Protection Registrar).

The Data Protection Act 1998 (“The Act”) came into force on the 1st March 2000 and replaced the 1984 Act. The new act includes a wider definition of data to include non-computerised records of all kinds held within a “relevant filing system.”

The data protection legislation puts responsibilities and limitations on organisations and gives rights to individuals in respect of personal information. Promoting best practice and encouraging high standards is a key role of the ABTT. The ABTT has used the same values in devising this code of practice to ensure the ABTT fulfils its obligations under the act.

Scope of the Code

This code applies to the ABTT (a registered charity) and to its two wholly owned subsidiary companies:

Theatrical Trading Limited (“TTL”)

Theatrical Events Limited (“TEL”)

Each of these three organisations is registered separately with the Information Commissioner’s Office (“ICO”). The Act considers that a “data controller” will usually be an organisation. Therefore the ABTT, TTL and TEL are each considered a data controller. Where one organisation acts with another organisation they are considered “joint data controllers”. The responsibility to comply with The Act is therefore shared. This will be the case when any of the above three organisations work together and equally when any one or more of the three work jointly with another organisation (for example the ABTT may carry out a survey with the Stage Management Association).

Who must comply with this Code of Practice?

Full time employees of the ABTT, TTL and TEL

Part-time, contract and temporary employees of the ABTT, TTL and TEL

Officers of the ABTT

Any member who processes or stores personal data which has been entrusted to them as a result of them being a member of the ABTT and which is likely to be covered by the Act

The ABTT is a members’ organisation with a small permanent staff. It therefore relies on the voluntary work of its officers, members and others. The Act makes no distinction between employees and volunteers; therefore anyone processing or storing data on a temporary or permanent basis has a responsibility to comply with the Act. Should any member be unsure whether any personal data falls within the Act, they should first consult the Chief Executive of the ABTT.

Note that for the purposes of this Code of Practice “members” refers to all members, whether Full Members, Associate Members, Student Members, Fellows and Honorary Members and nominated individuals of Affiliated Organisation Members.

All employees should familiarise themselves with this Code of Practice. All officers should familiarise themselves with this Code of Practice.

The Data Protection Principles

These eight principles are the core of The Act and embody the spirit of The Act. This code of practice is based on complying with these eight principles. Each is covered in turn together with the actions required to meet the principle.

1. Personal data shall be processed fairly and lawfully and shall not be processed unless certain conditions are met.

There are two parts to meeting the requirements of this principle. The first relates to fair obtaining which requires that certain information be made available at the time of obtaining information i.e. who is obtaining the data, what it is to be used for, how to opt out from receiving marketing communications, access to personal data. The second part relates to the conditions for legitimising processing, one of which must be met. These include:

a) The data subject consenting to the processing

b) Processing for various contractual or legal and statutory purposes

c) Processing for the pursuit of the legitimate interests of the data controller (subject to conditions).

The majority of the personal data held by the ABTT and its subsidiaries are gathered when a person applies for membership, changes category of membership or updates their details. Membership application forms carry a data protection statement and include a “consent to process”. Such data are not shared with any other organisation or company.

All members and subscribers to regular ABTT publications e.g. Sightline, shall annually receive a privacy policy statement.

Other personal data are gathered, stored and processed by the ABTT and its subsidiaries as part of its operations, for example training activities, sales of publications, events such as the ABTT Theatre Show, the recruitment of staff and employee records. Where necessary a data protection statement, opt-outs and how to obtain access to this Code of Practice will be included on both printed and electronic forms.

Conditions for the processing of sensitive data are separately specified and are more rigorous and extensive. See “Definition of Terms” for a precise definition of sensitive data.

The ABTT, TEL and TTL will not normally collect sensitive data. Where it is deemed necessary, those persons supplying such information will be warned in advance, told why the information is needed and have the option of opting out of such data gathering unless this is required by law or by a statutory authority.

2. Personal data should be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.

Personal data obtained for one purpose may not be used for a completely different one without prior reference to the individual. Although the ICO gives examples of what may not be acceptable, this principle has not been much tested in law. Therefore the tests of fairness and common sense should be used.

Before processing data or instructing others to do so on behalf of the ABTT, TTL or TEL, those doing so must consider whether such processing follows this principle. If it does not they should seek further advice before continuing. For example, data could be processed to print a members’ mailing list in order to mail out an offer of gardening products. The ICO would consider this unacceptable because this would generally be considered outside the organisation’s remit.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose.

The ABTT, TEL and TTL will strive to collect only the minimum for efficient management of its services to members and to the wider community. How much data is collected will depend on the purpose of collection. For example, only a small amount of data would be needed for the purchase of a book. Much more data may be needed for biographical records of those considered to have made an important contribution to organisations or the aims of the organisations such as those considered for Technician of the Year. Again fairness and common sense should be key determinants.

As part of a data audit which shall take place annually we will determine:

a) Which if any records should be safely destroyed

b) That stored data is not excessive

4. Personal data shall be accurate and where necessary kept up to date.

Information quality and reliability are critical factors in effective data protection. We rely primarily on information updates from our members.

The ABTT, TEL and TTL will update their records whenever new information is received and normally within thirty days. The privacy statement sent out annually includes a request for members to inform us of any changes to contact details and other relevant information. The organisations shall consider other such requests in any suitable contact, for example email newsletters.

5. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose or those purposes.

A schedule of how long different types of data will normally be retained is listed in the Appendix. Much of this is determined by law other than The Act e.g. regulations for retaining financial information. For a members’ organisation, some personal data of our members will be held in perpetuity as a valuable historical record. In general we will follow the guidance of the National Archives which have issued “Guide for records management and archivists” and a “Code of Practice”.

As part of a data audit which shall take place annually we will determine:

a) Which if any records should be safely destroyed in accordance with the schedule listed in the appendix

For specific biographical material of living persons, permission shall be sought before publication in any form or allowance of access for research or other purposes. This agreement should be in writing and retained on file. Again fairness and common sense should prevail.

6. Personal data (data relating to a living individual who can be identified) shall be processed in accordance with the rights of data subjects under the Act. These include the rights to:

a. Subject access – that is the right to a copy of personal data held.

Note that there are restrictions on sensitive data, on data that also concerns other living persons, making requests on behalf of others, data held on children, repeated requests for copies of similar data and where collecting such data would be disproportionately onerous. Further guidance can be found on the ICO website at the section titled: “Access to personal data”.

b. Prevent processing likely to cause damage or distress.

c. Prevent processing for the purposes of direct marketing.

d. Take action for compensation if damage is suffered by any contravention of The Act by the data controller.

e. Take action to rectify, block, erase or destroy inaccurate data.

Any person whose personal data is recorded or processed may obtain a copy of that data within 40 calendar days. A fee of £5 will be charged. Application should be made by letter, email or FAX. Should any of this data need correcting we will undertake to do so as soon as practicable.

No employee, officer or member shall divulge any personal information on a living individual collected on behalf of the ABTT, TEL or TTL that might cause damage or distress to the said individual. In case of doubt the Chairman or Chief Executive of the ABTT shall be consulted.

Any person, not only members, may request an opt out from any direct marketing undertaken by or on behalf of the ABTT, TEL or TTL at any time. This includes all forms of electronic, postal and telephonic communication.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Security should be appropriate to the situation. For example a small amount of personal information held on a member’s laptop will need a different level of security from computer systems at the ABTT office. Note that processing includes all operations: from collecting and acquiring through to disposal.

As part of a data audit which shall take place annually the following will be reviewed:

a) Levels of physical security at the ABTT offices

b) Levels of electronic security at the ABTT offices e.g. firewalls, virus protection etc

c) Prevention of physical data loss e.g. by fire

d) Prevention of electronic data loss i.e. back-up procedure

e) Procedures for the safe destruction of physical data e.g. shredding

f) Procedures for safe destruction of electronic data e.g. data overwriting

g) The use of third parties for data processing and storage to ensure such companies’ compliance with The Act e.g. mailing houses

h) If any sensitive data as defined by the Act is held, procedures for the safe protection, storing and destruction shall be separately reviewed as part of the annual data audit

Where data is stored or processed away from the office, appropriate measures should be taken including: password protection of documents as well as at log-in, regular changes of secure passwords and shredding of physical documents when no longer needed.

EVERYONE WHO STORES OR PROCESSES DATA, BOTH PHYSICAL AND ELECTRONIC, HAS A DUTY OF CARE TO ALL MEMBERS OF THE ABTT AND ITS EMPLOYEES.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area or other countries the European Commission has decided have an adequate level of protection for personal data, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

There are certain exceptions to this, the most important of which is when the data subject has given consent to the transfer. Note that the ICO website should be consulted for the most up-to-date list of countries the European Commission has decided have an adequate level of protection for personal data. It is unlikely that the ABTT, TEL or TTL will transfer data outside countries on this list. Should this ever be the case, measures would be taken to ensure all affected persons are contacted in advance of such an action.

Definition of terms

Members refers to all members of the ABTT, whether Full Members, Associate Members, Student Members, Fellows, Honorary Members or nominated individuals of Affiliated Organisation Members.

Data Controller is the organisation which must determine the purposes for which, and the manner in which, any personal data are processed. In this case it will be, singularly or jointly the ABTT, TEL or TTL.

Data Subject: an identifiable or identified living individual who is the subject of the personal data.

Personal Data: data which relates to a living individual who can be identified from that data. In this code of practice “data” specifically refers to personal data held by or held on behalf of the ABTT, TEL or TTL and to personal data processed by or on behalf of the ABTT, TEL or TTL.

Sensitive Personal Data: some personal data is known as “sensitive personal data” and is subject to special rules. The Act defines sensitive personal data as:

a) the racial or ethnic origin of the data subject;

b) his political opinions;

c) his religious beliefs or other beliefs of a similar nature;

d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);

e) his physical or mental health or condition;

f) his sexual life;

g) the commission or alleged commission by him of any offence or

h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings and the sentence of court in such proceedings.

Relevant Filing System: The term “relevant filing system” is defined in The Act as:

Any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically …. The set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

Appendices

1. Privacy Policy Statement and opt out

2. Privacy Policy Statement and opt out for websites

3. Data Retention Schedule

4. Further Information

APPENDIX 1

Association of British Theatre Technicians

Privacy Policy Statement

This privacy policy explains how we use any personal information we collect about you. It applies not only to the ABTT but its two wholly owned subsidiaries TTL and TEL. (TTL administer the annual ABTT Theatre Show).

What information do we collect about you?

For members, we collect information about you when you apply for membership, apply to change class of membership (e.g. from Associate Member to Full Member), when you voluntarily complete surveys, when you purchase goods or services from the ABTT, TTL or TEL, and also when you communicate with us, for example to update your postal address, make a request for information or make a complaint.

For non-members, records will primarily be related to purchases of goods or services, information requests etc.

How will we use the information about you?

Keeping accurate records of our members ensures that we may communicate with them effectively. When we send out information about upcoming meetings, events, industry news etc, we want to make sure it gets to the right person as soon as possible. We also keep records of goods and services that are purchased in case of any problem or dispute with the transaction.

Are the records you keep about me accurate?

We endeavour to keep all records up to date. Please inform us if you change your contact details or any other information that may be held such as professional position if relevant. For example if you move from being a production manager in Manchester to a theatre consultant in Liverpool.

Can I choose how you communicate with me and what marketing material you send me?

In general terms, yes you can although this is limited. The ABTT and its subsidiaries do not share your personal details with any other organisation so you will only receive communications from us. If you are a member of the ABTT it is assumed that you will want to receive our mailings, such as our magazine Sightline, news of members’ visits and administrative information such as notice of meetings and subscriptions. These are currently sent by post. You can elect not to receive Sightline if you wish. Please contact the office.

If you supply us with your email address we will assume that you wish to receive communications by email. As stated above, the ABTT and its subsidiaries do not share your personal details with any other organisation so you will only receive communications from us. If you do not wish to be contacted by email, please let us know and we will record your preference and remove your email address from our list.

We may in the future use other forms of communication such as SMS. If we decide to do so, we will give members adequate notice and offer suitable opt-outs.

Non-members may also receive communications from us if they have made a purchase, registered for an event or in some other way registered an interest in our activities. When we collect personal data, we will ask your permission to send you further information about the ABTT’s activities and you may at any time opt out of further communications by contacting us.

How do I contact you?

Association of British Theatre Technicians

Fourth Floor

55 Farringdon Road

London

EC1M 3JB

email: info@abtt.org.uk

Telephone: +44 (0)20 7242 9200

Facsimile: +44 (0)20 7242 9303

APPENDIX 2

Association of British Theatre Technicians

Privacy Policy statement and opt-out for websites

The ABTT, Theatrical Trading Ltd and Theatrical Events Ltd respect your privacy and actively conform to the Data Protection Act. Below we clarify how we treat personal data collected from websites under our control.

What information do we collect about you?

We collect information about you when you register with us, place an order for products such as publications, and services such as educational programmes. We also collect information if you voluntarily complete surveys, provide feedback and participate in competitions. Website usage information may be collected using cookies.

How will we use the information about you?

Collected information is used to process your order, manage your purchase or to send you the information you have requested. If you agree, we will also send you information about other products or services you may be interested in. You may opt out at any time.

We may use your information to personalise your repeat visits to the website.

If you agree we may also pass on your details to other charitable and non-charitable bodies relevant to the theatre and entertainment industries. You may opt out at any time.

I wish to receive further information from the ABTT

I wish to receive further information from other relevant organisations and companies

Do I have access to my personal information and can I correct any errors?

You have the right to request a copy of some or all of your personal information we hold about you. Please contact us by email or at the address below. We may make a small charge for this service.

We want to make sure your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.

Cookies

Cookies are text files placed on your computer to collect standard internet log information. This information is used to track visitor use of websites and to complete statistical reports on website activity.

You can set your browser not to accept cookies should you wish to do so.

Other websites

Our website contains links to other websites that you may find useful. This privacy policy only applies to this website so when you link to another website you should read their privacy policies.

How do I contact you?

Association of British Theatre Technicians

Fourth Floor

55 Farringdon Road

London

EC1M 3JB

email: info@abtt.org.uk

Telephone: +44 (0)20 7242 9200

Facsimile: +44 (0)20 7242 9303

APPENDIX 3

Association of British Theatre Technicians

Retention of Personal Data

| Type of Data | Maximum retention period | Reason for Length of Period |
|---|---|---|
| Personnel files including training records and notes of disciplinary and grievance hearings | 6 years from the end of employment | References and potential litigation |
| Application forms/interview notes | At least 8 months from the date of the interviews | Time limits on litigation |
| Facts relating to redundancies where less than 20 redundancies | 3 years from the date of redundancy | As above |
| Facts relating to redundancies where 20 or more redundancies | 12 years from date of redundancies | Limitation Act 1980 |
| Income Tax and NI returns, including correspondence with tax office | At least 3 years after the end of the financial year to which the records relate | Income Tax (Employment) Regulations 1993 |
| Statutory Maternity Pay records and calculations | As Above | Statutory Maternity Pay (General) Regulations 1982 |
| Statutory Sick Pay records and calculations | As Above | Statutory Sick Pay (General) Regulations 1982 |
| Wages and salary records | 6 years | Taxes Management Act 1970 |
| Accident books, and records and reports of accidents | 3 years after the date of the last entry | Social Security (Claims and Payments) Regulations 1979; RIDDOR 1985 |
| Health records | During employment | Management of Health and Safety at Work Regulations |
| Health records where reason for termination of employment is connected with health, including stress related illness | 3 years | Limitation period for personal injury claims |
| Medical records kept by reason of the Control of Substances Hazardous to Health Regulations 1994 | 40 years | Control of Substances Hazardous to Health Regulations 1999 |
| Examination marksheets | In perpetuity | Recommended current practice |
| Examination results | In perpetuity | Recommended current practice |
| Financial records | 6 Years | In line with current practice |
| Membership records | In perpetuity | As above |
| Gift Aid records | 6 years after last donation | As above |
| General enquiries | 1 year | As above |

APPENDIX 4

Association of British Theatre Technicians

Further Information

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire SK9 5AF

Tel: 0303 123 1113 (or 01625 545745 if you would prefer not to call an ‘03’ number, or +44 1625 545745 if calling from overseas)

Fax: 01625 524510

Email: casework@ico.gsi.gov.uk

National Archives www.nationalarchives.gov.uk