DATA PROTECTION POLICY
Smashing Times Theatre and Film Company needs to gather and use certain information about individuals attending their events, workshops and performances.
These can include partner organisations, funding organisations, stakeholders, business contacts, employees, community groups, audience members and individuals attending workshops, events and performance produced by Smashing Times. This can also include other people the organisation has a relationship with or may need to contact.
This policy will ensure that all personal data under the control of Smashing Times is stored, processed and used in compliance with the Irish Data Protection Acts 1988 and 2003 and European Union Data Protection Directive 1995.
Data protection Law
The policy should set down the arrangements in place to ensure that all personal data records held by the company are obtained, processed, used and retained in accordance with the following eight rules of data protection (based on the Data Protection Acts):
- Obtain and process information fairly
- Keep it only for one or more specified, explicit and lawful purposes
- Use and disclose it only in ways compatible with these purposes
- Keep it safe and secure
- Keep it accurate, complete and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it for no longer than is necessary for the purpose or purposes
- Give a copy of his/her personal data to that individual on request
The minimum age at which consent can be legitimately obtained for processing and disclosure of personal data under rules 1 and 3 above is not defined in the Data Protection Acts. However, guidance material published on the Data Protection Commissioner’s website states the following:
“As a general rule in the area of education, a student aged eighteen or older may give consent themselves. A student aged from twelve up to and including seventeen should give consent themselves and, in addition, consent should also be obtained from the student’s parent or guardian. In the case of students under the age of twelve consent of a parent or guardian will suffice.”
This policy applies to:
- All staff and contractors at Smashing Times
- All project partners, business partner and funding organisations
- All individuals attending workshops, events and performance produced by Smashing Times.
It applies to all data, this can include:
- Names of individuals, postal addresses, email addresses, telephone numbers, bank account numbers, age range (Under 30, between 30 and 65, over 65) and any other information
This policy helps to protect Smashing Times from data security risks including:
- Breaches of confidentiality
- Reputational damage
As with any legislation, certain terms have particular meaning. The following are some important definitions:
Data means information in a form which can be processed. It now includes both automated data and manual data. However, the application of certain parts of the Act to existing manual data is deferred until October 2007.
Automated data means, broadly speaking, any information on computer, or information recorded with the intention of putting it on computer.
Manual data means information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system.
Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible.
Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller
Processing means performing any operation or set of operations on data, including: – obtaining, recording or keeping the data – collecting, organising, storing, altering or adapting the data – retrieving, consulting or using the data – disclosing the data by transmitting, disseminating or otherwise making it available – aligning, combining, blocking, erasing or destroying the data
Each staff member who handles personal data must ensure that it is handled and processed in line with this policy and data protection principle and also take reasonable steps to ensure it is stored securely and kept as accurate and up to date as possible.
When obtaining data it is important that the subject must be made aware of the following:
- For what purposes the data is being collected
- Of any persons or categories of persons to who, the data may be disclosed
- The existence of the right of access to their personal data
- The right to rectify their data if inaccurate or processed unfairly
If personal data is not obtained from the data subject, all of the above information must be provided to the data subject and they must also be informed of the identity of the original data controller from whom the information was obtained.
- Data must be kept only for specific, explicit and lawful purposes
- The use and disclosure of data must be necessary for the purpose(s) or compatible with the purposes(s) for which it is held
- Appropriate security measures must be in place depending on the level of confidential and sensitive data being held
- Data is accurate and up-to-date
- Only the minimum amount of personal data required for propose is requested
- Data is retained for no longer than necessary i.e. Personal data collected for one purpose cannot be retained once that initial purpose has ceased.
- Smashing Times will make it easy for subjects to update the information Smashing Times holds about them
- The electronic transfer of any sensitive data (financial records etc) must always be password protected
The Smashing Times Data Protection Officer is responsible for:
- Reviewing all data protection procedures and related policies
- Arranging data protection training and advice
- Handling data protection questions/requests from individuals covered by this policy
The Digital Manager and Developer is responsible for:
- Liaising with IT specialists to ensure all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly
- Evaluating any third-party services the company is considering using to store or process data
All individuals who are the subject of personal data held by Smashing Times are entitled to:
- Ask what information the company holds about them and why
- Ask how to gain access
- Be information how to keep it up to date
- Be informed how the company is meeting its data protection obligations
All requests must be received in writing. The data controller will always verify the identity of anyone making a subject access requesting before handing over any information. The data controller will aim to provide the relevant data promptly within 40 days of receiving the request.
Appropriate security measures must be taken against unauthorised access to, or alternation, disclosure or destruction of data and against its accidental loss or destructions.
- When paper or files are not required they should be kept in a locked drawer
- Employees should make sure paper and printouts are not left were unauthorised people can see them
- Data printouts should be shredded
- Data should be protected by strong passwords
- If data is stored on removable media, they should be kept locked away
- Data should never be saved directly to laptops or mobile devices without being encrypted
- All servers and computers containing data should be protected by approved security software and a firewall
- Data should be disposed appropriately when no longer required – confidential waste disposal/shredding
For more information, please contact our Company Manager and Data Protection Officer Freda Manweiler:
Coleraine House, Coleraine Street, Dublin 7
Tel: + 353 (0) 1 865 6613 Tel: + 353 (0) 87 221 4245
Email: firstname.lastname@example.org Website: www.smashingtimes.ie