Data Protection Policy

400dpiLogoSt Philips Dramatic Society (The Cliffites)

Data Protection Policy

Policy statement

St Philips Dramatic Society (the Society) is committed to a policy of protecting the rights and privacy of individuals, voluntary and community group members, volunteers staff and others in accordance with the General Data Protection Regulation (GDPR). The policy applies to all members of the Society. Any breach of Regulations is considered to be an offence and in that event, disciplinary procedures apply.

As a matter of good practice, other organisations and individuals working with the Society, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that any staff who deal with external organisations will take responsibility for ensuring that such organisations sign a contract agreeing to abide by this policy.

Legal Requirements

Data is protected by the General Data Protection Regulation, which came into effect on 25 May 2018.

Article 5 of the GDPR requires that personal data shall be:

  1. a) processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  6. f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Article 5(2) requires that:

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Purpose of data held by The Cliffites:

Data may be held by us for the following purposes:

  • Member Administration
  • Fundraising
  • Realising the Objectives of the Society
  • Accounts & Records
  • Advertising, Marketing & Public Relations
  • Journalism and Media
  • Volunteers

 

Data Protection Principles

In terms of GDPR, we are the ‘data controller’, and as such determine the purpose for which, and the manner in which, any personal data are, or are to be, processed. We must ensure that we have:

  1. Fairly and lawfully processed personal data

We will always put our logo on all paperwork, stating our intentions on processing the data and state if, and to whom, we intend to give the personal data. Also provide an indication of the duration the data will be kept.

  1. Processed for limited purpose

We will not use data for a purpose other than those agreed by data subjects (voluntary and community group members, staff, audience members and others). If the data held by us is requested by external organisations for any reason, this will only be passed if data subjects (voluntary and community group members, staff, audience and others) agree.

  1. Adequate, relevant and not excessive

The Society will monitor the data held for our purposes, ensuring we hold neither too much nor too little data in respect of the individuals about whom the data is held. If data given or obtained is excessive for such purpose, it will be immediately deleted or destroyed.

  1. Accurate and up-to-date

We will provide our members (voluntary and community group members, staff and others) with a copy of their data once a year for information and updating where relevant. All amendments will be made immediately and data no longer required will be deleted or destroyed. It is the responsibility of individuals and organisations to ensure the data held by us is accurate and up-to-date. Completion of an appropriate form ( provided by us) will be taken as an indication that the data contained is accurate. Individuals should notify us of any changes, to enable personnel records to be updated accordingly. It is the responsibility of the Society to act upon notification of changes to data, amending where relevant.

  1. Not kept longer than necessary

We discourage the retention of data for longer than it is required. All personal data of Society members will be deleted or destroyed by us after one year of not being involved in the Society.

  1. Processed in accordance with the individual’s rights

All individuals that the Society holds data on have the right to:

  • Be informed upon the request of all the information held about them within 40 days.
  • Prevent the processing of their data for the purpose of direct marketing.
  • The removal and correction of any inaccurate data about them.
  1. Secure
    Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.

Our database can only be accessed by authorised members of the Society as determined by the Committee. All personal and financial data is kept in a locked filing cabinet and/or on a secure password-protected laptop and can only be accessed by the Chair and Secretary.

  1. Not transferred to countries outside the European Economic Area, unless the country has adequate protection for the individual.

Data must not be transferred to countries outside the European Economic Area without the explicit consent of the individual.  The Association takes particular care to be aware of this when publishing information on the Internet, which can be accessed from anywhere in the globe. This is because transfer includes placing data on a website that can be accessed from outside the European Economic Area.

Updated May 2018

Advertisements
%d bloggers like this: