Fluid Motion Theatre Company - GDPR
Fluid Motion Theatre Company needs to process information about employees, volunteers, organisations and individuals who use our services. When we process information, we need to keep to the terms of the Data Protection Act 2018. In particular, we need to make sure that we process information in line with the principles of data protection described in the Act.
The Data Protection Act sets limits on the way we collect, store and use information. The Act controls how:
- We file information
- How we access information
- How we pass information on to other organisations and individuals
- How and when we destroy information we are storing
The Act says that people have a right to access any information that we hold about them. This includes employees, volunteers and people who use our services. The Act says that we must respond to requests for access to information within 1 month at most.
In certain circumstances, for example particularly complex or multiple requests, we may take a further 2 months to provide data. In this case, Fluid Motion must tell the individual within 1 month of their request why there is a delay.
When information can be withheld
There are some situations when organisations are allowed to withhold information, for example if the information is about:
- the prevention, detection or investigation of a crime
- national security or the armed forces
- the assessment or collection of tax
- judicial or ministerial appointments
An organisation does not have to say why they’re withholding information.
How much it costs
Requests for information are usually free. However, Fluid Motion Theatre Company may charge an administrative cost in some circumstances, for example if:
- you’re asking for a large amount of information
- your request will take a lot of time and effort to process
The Act says that organisations that process information needs to register with the Information Commissioner’s Office. There are exceptions to this rule for some not-for-profit organisations. Under these exceptions, Fluid Motion Theatre Company does not have to register with the Information Commissioner.
The Executive and Artistic Directors will deal with day-to-day data protection issues. The Fluid Motion Theatre Company Board of Trustees has overall responsibility for ensuring that the company works in line with the Data Protection Act 2018.
The Fluid Motion Theatre Company Board of Trustees, staff and any others who process personal information on behalf of Fluid Motion Theatre Company must comply with the principles of the Act.
2. FLUID MOTION THEATRE COMPANY’S RESPONSIBILITIES
Fluid Motion Theatre Company wants to protect the right of individuals to privacy:
- We will respect the privacy of individuals when processing personal information
- We will take appropriate measures to make sure that the data we hold is stored securely
- The Fluid Motion Theatre Company Board of Trustees has overall responsibility for making sure that the company meets the terms of the Data Protection Act 2018.
- The Fluid Motion Theatre Company Board of Trustees have a responsibility to make sure that staff process information in line with the terms of the Act.
3. STAFF RESPONSIBILITIES
- Staff are responsible for the security of the information they process
- Staff must not pass on information to anyone who is not entitled to it
- Staff should make sure that any information they give to Fluid Motion Theatre Company about their employment is accurate and up to date.
4. RIGHT OF ACCESS
- Fluid Motion Theatre Company employees, volunteers, and people who use our services have the right to access personal information the company holds about them, whether in electronic or paper form
- People who want to access information held about them should contact the Executive Director
- More information about individuals’ right of access is available in Appendix 2
5. MAKE A COMPLAINT
If you think your data has been misused or that Fluid Motion Theatre Company has not kept it secure, you should contact the Executive Director and tell them.
If you’re unhappy with their response or if you need any advice you should contact the Information Commissioner’s Office (ICO).
6. THE EIGHT PRINCIPLES OF DATA PROTECTION
The Data Protection Act 2018 states that anyone who processes personal information must comply with eight principles. These state that information must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary (See ‘How long we keep your information’ on page 6.)
- Processed in line with individuals’ rights
- Not transferred to other countries without adequate protection