General Data Protection Regulations (GDPR)
Stourbridge Theatre Company Ltd. (STC)
Stourbridge Theatre Company Ltd (an amateur theatre company) is a not for profit company limited by guarantee. We hold personal data about our members, patrons and members of the public who have purchased tickets to see our productions. The company have no paid employees or members.
This policy sets out how we seek to protect personal data and ensure that members understand the rules governing the use of personal data to which they have access in the course of their involvement with STC. In particular, this policy requires members to ensure that the Board of Directors be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.
Personal Data; includes information relating to identifiable Data Subjects. Data Subjects:- Individuals about whom data is held Sensitive personal data; includes data about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings.
The 6 data protection principles and the rights of individuals:
· a right of access to a copy of the information comprised in their personal data;
· a right to object to processing that is likely to cause or is causing damage or distress;
· a right to prevent processing for direct marketing;
· a right to object to decisions being taken by automated means;
· a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed:
· a right to claim compensation for damages caused by a breach of the Act.
This policy applies to all members of STC who have access to any data held by the company,
Who is responsible for this policy?
The Chairman of The Board of Directors is responsible for and has overall responsibility for the day-to-day implementation of this policy. The responsibilities include:-
· Keeping up to date about data protection laws and data protection responsibilities, risks and issues.
· Reviewing data protection procedures and policies annually.
· Answering questions on data protection from members, patrons, members of the public and other stakeholders.
· Responding to members, patrons and members of the public who wish to know what data is being held by STC about them.
· Checking and approving third party contracts or agreements that process STC’s data.
· Ensuring that all systems meet acceptable security standards
· Appropriate data protection statements within emails and other marketing copy.
Fair and lawful processing; STC will process personal data fairly and lawfully in accordance with the 6 data protection principles and individuals’ rights. In particular, STC will not process personal data unless the individual has consented to this happening.
The processing of all data must:
· Enable STC to communicate with its members, patrons and other stakeholders.
· Be in the legitimate interests of STC and not unduly prejudice the individual's privacy
· Set out the purposes for which STC hold personal data.
· Ensure that individuals have a right of access to the personal data that is held by STC about them
Sensitive personal data
STC does not hold or process any sensitive personal data
Accuracy and relevance
STC will ensure that any personal data we process is accurate, relevant and not excessive and in accordance with the purpose for which it was obtained. STC will not process / use personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
STC will keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, STC will establish what, if any, additional specific data security arrangements need to be implemented in arrangements with third party organisations.
Storing data securely
· In cases when data is stored on printed paper, it will be kept in a secure place where unauthorised personnel cannot access it
· Printed data will be shredded when it is no longer needed
· Data stored on a computer will be password protected.
· No data will be stored on the cloud.
· Data will be regularly backed up.
· Data will not be saved on portable devices, including memory sticks, CDs or other transportable devices unless those devices are password protected.
Data will not be transferred other that between members of STC for the furtherance of STC activities. No data will be transferred to any destination outside of the UK.
Subject access requests:
Individuals are entitled, subject to certain exceptions, to request access to information held about them. If any subject access request is received by any STC member, it will immediately be referred to the Chairman of the Board of Directors who will ensure that the request is actioned. Upon request, anyone will have the right to receive a copy of their data in a structured format. These requests will be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. Anyone may also request that their data is transferred directly to another system. This will be done for free.
Right to be forgotten:
Anyone may request that any information held about them is deleted or removed, and any third parties who process or use that data must also comply with the request.
Processing data in accordance with the individual's rights:
All data will be processed in accordance with the 6 data protection principles. STC will not send promotional advertising to anyone (e.g. via email) unless that person has agreed to receive information about STC and similar activities.
Transparency of data protection:
STC will be transparent and provide accessible information to individuals about how we will use their personal data. The following are details on how we collect data and what we will do with it:
The following data is collected:-
· Data subject name
· Postal address
· Email Address.
· Telephone number
· Ticket purchase history (but not any finance or credit data)
Data is collected at the time an individual joins STC or requests addition to the STC mailing list. Data is checked annually when STC members or Patrons renew their membership.
The data is collected to maintain a register of membership and patronship.
The data will only be used to enable communication with members or patrons about STC and similar organisations activities. The data will only be shared with other STC members for the furtherance of STC activities. The data will be retained for as long as an individual is a member or patron of STC and for a period of no more than 5 years after such membership or patronship ceases.
Consequences of failing to comply:
We take compliance with this policy very seriously. Failure to comply puts individual members and STC both at risk.
Update August 2021:
STC Ltd has registered with the Information Commissioner’s Office as indicated in a letter from The ICO dated 14th June 2021. We have paid a fee of £40. Note:- Advice taken from the ICO advice line, by the Chairman, says that the only reason we are advised to register is because we “advertise other people’s services in our programmes” Maintaining a computer record of membership does not require registration.
This policy was review August 2021