EODS Data Protection Policy
Data Protection Policy
The purpose of this policy is to enable Evesham Operatic and Dramatic Society to comply with the law, the GDPR (May 2018), in respect of the data it holds about individuals.
The Society will:
· follow good practice
· protect all individuals by respecting their rights
· demonstrate an open and honest approach to personal data and
· protect the Society from the consequences of a breach of its responsibilities.
This policy applies to all the information that we control and process relating to identifiable, living individuals including contact details, photographs, audio and digital recording.
Data Storage and processing
Evesham Operatic and Dramatic Society recognises that data is held about its members and Friends of the Society.
This information is always stored securely and access is restricted to those who have a legitimate need to know. We are committed to ensuring that those about whom we store data understand how and why we keep that data and who may have access to it. We do not transfer data to third parties without the express consent of the individual concerned.
Rights of individuals
All individuals who come into contact with Evesham Operatic and Dramatic Society have the following rights under the GDPR:
· a right of access to a copy of their personal data
· a right to object to processing that is likely to cause or is causing damage or distress
· a right to prevent processing for direct marketing
· a right to object to decisions being taken by automated means
· a right, in certain circumstances, to have inaccurate personal data rectified, blocked, erased or destroyed and
· a right to claim compensation for damages caused by a breach of the DPA.
Archived records are stored securely.
The Committee recognises its overall responsibility for ensuring that the Society complies with its legal obligations.
Roles and Responsibilities for Committee
· reviewing Data Protection and related policies
· ensuring that Data Protection induction and training takes place
· handling subject access requests.
All Society members are required to read and understand and accept any policies and procedures that relate to the personal data they may handle.
Key risks to the safety of data control and process:
The Committee has identified the following potential key risks:
· breach of confidentiality (information being given out inappropriately)
· individuals being insufficiently informed about the use of their data
· misuse of personal information
· failure to update records promptly
· poor IT security and
· direct or indirect, inadvertent or deliberate unauthorised access.
The Committee will review the Society’s procedures regularly, ensuring that the Society’s records remain accurate and consistent and in particular:
· IT systems will be designed, where possible, to encourage and facilitate the entry of accurate data
· data on any individual will be held in as few places as necessary and the Committee will be discouraged from establishing unnecessary additional data sets
· effective procedures will be in place so that relevant systems are updated when information about an individual changes.
If a breach of data security is suspected or occurs the Committee/Data Protection Officer should be notified immediately.
Subject Access Requests
Any individual who wants to exercise their right to receive a copy of their personal data can do so by making a Subject Access Request (‘SAR’) to the Secretary of the Society. The request must be made in writing and the individual must satisfy Evesham Operatic and Dramatic Society of their identity before receiving access to any information.
A SAR must be answered within 40 calendar days of receipt by the Secretary.
Collecting and using personal data
Our legal basis for processing this data is our legitimate interest as an Amateur Dramatic Group. We use the data for the communication of information and the organisation of events and collect it in a variety of ways.
Evesham Operatic and Dramatic Society will:
· not use any of the personal data it collects in ways that have unjustified adverse effects on the individuals concerned
· be transparent about how it intends to use the data and give individuals appropriate privacy notices when collecting their personal data
· handle people’s personal data only in ways they would reasonably expect
· not do anything unlawful with the data
· not post photographs on social websites without permission; we have safeguarding responsibilities
· advise audience members not to take photographs or make recordings.
Keeping Data Secure
The Society will take all appropriate measures to prevent unauthorised or unlawful processing of personal data and to protect personal data against loss, damage or destruction. This means that:
· This information will be recorded in our database, which is stored on a secure personal computer.
· Email addresses will be used in a group mailing list and used solely for the legitimate interests described above.
Retention of personal data
The Society will not keep personal data for longer than is necessary.
Full information about the Data Protection Act, its principles and definitions can be found at www.ico.gov.uk
Authorised by Resolution by the Committee
Date: May 2019
Effective Date of the Policy: May 2019
Effective Date for Review: May 2020