Data Protection Policy

1. Policy statement

1.1 This document sets out West Sussex Music Trust’s [the Trust] Data Protection Policy and how it complies with the Trust’s duties under the Data Protection Act 1998 (the Act).

1.2 The Act regulates the way in which personal information about individuals, whether held on computer or in a manual filing system, is obtained, stored, used, disclosed and destroyed. Individuals have a right to see their personal data, require modification of the data if it is inaccurate and prevent processing of the data.

1.3 The Trust needs to collect and use personal data and sometimes sensitive personal data about people with whom it deals in order to perform its functions.

1.4 The Trust regards the lawful and correct treatment of personal information as critical to successful operations, and to maintaining the confidence of its customers, employees and partners that this is the case. It is essential that it treats personal information lawfully and correctly in accordance with the Act.

1.5 Failure to comply with the Act exposes the Trust and its staff to civil and criminal claims and possible financial penalty.

1.6 This Policy applies to all staff and the Trust expects all of its staff and members to comply fully with this Policy and the principles of the data protection legislation. Disciplinary action may be taken against any employee who breaches any of the instructions or procedures forming part of this policy.

1.7 Third parties or contractors with whom the Trust shares personal data or who hold data on the Trust’s behalf will be expected to enter into and adhere to contractual obligations with the Trust incorporating the principles of this policy and the requirements of Data Protection legislation. Such contracts must define the purposes for which personal data is supplied to or held by the third party and require that contractors take appropriate organisational and technical measures to protect the data.

2. The eight Data Protection Principles

2.1 Personal data shall be processed fairly and lawfully. Individuals should be informed of who is collecting the data, for what purposes and whether there will be any third party disclosures.

2.2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

2.3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Staff must ensure they comply with the Trust’s retention schedule when disposing of personal data. Staff must correct inaccurate data where appropriate. Inaccurate data should not be retained.

2.4 Personal data shall be accurate and, where necessary, kept up to date.

2.5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

2.6 Personal data shall be processed in accordance with the rights of data subjects under this Act. Individuals have rights to inspect personal data held on them and to receive a copy of that data.

2.7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

2.8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

3. Allocation of responsibilities under the Data Protection Act

3.1 Each member of the Senior Leadership Team is responsible for implementing good data protection procedures within their areas of responsibility and ensuring the proper security of information held. The leadership team should have regard to this Data Protection Policy, the Information Sharing Policy and the IT Security Policy when formulating any related procedures.

3.2 One member of the Senior Leadership Team is the Information Liaison Officer [ILO] and has specific responsibility for Data Protection matters.

3.3 Advice, guidance and training on Data Protection legislation are provided to the Information Liaison Officer through appropriate training opportunities.

3.4 It is the responsibility of all staff considering proposals for the creation of any new databases or significant changes to current databases containing personal data to consult the ILO, or another member of the Senior Leadership Team, at an early stage in the development of such proposals.

3.5 It is the responsibility of all staff to ensure that their working practices comply with the principles of the Data Protection Act and that information held by the Trust is accurate and up-to-date. All new staff will receive basic training on the Act as part of their induction. Managers should liaise to ensure all staff receive appropriate training on the Data Protection legislation, on the application of this policy and on their individual responsibilities.

4. Security of data

4.1 All staff are responsible for ensuring that personal data which they process is kept securely and is not disclosed to any unauthorised third parties. Access to personal data should only be given to those who need access for the purpose of their duties.

4.2 The Trust shall ensure that an Acceptable IT Use Policy is in place that covers all aspects of activity and conduct so as to ensure compliance with the Trust’s obligations in relation to electronically held information and that such a policy is kept up to date and drawn to the attention of all staff. Staff should comply with the Acceptable IT Use Policy, which must be signed as read by all staff before access to information containing personal data is permitted.

4.3 Personal data should not be left where it can be accessed by persons who are not authorised, under this policy and the Data Protection Principles, to see it or to have access to it.

4.4 Personal data which is no longer required must be destroyed appropriately, for example, by shredding or, in the case of computer records, secure deletion. Computers must have all personal information securely deleted using the appropriate software tools when they are disposed of in accordance with the Trust’s policy for IT Asset Management. Personal data must be destroyed in accordance with the Trust’s retention schedule.

4.5 Staff who work from home must have particular regard to the need to ensure compliance with this policy and the policy for Working From Home and the Acceptable IT Use Policy.

5. Data subjects’ rights

5.1 Staff and members of the public have the right to see personal data held about them.

5.2 Requests for access to personal data (Subject Access Requests) are processed by the ILO. Records of all requests shall be maintained and progress on responses to requests logged.

5.3 The Trust aims to respond quickly to a subject access request and in any event within the statutory time limit of 40 days. Subject access requests will be managed and tracked using an electronic system.

5.4 In the event that a person is not satisfied with the response to a subject access request a review or appeal may be made to the Chief Executive of the Trust.

6. Disclosures to third parties

6.1 Individuals who do not handle personal data as part of their normal work still have a responsibility to ensure that any personal data they see or hear is not disclosed to third parties. This applies both to the personal data itself and to information extracted from it; unauthorised disclosure might occur, for example, by passing information over the telephone, by communicating information contained on a computer print-out, or inadvertently by allowing a computer screen to be read.

6.2 Disclosures of information to third parties must be in accordance with the provisions of the Act.

6.3 The Trust also has a Policy for Information Sharing and passes on data for a range of lawful reasons only in accordance with formally agreed arrangements and whilst maintaining compliance with the Act.

6.4 Disclosure within the Trust will be on a need to know basis and in accordance with obligations of confidentiality that will be judged when a request for information is made.

7. Ensuring compliance

The Trust will ensure that:

7.1 There is an appropriately trained member of staff, the Information Liaison Officer [ILO], to deal with compliance issues.

7.2 Legal advice, training and guidance are available to all staff.

7.3 The development and promulgation of best practice and co-ordination of data protection policies and procedures in the Trust will be the responsibility of the ILO.

7.4 All new staff will be trained on the Act as part of their induction.

7.5 The Trust will have in place a compliance programme to monitor data processing.

8. Information Commissioner Notification

8.1 The Trust renews its notification to the Information Commissioner (ICO) each year. The notification details what processing of personal data the Trust carries out.

8.2 The Information Liaison Officer will conduct an annual audit of the systems which process personal data, reporting the outcome to the Chief Executive to ensure compliance with the Data Protection Act principles.

8.3 It is the responsibility of the named lead officer within legal services to process annual renewals with the Information Commissioner.

Appendix 1

Definition of Terms

To aid the understanding of this document and the provisions of the Data Protection Act the following definitions are provided for assistance:-

Data is recorded information held by a public authority.

Data Controller means the Trust as the organisation who determines how data is processed.

Data Processor means any person, other than an employee of the Trust, who processes data on behalf of the data controller e.g. someone contracted to the Trust to print documents containing personal data.

Data subject is the individual about whom personal data is held.

Personal Data means data about a living individual who can be identified from that information (or from that and other information in the possession of the data controller). This includes an expression of opinion about the individual.

Sensitive Personal Data means personal data consisting of information as to:-

  • racial or ethnic origin of the data subject
  • his/her political opinion
  • his or her religious beliefs or other beliefs of a similar nature
  • whether he or she is a member of a trade union
  • his or her physical or mental health or condition
  • his or her sexual life
  • the commission or alleged commission by him or her of an offence
  • any proceedings for any offence committed by him or her, the disposal of such proceedings or the sentence of any court in such proceedings.

Processing is very widely drawn and means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data including organisation, adaptation or alteration, disclosure and destruction of the information or data.