Casting House is fully committed to compliance with the requirements of the Data Protection Act 1998 (“the Act”), which came into force on 1st March 2000. Casting House will therefore follow procedures that aim to ensure that all employees, contractors, agents, consultants, partners or other servants who have access to any personal data held by or on behalf of Casting House are fully aware of and abide by their duties and responsibilities under the Act.
Casting House is registered with the Information Commissioner’s Office, and “Casting House” is the trading name of Casting House Limited (Company Registration Number 07238420).
Scope of Policy
This policy applies to:
· the UK office of Casting House;
· all sessional workers operating on behalf of Casting House;
· all employees, contractors, agents, consultants, partners;
· any other servants who have access to any personal data.
This policy is effective as of 30 June 2010.
This policy is set to be reviewed as often as required, by either law or discretion, and at the very least every 3 years.
Data Protection Principles
The Act stipulates that anyone processing personal data must comply with eight principles of good practice. These principles are legally enforceable.
The principles require that personal information:
1. Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met;
2. Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
4. Shall be accurate and where necessary, kept up to date;
5. Shall not be kept for longer than is necessary for that purpose or those purposes;
6. Shall be processed in accordance with the rights of data subjects under the Act;
7. Shall be kept secure i.e. protected by an appropriate degree of security;
8. Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.
The Act provides conditions for the processing of any personal data. It also makes a distinction between “personal data” and “sensitive personal data”.
Personal data is defined as data relating to a living individual who can be identified from:
· that data;
· that data and other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.
Sensitive personal data is defined as personal data consisting of information as to:
· Racial or ethnic origin;
· Political opinion;
· Religious or other beliefs;
· Trade union membership;
· Physical or mental health or condition;
· Sexual life;
· Criminal proceedings or convictions.
This policy applies to information relating to identifiable individuals, or entities of whatever kind, even where it is technically outside the scope of the Data Protection Act, by virtue of not meeting the strict definition of ‘data’ in the Act.
Casting House will:
· comply with both the law and good practice
· respect individuals’ rights
· be open and honest with individuals whose data is held
· provide training and support for staff who handle personal data, so that they can act confidently and consistently
Casting House recognises that its first priority under the Data Protection Act is to avoid causing harm to individuals. In the main this means:
· keeping information securely and in the right hands, and
· holding good quality information.
Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, Casting House will seek to give individuals as much choice as is possible over what data is held and how it is used.
Data Protection Officer
The Data Protection Officer is currently Charles Clare, who has the following responsibilities:
· Briefing the organization on Data Protection responsibilities
· Reviewing Data Protection and related policies
· Advising other staff on Data Protection issues
· Ensuring that Data Protection induction and training takes place
· Handling subject access requests
· Approving unusual or controversial disclosures of personal data
· Approving contracts with Data Processors
Each team or department where personal data is handled is responsible for drawing up its own operational procedures (including induction and training) to ensure that good Data Protection practice is established and followed.
All staff should be required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. (The expression “staff” includes both paid staff and any other person working for Casting House.)
Also, the managers must ensure that the Data Protection Officer is informed of any changes in their uses of personal data that might affect the organisation’s Notification.
Because confidentiality applies to a much wider range of information than Data Protection, Casting House has a separate Confidentiality Policy. Some of the things that are likely to be confidential, but may well not be subject to Data Protection, include:
· Information about the organisation (and its plans or finances, for example)
· Information about other organisations, since Data Protection only applies to information about individuals
· Information which is not recorded, either on paper or electronically
· Information held on paper, but in a sufficiently unstructured way that it does not meet the definition of a “relevant filing system” in the Data Protection Act
Normally access will be defined on a “need to know” basis; no one should have access to information unless it is relevant to their work. This may be relaxed in the case of information which poses a low risk.
Casting House will have a privacy statement for Data Subjects, setting out how their information will be used. This will be available on request, and a version of this statement will also be used on the Casting House web site. (See Appendix A.)
Staff and workers will be required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities. (See Appendix B.)
The confidentiality policy is set out below. (See Appendix C.) There will always be cases where the organisation feels it is right to break confidentiality, and there is a procedure for deciding on a case-by-case basis whether this is appropriate.
Where anyone within Casting House feels that it would be appropriate to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done with the authorisation of the Data Protection Officer. All such disclosures will be documented.
DATA RECORDING & STORAGE
Casting House has a single database holding basic information about all contacts, candidates, prospects and any other relevant people, organizations or institutions. Staff may not keep separate information about those they are supporting.
Casting House will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
· ICT systems will be designed, where possible, to encourage and facilitate the entry of accurate data.
· Data on any individual will be held in as few places as necessary, and all staff will be discouraged from establishing unnecessary additional data sets.
· Effective procedures will be in place so that all relevant systems are updated when information about any individual changes.
Staff who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.
Updating & Storage
Casting House uses a two-year cycle of disposing of sensitive personal information. All personal information is stored in a password-protected, “cloud”-based server.
Retention Periods & Archiving
Casting House will establish retention periods for at least the following categories of data:
· Sensitive personal information will be reviewed by the Data Protection Officer after 18 months.
· Initial contact details, which may contain personal data, may be kept for up to 2 years.
· Any archived paper records of data are stored securely on site.
A determination will be made by the Data Protection Officer, considering whether that personal information should be either updated or destroyed. After the determination is made, all stored data subject to deletion will be deleted in its entirety and no backup will be kept.
Acceptance & Responsibilities
All staff who have access to any kind of personal data will have their responsibilities outlined during their induction procedures.
Data Protection will be included in foundation training for all staff.
Casting House will provide continuing training opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.
Responsibility, Procedure & Timing
The Data Protection Officer has responsibility for carrying out the next policy review along with management and in full compliance with the Data Protection Act.
All staff will be consulted in the review, and a formal staff training session will be conducted in order to explore any relevant changes to the Data Protection Policy.
The review has to be started prior to the end of the third year in which this policy becomes effective, in such a manner as to be completed by the required date, or at the very least in a term not to exceed every three years.