1.2. The RAD Data Protection Policy and Procedures is part of the RAD s overall Information Strategy.

Similar documents
Data Protection Policy Information for Clients

Application Form: Receptionist / PA to the Senior Leadership Team

Summary of Data Protection Requirements When transferring Data Outside the UK End Users

Employee eligibility to work in the UK

The Guardianship Service

Data Transfer Policy London Borough of Barnet

Credit transfer to Customer account with AS "Meridian Trade Bank" EUR, USD free of charge * Other countries currency information in the Bank

International Hints and Tips

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Family benefits Information about health insurance country. Udbetaling Danmark Kongens Vænge Hillerød. A. Personal data

APPLICATION FORM FOR POST OF SENIOR CLINICAL BIOCHEMIST. NB: 5 Curriculum Vitae (unbound) must accompany this Application Form

This factsheet contains help and information for financial advisers who wish to advise their clients who live in Europe.

NEW PASSENGER CAR REGISTRATIONS BY ALTERNATIVE FUEL TYPE IN THE EUROPEAN UNION 1 Quarter

Planned Healthcare in Europe for Lothian residents

ERASMUS+ MASTER LOANS

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ERASMUS+ MASTER LOANS

CABINET OFFICE THE CIVIL SERVICE NATIONALITY RULES

Data Protection Policy

Genuine BMW Accessories. The Ultimate Driving Machine. BMW Trackstar. tracked. recovered. BMW TRACKSTAR.

Data Protection Policy

CIVIL SERVICE NATIONALITY RULES GUIDANCE ON CHECKING ELIGIBILITY

EU Lesson Plan. Name of Teacher: Sharon Goralewski School: Oakland Schools Title of Lesson Plan: The European Union: United in Diversity

Analysis of statistics 2015

Applying for Pension from Abroad. Did you know that you can apply for a pension even for work you did abroad in the 1960s?

Statewatch Briefing ID Cards in the EU: Current state of play

Information for applicants, employers and supervisors. Periods of adaptation

Alcohol Consumption in Ireland A Report for the Health Service Executive

Data Protection Policy and Code of Practice

Keeping European Consumers safe Rapid Alert System for dangerous non-food products 2014

ERASMUS+ MASTER LOANS

1. Perception of the Bancruptcy System Perception of In-court Reorganisation... 4

Labour Force Survey 2014 Almost 10 million part-time workers in the EU would have preferred to work more Two-thirds were women

Crystal Clear Contract Services Limited Application Form CIS/Sole Trader

In May and July 2014 UK Visas and Immigration (UKVI) introduced changes to the right to work checks employers are required to carry out.

Waste. Copenhagen, 3 rd September Almut Reichel Project Manager Sustainable consumption and production & waste, European Environment Agency

for people coming to Scotland to work

How To Understand The Transparent Directive 2

Health care in Scotland for UK passport holders living abroad

Energy prices in the EU Household electricity prices in the EU rose by 2.9% in 2014 Gas prices up by 2.0% in the EU

Pan-European opinion poll on occupational safety and health

EXECUTIVE SUMMARY. Measuring money laundering at continental level: The first steps towards a European ambition. January 2011 EUROPEAN COMMISSION

Single Euro Payments Area

Students: undergraduate and graduate students who are currently enrolled in universities

SURVEY ON THE TRAINING OF GENERAL CARE NURSES IN THE EUROPEAN UNION. The current minimum training requirements for general care nurses

The European Union Savings Tax Directive. An historic guide

DATA PROTECTION POLICY

Equity Release Schemes in the European Union

This form has two parts: PART 1: WORK IN ONE COUNTRY and PART II: WORK IN TWO OR MORE COUNTRIES.

GUIDE TO STUDENTSHIP ELIGIBILITY

Statistics on Requests for data under the Data Retention Directive

Computing our Future Computer programming and coding in schools in Europe. Anja Balanskat, Senior Manager European Schoolnet

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

- Assessment of the application by Member States of European Union VAT provisions with particular relevance to the Mini One Stop Shop (MOSS) -

THE ErP DIRECTIVE 2009/125/EC KEY FACTS» REGULATIONS 327/ /2009. ErP. - Version 2.0

Social Security. A Guide to Child Benefit. The Treasury Yn Tashtey

IN AN EMERGENCY / 2016

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

2. Is registration with PARAFES free? Yes.

INTERNATIONAL TRACKED POSTAGE SERVICE

GLOSSARY OF PATENT TERMINOLOGY

TREATY MAKING - EXPRESSION OF CONSENT BY STATES TO BE BOUND BY A TREATY

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY

Car Insurance Policy Summary

Beer statistics edition. The Brewers of Europe

Overseas degree equivalency: methodology

COMMUNICATION FROM THE COMMISSION

DATA PROTECTION POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY

Guidance on Sponsorship

EBA REPORT ON THE BENCHMARKING OF DIVERSITY PRACTICES. EBA-Op July 2016

RULES FOR THE REIMBURSEMENT OF TRAVEL AND SUBSISTENCE EXPENSES FOR EXCHANGE OF OFFICIALS

Data Protection Policy

Carer s Allowance and Carer s Credit

Size and Development of the Shadow Economy of 31 European and 5 other OECD Countries from 2003 to 2015: Different Developments

Information on insurance tax and fire protection tax for EU/EEA insurers

Access to social housing supports for non-irish nationals including clarification re Stamp 4 holders

VISA AND RESIDENCE PERMIT FOR GERMANY FOR INTERNATIONAL STUDENTS AND Ph.D. STUDENTS

41 T Korea, Rep T Netherlands T Japan E Bulgaria T Argentina T Czech Republic T Greece 50.

CENTRAL BANK OF CYPRUS

187/ December EU28, euro area and United States GDP growth rates % change over the previous quarter

Cash machine withdrawal in the EU (+Norway and Iceland)

168/ November At risk of poverty or social exclusion 2 rate in the EU28, (% of total population)

99/ June EU28, euro area and United States GDP growth rates % change over the previous quarter

The European regulatory system for medicines and the European Medicines Agency

Corporate ICT & Data Management. Data Protection Policy

Terms and Conditions for the EU/EFTA and CEE Non-EU/EFTA Windows Server Hyper-v deployment Cash Back Promotion

The coordination of healthcare in Europe

File Service Agreement ( Agreement ) of Deutsche Börse AG

Car tax refund on export

Visa Information 2012

13 th Economic Trends Survey of the Architects Council of Europe

ENTERING THE EU BORDERS & VISAS THE SCHENGEN AREA OF FREE MOVEMENT. EU Schengen States. Non-Schengen EU States. Non-EU Schengen States.

Adobe Public Relations (PR) Guidelines

New Relationship Service Fee - 20 EUR (one-time) Relationship Maintenance Fee - 20 EUR (yearly) Business Accounts

Data Protection Policy

ARE YOU A EUROPEAN CITIZEN LIVING IN BELGIUM? Come and vote for the European Parliament on 25 May 2014!

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

Transcription:

Data Protection Policy & Procedures 1. Introduction and legal context 1.1. The Royal Academy of Dance (RAD) collects, processes stores and shares information about its employees, members, registered teachers, students, candidates, customers and other contacts, (referred to in this policy as Data Subjects) in order to operate its business and comply with the requirements of the Data Protection Act 1998 (DP Act). 1.2. The RAD Data Protection Policy and Procedures is part of the RAD s overall Information Strategy. 1.3. The RAD Data Protection procedures adopt and comply with the Data Protection Principles as set out in the DP Act which are that personal data shall: 1. be processed 1 fairly 2 and lawfully and where it is clear to data subjects what the RAD is doing with their personal data (see Appendix 1 and 5) 2. be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes (see Appendix 1); 3. be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed (see Appendix 1); 4. be accurate and, where necessary, kept up to date (see Records Management Policy); 5. not be kept for longer than is necessary for that purpose or those purposes (See Records Management Policy); 6. be processed in accordance with the data subjects rights (see Appendix 4); 7. have in place appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal information (see Appendix 2 and 6); 8. not be transferred to a country or territory outside the EEA 3 unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data (see Appendix 3). 1.4. All employees who process or use personal information on behalf of the RAD must ensure that they follow these principles at all times. 1.5. In order to ensure that this happens, the RAD has developed this Data Protection Policy and Procedures. 1 Processed refers to collecting, using, disclosing, retaining or disposing of personal data 2 fairly refers to being open and transparent 3 EEA refers to Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. Page 1

2. Scope 2.1. This policy and procedures will operate in all of the RAD s national offices both in the UK and internationally and applies to all employees. The policy is based on UK legislation, but it is expected that RAD national offices will comply with the policy s main principles and maintain equivalent standards. 2.2. This policy and procedures applies to all personal data which is collected, processed stored and shared about data subjects. 2.3. It is a condition of employment or engagement that employees abide by the rules, regulations and policies made by the RAD from time to time and which are referred to in the Employee Handbook or Terms and Conditions (freelance workers). Therefore any failure to comply with the Data Protection Policy and procedures will be treated as a disciplinary matter and dealt with in accordance with the appropriate RAD s Disciplinary Procedure, which could lead to dismissal. 3. Aims & Objectives 3.1. The key aims and objectives of this policy are to: 1. protect the rights of individuals by ensuring that all personal data held is used appropriately and lawfully. 2. ensure that all collection, processing, storage and sharing of personal data by the RAD complies with the eight data protection principles and key legislative requirements. 3. maintain the confidence of data subjects. 4. Responsibilities 4.1. The Director of Finance and Administration is the RAD Data Controller for both the Royal Academy of Dance and Royal Academy of Dance Enterprises Ltd (RADE) responsible for the fair and legal processing of data. 4.2. Each Department Head or Manager is a Designated Data Controller who is responsible for handling the day to day matters related to the data held by their respective department(s). 4.3. All data subjects are responsible for ensuring that they provide the appropriate RAD department or regional office in the UK or national office (outside of the UK) with accurate and up to date personal information, and that they inform the RAD of any changes. The RAD cannot be held responsible for errors, unless we have been informed of changes to data. 4.4. All employees are responsible for ensuring that any information that they provide to the RAD in connection with their employment is accurate and up to date and that the Human Resources (HR) Department in the UK or national office (outside of the UK) is informed of any changes via appropriate methods. The RAD cannot be held responsible for errors, unless we have been informed of changes to data. 4.5 Those employees who are responsible for collecting, processing, storing and sharing information about data subjects must comply with the DP Act, this Data Protection Policy and Procedures and the RAD Records Management Policy and Procedures. Page 2

5. Publication & implementation 5.1. The Data Protection Policy & Procedures is given to all new employees at Induction and forms part of their initial briefing. The document is available to all employees via SelectHR and all employees will be alerted to revisions. 5.2. The Data Protection Policy & Procedures is also available on the RAD website for the general public, employees, freelance workers, students and customers. 6. Training 6.1. In addition to induction, RAD employees are given relevant training in Data Protection procedures on a bi-annual basis (or more frequently if legislative or other changes require). 7. Policy Ownership & Review 7.1. This policy is owned by the RAD Data Controller. The RAD is registered with the Information Commissioner in the UK for the processing of personal data. The RAD s registration numbers are Z5872158 (Royal Academy of Dance) and Z4792277 (Royal Academy of Dance Enterprises Ltd). 7.2. The RAD has a Data Protection Committee and the effectiveness of this policy is the responsibility of that Committee (see Data Protection Committee terms of reference for further information). 7.3. The Data Protection Policy & Procedures will be reviewed on a bi-annual basis (or more frequently if legislative or other changes require) by the Data Protection Committee for approval by the Senior Management team and ratification by the Board of Trustees. 8. Authority & signature Chairman On behalf of the Board of Trustees 2014 Royal Academy of Dance, to be reviewed December 2016 First approved 11 December 2014 Related Documents Information Management Strategy (to be published) Records Management Policy & Procedures (to be published) Page 3

Appendices A brief summary of the procedures which support this policy is set out in the following appendices: Appendix 1 Appendix 2 Appendix 3 Appendix 4 Appendix 5 Appendix 6 Procedure for Data collection, Data Protection Notices and Privacy Statement Procedure for Security of Personal Data Procedure for Data Sharing (to be published) Procedure for Data Subject Right to Access Personal Information Procedure for Authorised Publication or Disclosure of Information Procedure for Data Security Breaches Full procedure documents are available at www.rad.org.uk and SelectHR document store. Page 4

Appendix 1 1. The Procedure for Data Collection, Data Protection Notices and Privacy Statement relates to the Data Protection Principles 1, 2 and 3. 2. In most cases data collected by the RAD will be obtained directly from the data subject. As required by the DP Act, a data protection notice/statement will accompany all requests for personal data, such as application or entry forms (hard copy or online). 3. Information on the contents of data protection notices or statements is available in the Procedure for Data collection and Data Protection Notices/Statement. 4. The RAD Privacy Statement is made at all points of contact with data subjects, including via the RAD website. The Privacy Statement outlines what the RAD does with information that it holds, how it is used and how it is stored. The RAD also makes the key points of the Privacy Statement clear to those providing personal sensitive details in person or over the telephone. 5. A statement outlining the types of data collected by Designated Data Controllers and department employees and the business reasons for the collection is available in the Data Protection Information Audit. Please refer to the full Procedure for Data collection, Data Protection Notices and Privacy Statement document for further information available at www.rad.org.uk and on SelectHR document store. Page 5

Appendix 2 1. The Procedure for Security of Personal Data relates to Data Protection Principle 7. 2. All employees responsible for collecting personal information from data subjects take personal responsibility for the security of personal data by following RAD standards on secure storage, processing, transfer and disposal of personal data as set out in the Procedure for Security of Personal Data. 3. Data subjects have the right to expect that their personal data will be kept and processed securely and that no unauthorised disclosures or transfers will take place to anyone either within the RAD (unless appropriate) or outside the RAD to a third party. 4. Transfers of personal data between departments of the RAD in the UK are authorised where it is for legitimate business need and where it is declared at the point of collection to the data subject that it is necessary for their data to be transferred. Precautions for the safety of data being transferred are available in the Procedure for Security of Personal Data. 5. All employees are responsible for ensuring that any personal data that they hold on others is kept, processed, transferred and disposed of securely in accordance with Procedure for Security of Personal Data. 6. Any breaches of the security of personal data will be reported to a Line Manager and the Data Controlled and the Procedure for Data Security Breaches will be followed. Please refer to the full Procedure for Security of Personal Data for further information available at www.rad.org.uk and on SelectHR document store Page 6

Appendix 3 1. The Procedure for Data Sharing refers to Data Protection Principle 8. 2. Through the nature of the RAD s business in a global market it is necessary for data to be shared with third parties in the UK and within and outside of EEA. In order to comply with the Data Protection Policy and to ensure the safety of data shared, a Data Sharing Register of data sharing agreements is maintained. Information on the procedure for the maintenance of the Data Sharing Register is available in the Procedure for Data Sharing. 3. Where it is necessary for data to be shared with a third party (including those inside and outside of EEA) permission is sought from the data subject at the point of collection. 4. All reasonable steps are taken to ensure that where data is shared outside of the UK that there are adequate standards for the protection of data. Where data is shared outside of the UK and EEA, it will mainly be to the RAD s national offices, the management of which are required to sign up to the standards expected in the RAD s Data Protection Policy & Procedures. 5. Where data is shared with other third parties outside of the UK and EEA, it will be with the data subject s agreement and a Data Sharing Agreement will be exchanged. The full Procedure for Data Sharing is work in progress. When the document is available it will be published at www.rad.org.uk and on SelectHR document store Page 7

Appendix 4 1. The Procedure for Data Subject Right to Access Personal Information is related to Data Protection Principle 6. 2. All data subjects are entitled to know what information the RAD holds and processes about them and why. They also have the right to gain access to it and know how to keep it up to date. 3. All data subjects have a right under the DP Act to access certain personal data being kept about them either on computer or paper based systems (referred to in legislation as relevant filing systems ). Any person wishing to exercise this right should email dp@rad.org.uk 4. Data Subject Access Requests (including students) will be dealt with in accordance with the Procedure for Data Subject Access Requests. 5. The RAD will make a charge of 10 per Data Subject Access Request. 6. The RAD aims to comply with Data Subject Access requests for personal information as quickly as possible and will ensure that it is provided within 40 days, as required by the DP Act. Please refer to the full Procedure for Data Subject Right to Access Personal Information available at www.rad.org.uk and on SelectHR document store. Page 8

Appendix 5 1. The Procedure for Authorised Publication or Disclosure of Information is related to Data Protection Principle 1. 2. Whilst the majority of personal data held by the RAD is processed for internal administrative purposes and is never disclosed, some categories of data in some circumstances are authorised for disclosure or publication. 3. The names, images and biographies of Trustees and Directors of the RAD will be published in RAD publications and on RAD websites for marketing purposes and so as to comply with legal requirements. 4. Names of Regional and National staff are also published in RAD publications and on RAD websites to allow the business to function. 5. Biographical details of some employees may be published with the employee s consent for marketing purposes of specific events. 6. Requests for the disclosure of personal data from the police or other organisation with a crime prevention or law enforcement function, will be fulfilled and considered authorised, provided the authenticity of the person making the request is established, the personal information is being requested to prevent or detect a crime or to catch or prosecute an offender and the risk of not releasing the information would be to seriously impede crime prevention or detection. 7. Employees responsible for personal data collection are made aware by their line managers of the purpose for which the data is processed and the legitimate persons (internally) or organisations (externally) to who it can either in whole or in part be disclosed. Employees must not disclosure to any unauthorised third party. Unauthorised disclosure will usually be a disciplinary matter and will be dealt with in accordance with the Disciplinary procedure. Disciplinary action up to and including summary dismissal can be taken. Please refer to the full Procedure for Authorised Publication or Disclosure of information available at www.rad.org.uk and on SelectHR document store Page 9

Appendix 6 1. The Procedure for Data Security Breaches is related to Data Protection Principle 7. 2. The RAD has security measures in place to prevent breaches of data security, but in the event of an incident the Procedure for Data Security Breaches will be followed. 3. A Data Security Breach could include: a. Loss or theft of data or equipment with stored data. b. Unauthorised use through inappropriate access controls c. Equipment failure or human error d. Unforeseen circumstances (such as fire, flood or earthquake), anywhere in the world where data is collated and stored on local servers. e. A hacking attack f. Information obtained by the organisation being deceived. 4. The RAD s Procedure for Data Security Breaches is based on the principles of containment and recovery, assessment of ongoing risk, notification of the breach (where applicable) and evaluation and response. Please refer to the full Procedure for Data Security Breaches available at www.rad.org.uk and on SelectHR document store Page 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information