Data Protection Policy

Active Creative adheres to the DATA PROTECTION ACT 1998 and Regulation (EU) 2016/679 (GDPR) and the Privacy and Electronic Communications (EC Directive) Regulations (all as amended, updated or re-enacted from time to time); any law based on or seeking to enact any such provisions in the United Kingdom to the GDPR; and (ii) any applicable guidance or codes of practice issued by Working Party 29, the European Data Protection Board or Information Commissioner from time to time (all as amended, updated or re-enacted from time to time).

For the purposes of the Data Protection Act 1998 and Regulation ( EU) 2016/679 ( GDPR) as above, we ask customers and staff to consent to the holding and processing of personal data provided by you to Active Creative.

1 Introduction and general principle

Active Creative is committed to good practice in the handling of personal data and careful compliance with the requirements of the Data Protection Act.

Active Creative is committed to good data management, in order to protect people from harm. In the main this means:

keeping information securely in the right hands and
holding good quality information

Active Creative also ensures that it takes account of the legitimate concerns of individuals about the ways in which their data may be used. In particular, Active Creative aims to be open and transparent in the way it uses personal data and, where relevant, to give individuals a choice over what data is held and how it is used.

The most important risks which this policy addresses are:

Inappropriate disclosure of personal data about Active Creative Team, or customers that puts an individual at personal risk or contravenes a duty of confidentiality
Negligent loss of data that would cause concern to people whose data was lost and would seriously affect Active Creative’s reputation
Failure to engage Data Processors on legally compliant terms. (Data Processors are external contractors and suppliers of outsourced services)

2 Responsibilities

Active Creative recognises its overall legal responsibility for Data Protection compliance.

Day to day responsibility for Data Protection is delegated to each Franchisee or their nominated Data Protection Officer.

The main responsibilities of the Data Protection Officer are:

Briefing Franchise Teams on their and Active Creative’s Data Protection responsibilities
Reviewing Data Protection and related policies in their Franchise Area
Ensuring our customer database is compliant with al GDPR regulations
Advising staff on Data Protection issues and practices in Active Creative
Ensuring that Data Protection induction and regular training takes place
Approving unusual or controversial disclosures of personal data
Approving contracts with Data Processors (external contractors and suppliers of outsourced services), in agreement with Lorry Edwards as Head of Active Creative
Have understood Notification (i.e. registration with the Information Commissioner). Head Office ensures compliance
Handling requests from individuals for their personal data

All staff or volunteers are responsible for understanding and complying with the procedures that Active Creative has adopted in order to ensure Data Protection compliance.

All Franchise Teams have the following responsibilities:

Assisting Lorry Edwards in identifying aspects of their area of work which have Data Protection implications so that guidance can be provided as necessary
Ensuring that their activities take full account of Data Protection requirements
Including Data Protection and confidentiality in the induction and training of all staff including Agency or casual staff and volunteers. (And freelance consultants if relevant)

‘Data controller’ refers to the organisation that decides why and how personal data is to be processed. Active Creative is the ‘data controller’ under the Data Protection Act (1998) and is therefore ultimately responsible for implementation.

However, day to day matters relating to this data protection policy and the handling of subject access requests will be dealt with by the Data Protection Officer within each Franchise area.

‘Data subjects’ refers to the individual whose personal data is being processed.

‘Processing’ refers to the use made of personal data including:

obtaining and retrieving
holding and storing
making available within or outside the organisation printing, sorting, matching, comparing, destroying

2.1 Data management:

All data collection and recording systems are designed to ensure that the data collected is adequate, relevant and not excessive for the purpose. Where relevant, staff and volunteers are given training in good data recording practice to ensure that the data they record is appropriate.

Active Creative takes reasonable steps ensure that information is kept accurate and up to date by asking data subjects at appropriate intervals to check their key information for accuracy and to notify Active Creative if there have been any changes.

Active Creative maintains an agreed retention schedule based on legal and practical requirements.

2.2 Retention of Records:

The Data Protection Act states that data should not be kept for longer than is necessary for the purposes for which it is processed.

Therefore, Active Creative will use following time periods for retaining employee, volunteer and beneficiary data. These guidelines relate to all at Active Creative who may hold information about individuals.

Staff Team Data:

Applicants for jobs who are not short-listed for interview: 6 months

Applicants short-listed for interview that are not successful: 12 months

Ex-employees: 5 Years

Summary of record of service of ex-employees: 10 years

It is important to remember that computer records as well as manual files are included in this protocol.

Customer Data:

To comply with new GDPR regulations we commit to obtaining consent for customer information.

We commit not to contact any historic (not currently engaged), customer electronically without consent.

‘Service User’ refers to anyone attending Active Creative classes or any others who use/ engage in Active Creative’s services, whether that is a single encounter during a workshop, or an ongoing class.

We must keep all data on current / active customers for H&S reasons

The age range is 4 years

The Active Creative age range spans a 10-year period, so 4 years would be reasonable to keep data in order to best inform parents of initiates, new classes, changes of teachers etc.

2.3 Disposal of Data:

Active Creative will carry out a periodic review to identify all data that has reached its disposal date. All relevant data on individuals must be disposed of sensitively and completely. If the information is hard copy it must be shredded or incinerated. If the information is soft copy (i.e. on a hard drive or computer disk) it must be deleted from the file, disk and the recycle bin of the computer. Remember to check for all copies of the data.

3 Confidentiality & security

Active Creative recognises that a clear policy on confidentiality of personal data – in particular that of staff and beneficiaries underpins security. It maintains a policy that sets out which staff are authorised to access which data and for which purposes. In particular, this clarifies when data may be disclosed outside Active Creative and whether such disclosures require the individual’s consent. See the separate confidentiality policy.

Active Creative maintains a security policy that sets out measures to protect data ‘at rest’ – including access being restricted only to authorised staff – and measures to protect data ‘in transit’, whether it is physically removed from a secure environment or transmitted electronically.

All staff, freelance consultants and any helpers are required to abide by any security measures designed to protect personal data from loss, misuse or inappropriate disclosure.

4 Principles underlying operational procedures

Good Data Protection practice is, wherever relevant, incorporated into everyday operational procedures. These aim to include:

Transparency, so that all the individuals about whom data is collected are made aware of the uses that Active Creative makes of information about them, and in particular to whom it may be disclosed.
Informed consent, where necessary, especially in the case of donors and clients.
Good quality data, so that all the data held about individuals is accurate and can be justified as adequate, relevant and not excessive.
Clear archiving and retention periods.
Security, proportionate to the risk of information being lost or falling into the wrong hands.

5 Specific legal provisions

Active Creative makes no charge for Subject Access.

The Data Protection Act gives rights of access to an individual to the personal data held on them. They can access this data at any time by making a written request to the Operation Director
The designated Data Protection officer must be satisfied with the identification of the individual making the request and can ask for information or documentation as proof
Individuals are entitled to a copy of the information held on them, both on computer, in emails and as part of a relevant filing system within 1 month of their request being received
Individuals also have a right to know why their information is being held, who that information is being disclosed to and for what purpose.

Active Creative maintains an up to date Notification with the Information Commissioner as required by law.

All contracts between Active Creative and external data processors are reviewed by the Data Protection Officer for compliance with Data Protection Act requirements.

May 2018