Introduction
Studio 61 is fully committed to compliance with the requirements of the Data Protection Act 2018 (The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
They will therefore follow procedures that aim to ensure that all members, contractors, agents, consultants, partners or others who have access to any personal data held by or on behalf of Studio 61, are fully aware of and abide by their duties and responsibilities under the Act.
Statement of policy
In order to operate efficiently, Studio 61 collects and keeps information about people with whom it works. These may include Studio 61members, members of the public, current, past and prospective suppliers. This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means, there are safeguards within the Act to ensure this. Studio 61 will ensure that it treats personal information lawfully and correctly. To this end the council fully endorses and adheres to the Principles of GDPR and Data Protection as set out in the Data Protection Act 2018.
The principles of data protection
The Data Protection Act 2018 controls how personal information is used by organisations, businesses or the government.
Studio 61 will ensure everyone responsible for using personal data follows strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
There is stronger legal protection for more sensitive information, such as:
- race
- ethnic background
- political opinions
- religious beliefs
- trade union membership
- genetics
- biometrics (where used for identification)
- health
- sex life or orientation
There are separate safeguards for personal data relating to criminal convictions and offences.
People’s Rights
Under the Data Protection Act 2018, people have the right to find out what information the government and other organisations store about them. These include the right to:
- know what information about them is being stored
- be informed about how data is being used
- access personal data
- have incorrect data updated
- have data erased
- stop or restrict the processing of data
- data portability (allowing people to get and reuse data for different services)
- object to how data is processed in certain circumstances
People can write to the Secretary of Studio 61 and request a copy of the information we hold about them. The request must be actioned within a month.
There are some situations when we are allowed to withhold information, for example if the information is about the prevention, detection or investigation of a crime. We do not have to say why we are withholding information.
Costs
Requests for information are usually free.
Handling complaints
If a person thinks their data has been misused or that it has not kept it secure they should contact Studio 61 to complain. If they are unhappy with the response they can complain to the Information Commissioner’s Office or get advice from the ICO.
Dissemination and training
In addition, Studio 61 will ensure that:
- There is someone with specific responsibility for data protection in the organisation;
- Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
- Everyone managing and handling personal information is appropriately trained to do so;
- Queries about handling personal information are promptly and courteously dealt with;
- Data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures;
All members are to be made fully aware of this policy and of their duties and responsibilities under the Act.
All members will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:
- Paper files and other records or documents containing personal/sensitive data are kept in a secure environment;
- Personal data held on computers and computer systems is protected by the use of secure passwords, which where possible have forced changes periodically;
- Individual passwords should be such that they are not easily compromised.
- Paper records are disposed of securely
- Data is not shared without explicit consent from the person to whom the data relates
All partners of Studio 61 must ensure that they and all of their staff who have access to personal data held or processed for or on behalf of Studio 61, are aware of this policy and are fully trained in and are aware of their duties and responsibilities under the Act.
Implementation
The Chair will be responsible for ensuring that the policy is implemented.
Notification to the Information Commissioner
The Information Commissioner maintains a public register of data controllers, Studio 61 is registered as such.
The Data Protection Act 2018 requires every data controller who is processing personal data, to notify and renew their notification, on an annual basis. Failure to do so is a criminal offence.
Any changes to the register must be notified to the Information Commissioner, within 28 days.
To this end, any changes made between reviews must be brought to the attention of the Chair immediately.
Signed:
