Data Protection Policy – June 2018

The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. The Act applies to living individuals only, not organisations, hence personal data. The Act also applies to an activity – processing personal data – rather than to particular people or organisations. Thus, anyone who processes personal data must comply with the Act and must handle that data in accordance with the principles set out in the Act.

The City of Plymouth Festival is a charitable organisation, run by voluntary personnel, which promotes the performing arts. The Festival recognises its responsibilities under the Data Protection Act and will achieve these as follows:

1 Data will only be collected on behalf of the Festival by specified personnel. Data will be collected by consent where appropriate, or by other criteria as specified in Article 6 of the General Data Protection Regulation.

2 Only such data will be collected as is necessary for the efficient administration of the Festival. All reasonable efforts will be made to ensure that the data held is accurate. An individual can obtain, without charge, details of any data held by the Festival about that person by written application to the General Secretary. Any data which is deemed by an individual to be incorrect will be amended or deleted as requested.

3 Data will be held for such length of time as is deemed necessary for the efficient administration of the Festival, or as may be required by law. This period will be reviewed periodically by the Festival committee, but at present these are:
• Data concerning entries to the Festival – 3 years
• Data concerning Members, Friends, stewards, advisors – ongoing, so long as the individual is associated with the Festival
• Financial data – as required by legislation (usually 7 years)

4 All reasonable steps will be taken to ensure the security of any data held on behalf of the Festival, whether in written or electronic form. Laptops and home PCs will be password protected, written copies will be stored in a secure environment.

5 All reasonable steps will be taken to ensure that data is disposed of in a secure manner, to be determined by the Festival Members.

6 The Festival will not pass collected data to any third party unless required to do so for legal reasons.

7 Transfer of data outside the EEA: the Festival will strive to use service providers with servers inside the EEA. Otherwise, it will only use service providers that can show compliance with EEA security protocols.

8 Possible data breaches should be reported as soon as possible and will be thoroughly investigated and, where necessary, reported to the Information Commissioner’s Office (ico.gov.uk). 9 Any complaints regarding the collection and use of personal data should be made to the General Secretary in the first instance, or ultimately to the ico as above.

This policy statement and accompanying documentation will be reviewed annually and updated as necessary