About us Policies Data Protection Policy 1. Policy Statement For the National Opera Studio (NOS) to operate effectively, both as a training organisation and as an employer, it needs to collect and use certain types of information about the people it deals with. This includes current, past and prospective employees and trainees, freelance coaches, suppliers of goods and services, customers and others with whom it communicates. It may also occasionally be required by law to collect and use such information to comply with the requirements of the HM Revenue and Customs and other government departments. The National Opera Studio recognises that personal information must be dealt with properly regardless of how it is collected, recorded and used and is committed to applying to the safeguards set out in the Data Protection Act 1998 to ensure that this happens. The lawful and correct treatment of personal data is essential to successful operations and to maintaining the confidence of those it deals with. This policy sets out the requirements for Data Protection at the NOS, to ensure that all personal information is treated lawfully and correctly, in accordance with the Data Protection Act 1998 and related legislation including the Privacy and Electronic Communications (EC Directive) Regulations 2003. It seeks to promote best practice with regard to holding, obtaining, recording, using and sharing personal data. 2. Scope This policy applies to all those who handle personal data on behalf of the National Opera Studio, including members of staff, freelancers, volunteers, contractors or sub-contractors. 3. Key Definitions Personal data comprises information which relates to a living individual who can be identified from that information or from other information which is available to us. All data held on computer is covered by the Act but paper filing systems are only covered when the files are arranged in way that allows information on individuals to be readily accessible (such as a set of A-Z files on employees). Sensitive personal data is personal data about a data subject’s racial or ethnic origin; political opinions; religious beliefs or beliefs of a similar nature; trade union membership; physical or mental health or condition; sexual life; commission or alleged commission of any offence and information about any associated proceedings. A data controller is an organisation or person that determines the purposes for which and the manner in which personal data are processed. In this case it is the National Opera Studio. A data subject is an individual about whom data are held. For example, an employee, a young artist, coach, alumnus, contractor or supplier would be a data subject. A data protection officer is the person or persons responsible for ensuring that the NOS complies with all provisions of the Act. Processing covers any action that can be done with data. This includes obtaining, recording, holding, organising, adapting, altering, retrieving, consulting, using, transferring, disclosing, aligning, combining, transcribing, printing, filing, sorting, blocking, erasing or destroying data. 4. Actions Required The Data Protection Act 1998 specifies eight principles regarding the handling of personal data. These principles are summarised below, to illustrate the standards that everybody who handles personal data on behalf of the NOS are expected to follow, together with the measures the NOS takes to comply in each case. This is not an exhaustive list of all measures undertaken by NOS to safeguard data and ensure sound working practices which uphold the principles of the Data Protection Act. Personal data must be processed fairly and lawfully and obtained for specified lawful purposes (principles 1 and 2) To comply with these two closely related principles, personal data should be obtained only for one or more specified purposes, and should be processed fairly and lawfully and in a manner which is compatible with those purposes. Valid consent must be obtained from the individual whose data is to be processed, or that one of the other conditions specified in Schedule 2 of the Data Protection Act is met (for example, the processing is necessary into relation to a contract or another legal obligation). When “sensitive personal data” is collected (such physical or mental health details or data on racial or ethnic origin) then consent must always be obtained. National Opera Studio is a Data Controller under the Data Protection Act, and is therefore registered with the Information Commissioner’s Office. As such, the purposes for which we processes personal data are set out in our entry the Register of Data Controllers (Z4952461). The Data Protection Officer must ensure that our entry on the register is regularly updated to specify any new purposes for which data will be collected or processed. Furthermore, the National Opera Studio provides a Privacy Notice on its website. Again, the Data Protection Officer must ensure that this privacy notice is kept up date and fully specifies the purposes for which data will be used. The principles behind the Privacy Notice are fairness and transparency. Those who handle personal data on behalf of the NOS must consider the fairness of how the data is used and must not use data collected for one purpose for another purpose without explicit authority from the Data Protection Officer. Whenever personal information is collected for purposes not covered by the Privacy Notice published on the NOS website then a separate Privacy Notice should be prepared and available when individuals supply their personal data (for example, when young artist applicants or short course participants fill in a form to supply their personal details). Any new Privacy Notices must be approved by the Data Protection Officer before they are used. Personal data must be adequate, relevant and not excessive, kept accurate and up to date and must not be kept for longer than necessary (principles 3, 4 and 5) These principles concern “information standards” in relation to personal data. In each case the standard relates to purposes for which the information is processed. Whenever personal information is collected it must only include information that is relevant to the purpose for which that information is intended to be used. All forms used to collect data must meet this requirement. However, it should be noted that a legitimate purpose for the collection of data may be research (for example, market or audience research). Everybody who handles personal data must ensure that it is kept accurate to extent that is practical. In particular, whenever the National Opera Studio is informed that personal information is inaccurate (for example, by telephone to the office) the data must be corrected as soon as practical, and in all circumstances within three working days. Data will not be kept for longer than necessary for the purposes for which it is held. Customer data will be made anonymous after a designated period during which the customer has had no contact with the National Opera Studio. Personal data must be processed in accordance with the rights of the data subjects, i.e. individuals about whom information is held (principle 6) The National Opera Studio must fully comply when data subjects (that is, individuals about whom data are held) exercise their specific rights under the Data Protection Act. The key rights relevant here are as follows: Subject Access Requests – individuals have the right to be told whether their personal data is being processed, to being given a description of the data and its processing, to be given a copy of the information comprising the data and to be told details of the source of the data (where available). In accordance with the law, the National Opera Studio will charge a £10 fee for this, though the fee may be waived at the discretion of the NOS Data Protection Officer. The National Opera Studio will provide the information in “permanent form”, as required by the Act. Requests will be handled by the NOS Data Protection Officer and must be answered within 40 calendar days from the receipt of the fee (or original request if the fee is waived). Anybody who had worked with personal data on behalf of the NOS must comply with requests from the NOS Data Protection Officer to hand over documents and emails containing personal data in response to a Subject Access Request. Right to prevent processing – data subjects may object to processing likely to cause damage or distress. Requests must be referred to the NOS Data Protection Officer, as the rights are limited and any response must be fully assessed before action is taken. The Data Protection Officer will respond within 21 days of receiving the objection and will not charge a fee. Right to prevent direct marketing – individuals have the right to stop marketing letters, emails, text messages or phone calls sent specifically to them. This is an “opt out” right but the Privacy and Electronic Communications (EC Directive) Regulations 2003 creates an additional obligation to actively obtain the consent of data subjects before sending out marketing emails. The NOS will obtain consent from customers before engaging in direct marketing of any sort, and anybody responsible for NOS direct marketing must ensure that consent has been obtained. Requests to exercise the right under the Data Protection Act to prevent direct marketing may be handled by the person who receives the request but should be reported to the Data Protection Officer. Such a request should be complied with immediately whenever possible and must in all cases be complied with within three working days. Right to correct inaccurate data – individuals may apply to a Court to rectify or erase inaccurate data. The Data Protection Officer will handle any requests referred to a court, but all those who handle personal data on behalf of the NOS must take all reasonable steps to ensure it is as accurate as practically possible and to correct factually inaccurate data on request. Any requests in relation to data subjects’ rights under the Act must be submitted to the Data Protection Officer. Personal data must be protected from unlawful or unauthorised processing and against accidental loss, destruction or damage (principle 7) This principle requires the NOS to take appropriate technical and organisational security measures to safeguard personal information. Technological measures refer to the security of IT systems and are the responsibility of the Chief Executive. Organisational security measures place an obligation on everybody who works for or on behalf of the NOS to ensure that personal data are never accidentally or deliberately compromised. All members of staff, freelancers and volunteers who handle personal data must therefore be aware of and follow these key principles: Keep paper files containing personal data locked away when unattended (either by placing files in a locked filing cabinet or by keeping the room itself locked whenever it is unoccupied). Limit access to electronic documents containing personal data to those with a genuine business need to access that information. Under no circumstances place personal data of any kind on USB memory sticks or other portable media, or to store copies of NOS personal data on a home computer or other electronic device owned by the employee (such as a tablet or mobile phone). This does not preclude accessing NOS personal data on a home computer or personal device, provided the data are accessed via a NOS Virtual Private Network and that any portable device used is secured with a PIN or password. Not to transfer data to other organisations except where authorised by the NOS Data Protection Officer, and under an formal Data Sharing Agreement in all cases of substantial transfers of personal data. Where personal data are transferred to other organisations by electronic means, the person making the transfer must put in place due safeguards procedures (for example, emailing a password protected spreadsheet and then sending the password in a separate email). With the exception of routine business contacts, to store all personal data in NOS databases and systems. Note in particular that NOS credit and debit card details must not be kept in spreadsheets or sent via email. All known data protection breaches (for example, the loss of personal data or evidence that it has been accessed by an unauthorised person) must be reported immediately to the Data Protection Officer. Furthermore, the Data Protection Officer must keep a register of all breaches which are known to have occurred. Personal data must not be transferred outside the European Economic Area (EEA) unless there is an adequate level of protection (principle 8) This principle requires that personal data should not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory is able to ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of their data. Apart from the EEA there are 11 other territories considered to have “adequate protection” and in the USA certain data controllers are signed up US Department of Commerce Safe Harbor Scheme, which also ensures adequate protection. The National Opera Studio undertakes to take reasonable steps to ensure that personal data are not transferred outside the EEA without suitable safeguards. 5. Who is Responsible for the Actions Required? NOS Data Protection Officer The NOS Data Protection Officer is the Chief Executive. The specific responsibilities of NOS Data Protection Officer are to: Ensure that notifications to the Information Commissioner’s Office and the Privacy Notice on the NOS website remains accurate and up to date Respond to Subject Access Requests (with power to waive the £10 fee at their discretion) Respond to requests to under the right to prevent processing Handle requests and actions brought under other rights of data subjects (including applications to a Court to correct or erase inaccurate data) Investigate any known breaches of Data Protection security, and keep a register of such breaches Authorise the transfer of personal data to other organisations, and ensure that Data Sharing Agreements are put in place where necessary. Define which databases and systems may be used to hold personal data. Audit all personal data held by the NOS and the processes used to manage personal data – such an audit may be undertaken at any time. Provide internal advice on Data Protection compliance Chief Executive The Chief Executive is responsible for ensuring appropriate technological measures are put in place to maintain the security of IT systems, including annually external and internal penetration testing. Development Manager The Development Manager is responsible for ensuring that no person is allowed access to any Development database unless that person has undergone the necessary training. Engagement & Communications Manager The Engagement & Communications Manager is responsible for ensuring that no person is allowed access to any CRM database unless that person has undergone the necessary training. Members of staff and others who handle personal data on behalf of the NOS All members of staff, freelancers, volunteers, contractors and sub-contractors who handle personal data on behalf of the National Opera Studio have responsibility to: Ensure that the processing of personal data is fair, normally by ensuring that valid consent is obtained, and not using data collected for one purpose for another purpose without explicit authority from the Data Protection Officer Correct data which is known to be inaccurate as soon as practical, and preferably immediately Retain and destroy paper and electronic records containing personal data in accordance with the appropriate retention periods. Comply with requests from the NOS Data Protection Officer to hand over documents and emails containing personal data in response to a Subject Access Request Refer requests under the “right to prevent processing” promptly to the NOS Data Protection Officer Comply with requests to opt out of direct marketing of any kind by updating the relevant permissions on the applicable database; this should be done immediately whenever possible and must always be done within three working days Take the practical actions specified in section 4.4 to ensure that personal data are held securely and protected from loss or authorised access, and report any known breaches to the Data Protection Officer Comply with requests from the Data Protection Officer to audit personal data held by the NOS and the processes in place to protect personal data In addition, those who routinely handle personal data about individuals are personally accountable for ensuring that data are collected, used and safeguarded in accordance with the principles in this policy. This means that all business decisions involving personal data (for example, relating to marketing and fundraising campaigns) must be made with Data Protection factors in mind. 6. Monitoring and Compliance The Data Protection Officer will monitor compliance with this policy by maintaining a register of all data protection subject access requests, known data security breaches and other Data Protection matters referred to them. This will demonstrate compliance, for example by showing the Subject Access Requests are responded to within the 40 calendar days specified in the Act. In addition, the Data Protection Officer will report all data security breaches of a substantial nature to the Board. The Chief Executive must review procedures and staff training from time to time to ensure that they comply with the principles set out in this policy. The National Opera Studio will proactively refer matters to the Information Commissioner’s Office (ICO) whenever there is significant doubt as whether the organisation is or will be fully compliant with the Data Protection Act or associated legislation. Any guidance from the ICO will be fully taken into account, and any instructions or notices from the ICO will be fully complied with as soon as practically possible.