Data Protection Policy
Introduction
Tumble Circus recognises the importance of protecting and storing personal information and in being open and honest with our employees and people who participate in our programmes and attend our events about the use of the information that we hold. This policy sets out the principles Tumble Circus adheres to, the type of information we hold and for what purpose, how long that information will be held for and who has a right to access the information.
Scope
This policy applies to all employees, regardless of their status and should be adhered to by everyone who works on Tumble Circus projects and performances, freelance artists, volunteers and visitors. Tumble Circus and its employees have a shared responsibility to ensure that this policy is adhered to and promoted throughout the charity.
General Policy
Legal Framework
Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business. The Act regulates the processing of personal data, such as its collection, storage, use, destruction and any access to it. Personal data is data which refers to identifiable living individuals, known as data subjects. A personnel record would be one example.
Principles
The Act contains six key principles which must be followed when using personal data:
- Data should be used fairly, lawfully and transparently.
- Data should be obtained only for specified, explicit and legitimate purposes.
- Data should be used in a way that is adequate, relevant and limited only to what is necessary.
- Data should be accurate and, where necessary, kept up to date.
- Data should not be kept longer than is necessary.
- Data should be processed in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
Lawful basis for processing
The legal bases on which Tumble Circus processes personal data are:
- For the performance of a contract or to take steps to enter into a contract.
- Public task, official authority or legal obligation.
- Our legitimate interests except where they are overridden by the need to protect personal data.
- The processing is necessary to protect your vital interests or those of another person.
- Where consent has been given for processing. Where consent is the legal basis for processing, this can be withdrawn at any time by contacting the Data Protection Officer.
Compliance arrangements
Tumble Circus recognises the need to protect its employees, freelance artists and those who participate in our programmes or attend our events from the misuse of personal and sensitive personal information that is held about them in their Personnel Records and audience records and to protect their rights under the Act. The following arrangements are in place to ensure this.
Personal data Tumble Circus holds
Personal data is held for purposes of administration, supervision, management, the payment of employees and to develop and maintain the employment relationship between Tumble Circus and its employees and contractual relationship with freelance artists. Personal information will also be used for monitoring purposes and for any residual employment related activities, such as recruitment and selection, the provision of job references, processing applications for employment and any matters relating to the provision of pension scheme payments.
Data is held on people who purchase tickets for events, participate in events and hire our facilities. The data is held for the purposes of administration and to maintain the relationship with Tumble Circus.
Verification and updating of personal data
There is a requirement to maintain accurate and up to date records. Employees and have the right to have incorrect data updated and to add any further details that may have been omitted from the records. To ensure this, staff or freelance artists must notify the Senior Artist (Tina Segner) in writing of any changes in relation to: next of kin, name, address, telephone number, bank details, and qualifications where appropriate.
The employee’s personal file will be maintained securely with the Senior Artist. The Senior Artist is responsible for notifying payroll, the individual concerned and his/her line manager in writing of any changes affecting an individual’s remuneration or status, and for placing a record of this on the individual’s file.
Retention of personal information
Personal information will be retained for the duration of employment or the potential involvement in or attendance at Tumble Circus programmes, and it will be updated, revised or deleted as appropriate (please refer to Tumble Circus Retention Schedule). Thereafter personal information about a past employee will be kept for three years. Information will also be retained in respect of staff recruitment such as application forms, references and interview notes, for both successful and unsuccessful applicants.
Monitoring information, if applicable, for all applicants and appointees will be kept for a minimum of three years from the date of receipt of application forms, whilst recruitment files must be kept for a minimum of 12 months after the recruitment file has closed. This information includes: Gender, Marital status, Religious belief or political opinion, Disability, Race or ethnic origin, Nationality, and Age.
This information is treated in the strictest confidence and employees’ names will not be shown in the statistics produced. The statistics may not be completely anonymous, however, if the data is unique, and as a result the nature of this data means it is capable of identifying individuals. This information is confidential to the Senior Artist (Tina Segner) and to the employee to whom it relates. The board will retain securely and confidentially the equivalent information in relation to Tina Segner.
Disclosure of personal information – External
Tumble Circus does not disclose personal information about employees, participants, audience members, volunteers or customers to external organisations or individuals except where Tumble Circus has entered into a contract for the provision of services. In such instances the contractor will ensure compliance with the Act. Tumble Circus is legally required to disclose information to organisations such as the PSNI, Probation Service, Courts, Inland Revenue, Child Support Agency, Benefits Agency, the Pensions Regulator and Department of Health and Social Services. Personal information will also be passed to Tumble Circus’s insurance company, bankers, medical practitioners, payroll agency and pension provider.
Personal information will not be made available to other individuals or organisations outside Tumble Circus without the employee’s knowledge and consent except in relation to information requested in respect of mortgage loan applications; reference requests; and where non-disclosure would hamper the detection of crime.
Disclosure of personal information – Internal
In accordance with the data protection principles, the following employee personal data is considered to be ‘open access’ and may be disclosed on request to any member of staff including internal Tumble Circus representatives: Name, Job Title, Office telephone number/extension, Employment status, Employment commenced, Date terminated, Hours of work, and project manager’s name and job title.
Any other data which the employee specifically consents to allow the Senior Artist to disclose on an ‘open’ basis will also be treated as ‘open access data’.
Access to other employee personal data is restricted to Tumble Circus line managers (i.e. Senior Artists, and the chair of the board in relation to the Senior Artists) and the individual it relates to (subject to any legal requirements as above).
This data will only be disclosed to others if prior permission is obtained from the employee to whom the data relates and disclosure is authorised by the Senior Artist.
Identifiable information about employees’ disabilities, ethnicity, marital status, gender, etc. may only be disclosed to others if all of the following conditions are met:
- A clear reason for wishing to use such information in a way that specifically identifies the employee is given to the Senior Artist and its use is in line with Tumble Circus’s Equal Opportunities Policy.
- Consent has been sought from the employee to process their information.
- The disclosure is authorised by the Senior Artist (or Chair in relation to a Senior Artist) on the basis of (1) and (2) above.
Rights as a Data Subject
Under the Act, Tumble Circus staff, freelance artists and users of programmes and services have the right to know what information is kept about them. This right applies to sickness records, contracts, disciplinary or training records, appraisal or performance review notes, information held in general personnel files, interview notes, and correspondence. This includes the right for such individuals:
- To access personal data and be informed about how their data is being used.
- To have incorrect data updated and/or erased.
- To stop or restrict processing of their data.
- To data portability (allowing them to get and reuse their data for different services).
- To object to how their data is processed in certain circumstances.
- Not to be subject to automated decision-making including profiling.
This information can be accessed by making what is known as a Subject Access Request which should be made in writing and be addressed to the Senior Artist (Tina Segner). Tumble Circus will respond to Subject Access Requests promptly and within one month. In certain circumstances this may take a further two months to provide. If this is the case the Data Subject will be informed within one month of the request and given the reasons for the delay. The organisation may charge a fee if the request is large or may take a lot of time and resources to process.
Information can be corrected, amended or taken out on request. If the request is rejected a note reflecting this will be added to the file.
In accordance with the Act, information supplied in response to a Subject Access Request will be based on the data held at the date of receipt of the request. The information supplied may therefore be subject to any routine or regular amendments or deletions that have been made since that date.
Organisational Responsibilities
Board of Directors
To ensure that policies and procedures are in place that meet Tumble Circus’s legislative obligations in relation to the Data Protection Act 2018 (the Act) brought in line with the General Data Protection Regulation.
Senior Artists
Senior artists are required to:
- Report to the board on performance and non-compliance with the Act
- Ensure staff are aware of their responsibilities under the Act and are properly trained to comply with this policy
Staff and freelance artists
- Ensure adherence to this policy
- Report any breaches immediately to the Senior Artist (Tina Segner)
- Not to disclose employee personal data outside the organisation’s procedures, or use personal data held by Tumble Circus for their own purposes.
Comments
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service Privacy Policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
Media
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Cookies
If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
Who we share your data with
If you request a password reset, your IP address will be included in the reset email.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments may be checked through an automated spam detection service.