top of page

Data Protection: Introduction

​

​UnderWired Productions is a Charitable Incorporated Organisation – Charity Number: 1180997

 

This Policy sets out UnderWired’s procedures for the collection, storage, use and sharing of personal data and data for electronic business to business communications. The Policy will be reviewed by the UnderWired Board every 3 years, or earlier if there are changes to legislation and/or to UnderWired’s use of data. Current relevant legislation is the Data Protection Act (“the Act”), the General Data Protection Regulations (“the GDPR”) and the Privacy and Electronic Communications Regulations (“PECR”).

​

What data is relevant?

Data Protection legislation is concerned with the use of personal data, held on electronic systems, in paper filing and online identifiers such as location data and cookies.

​

Personal data is defined by the Information Commissioners Office (“the ICO”) as data that relates to a living individual who can be identified –
• from that data, or
• from that data and other information in the possession of (or likely to come into the possession of) the data controller e.g: expressions of opinion about an individual.
• from codified records that do not identify individuals by name but, for example, bear unique reference numbers that can be used to identify the individuals concerned.

Special categories of personal data means information that could be used in a discriminatory way, so needs to be treated with greater care than other personal data, i.e: information about:-
• race or ethnic origin
• political opinions,
• religious beliefs or other beliefs of a similar nature,
• trade union membership
• physical or mental health or condition,
• sexual life,
• commission or alleged commission by the data subject of any offence, or
• any proceedings for any offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

 

Who’s who in data processing

A data subject: Anyone whose data is processed.

A data controller: The organisation/ person who decides how and personal data is/will be, processed. Data controllers will usually be organisations, but can be individuals, for example self-employed consultants.

A data processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller, e.g: external payroll service providers.

Consent

In line with the GDPR we will ensure that when we process personal data we have the data subject’s consent and that the data subject has been made aware that they have the right to withdraw their consent. Consent must be:-
• Specific to the purpose for which we are using the data.
• Unambiguous
• Active not implied: Silence is not consent; pre-ticked boxes, inactivity, failure to opt-out or passive acquiescence will not constitute valid consent.
• Freely given: Consent will not be valid if the data subject does not have a genuine and free choice or cannot refuse or withdraw consent without detriment.

​

Ways in which we may ask for consent include:-
• Written consent;

• Ticking a box on a web page;
• Choosing technical settings in an app;
• Verbal consent (which is then recorded in writing)
• Any other statement/conduct that clearly indicates (in this context) the data subject’s acceptance of the proposed processing of personal data e.g: cookie acceptance.

In line with PECR we will not contact individuals for direct marketing purposes by email, the internet, phone, fax or any new electronic systems that may be introduced without prior consent. (NB: Business to business communications to generic addresses such as “admin@” “info@” do not require consent.)

 

We provide opt-out opportunities in every mailing to ensure compliance with the principle that data held should be accurate and up to date.

 

All our mailings make it clear who the sender is, so the recipient’s ability to opt out is viable.

 

Our website makes it clear we use cookies to collect details of visitors to our website and gives them an opportunity to refuse their operation.

​

Who does UnderWired Productions collect/process/store data from?

• Members: Current, past and potential – this is unlikely to be personal data but it can be in some cases, particularly entry level organisations where people may be working from a home address and using personal email.
• Training: Details of attenders and trainers – again this is unlikely to be personal data but may be from time to time.
• Staff recruitment – this will be personal data.
• Staff records – this will be personal and some may be special category data.

​

How do we deal with data?

Members-signing up to UnderWired Newsletter: Our membership form makes it clear that we do not share data with any third parties and that applicants are given the choice to opt in to:-
• UW processing any personal data they may provide.
• UW using their data for marketing purposes, i.e to send news and events information.
 

Staff records: Our staff contract reflects the fact that the law allows us to collect some data about employees and that employees have the right to access this. The relevant clause says

 

Data Protection: For the purposes of administration, such as payroll and pension auto-enrolment, it is necessary for UW Productions to hold and sometimes disclose certain personal data about employees.

i) Any data UW holds about the Employee will only be held for so long as the Employee works for UW, unless UW is required to hold it for longer in order to comply with the law. UW shall take every care to ensure personal data is held securely and in confidence.
ii) The Employee has the right to inspect data that UW holds about her and, if necessary, update that data. Normally inspection of files can be within 10 working days of a request.

iii) If the Employee’s personal information changes at any time, she should inform her line manager as soon as possible to ensure that the information remains accurate.

​

Deletion of data: Data subjects have the right to request to be “forgotten”, UW will delete records in line with GDPR as follows:-
• When processing can cause substantial damage or distress.
• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
• When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
• If the personal data was unlawfully processed.

If personal data being erased has been disclosed to third parties we will inform them about the erasure unless it is impossible or involves disproportionate effort.

​

If personal information has been processed online, for example on social networks, forums or websites we will inform any other organisations who are involved to erase links to, copies or replication of “forgotten” personal data.

​

UW will not always delete records, a request to be forgotten can be refused where data has been processed:
• To exercise the right of freedom of expression and information;
• To comply with a legal obligation for the performance of a public interest task or exercise of official authority.
• For public health purposes in the public interest;
• For archiving purposes in the public interest, scientific research historical research or statistical purposes; or
• For the exercise or defence of legal claims.

​

Data Protection Officer

UW does not need a designated Data Protection Officer under the GDPR, however, the Artistic Director is responsible for ensuring Data Protection Compliance.

​

Appendix A The principles of good data protection practice

UW processes data in line with the Act, which says that:
• Personal data shall be processed fairly and lawfully
• Personal data shall be obtained only for specified, lawful purposes and shall not be further processed in any manner incompatible with such purpose(s).
• Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
• Personal data shall be accurate and, where necessary, kept up to date.
• Personal data processed for any purpose(s) shall not be kept for longer than is necessary.
• Personal data shall be processed in accordance with the rights of data subjects under the Act.
• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction of or damage to, personal data.
• Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

​

Appendix B Statutory Data Retention Periods

Accident books, accident records/reports: 3 years from the date of the last entry (or, if the accident involves a child/ young adult, then until that person reaches the age of 21).

Records relating to children and young adults: until the child/young adult reaches the age of 21.

Wage/salary records (also overtime, bonuses, expenses): 6 years.

​

Appendix C Recommended non-Statutory Data Retention Periods

Application forms and interview notes (for unsuccessful candidates): 6 months to a year. Because of the time limits in the various discrimination Acts, minimum retention periods for records relating to advertising of vacancies and job applications should be at least 6 months. A year may be more advisable as the time limits for bringing claims can be extended. Successful job applicants documents will be transferred to the personnel file in any event.

Assessments under health and safety regulations and records of consultations with safety representatives and committees: permanently.

Personnel files and training records (including disciplinary records and working time records): 6 years after employment ceases.

​

UnderWired Website Data Protection

No personal information is collected however information is collected about how users access and use this website.

  1. The information collected and used
    If you use this website, you are in control of what information is collected, but if you choose not to share your information, you may not be able to access or use some areas of this website.

    1. How information is collected
      This information may be collected, stored and used when you use this website.

    2. What information is collected
      The information collected and held may include but is not limited to:

      1. information about your computer and about your visits to, and use of, the website (including your IP address, approximate geographical location, browser type, referral source, length of visit and number of page views);

      2. if you call us, your phone and/or mobile phone number and the time, date and day of the week; and

      3. any other information you may provide to the provider of this site.

    3. Using cookies or other on-device storage
      Cookies are information files stored on your computer, tablet or smartphone that help websites remember who you are and information about your visit. For further information (including how to opt out of cookies) please go to the Cookie Policy.

  2. 2. How information collected is used

    1. When you use this website
      When you use this website, information is collected. It will be used for the purposes set out in this privacy policy.

    2. Tracking how the website is used
      Information may be collected about activity on the website, or other organisations may be used to collect it and to share it. This information is used to:

      1. analyse statistics;

      2. track pages and paths used by visitors to, or users of, the website;

For these purposes, the information on the path you take to get to the website and on some of the pages you visit or use through the website, using cookies, and other on-device storage will be retained. For information about, or the Third Party organisations used (including how to decline their cookies), please go to the Cookie Policy.

  1. Disclosure of your information
    Your information may be passed to one or more of the following organisations:

    1. mailchimp, data processing companies; and

    2. government and enforcement agencies and the police.

Occasionally, this may involve sending your information outside the European Economic Area. For more information, please read section 4 – Where your information is processed.
Every now and again, requests are received for information from government departments, the police and other enforcement agencies. If this happens, and there is a proper legal basis for providing your information, it will be provided to the organisation asking for it.

  1. Where your information is processed
    When your information is used as described in section 2 – How information collected is used, this may occasionally involve sending your information outside the European Economic Area (EEA). Where this is done, appropriate steps are taken to protect your information. By using this website, you agree that your information may be transferred, stored and processed outside the EEA.

  2. How your information is kept secure
    The security of information is taken very seriously. Technology and security policies are in place to protect the information held.

How changes to this privacy policy may occur
This privacy policy may be updated from time to time so you may want to check it each time you visit the website.

Trustees’ minute books: permanently.

Reviewed 26th January 2024

Next review due: 26th January 2027

underwired versions-30.png

Charity No: 1180997

bottom of page