DATA PROTECTION POLICY
1.1 In order to operate efficiently, it is necessary for Pinewood Studios Group (“Pinewood”) to collect information about people and organisations with whom it works. This may include current, past and prospective employees, customers, contractors, suppliers and members of the public. It may also be necessary for information to be collected and used in order to comply with legal or regulatory requirements.
2. DATA PROTECTION ACT 1998
2.1 The correct treatment of information collected by Pinewood is of paramount importance and Pinewood seeks fully to support and adhere to the provisions of the Data Protection Act 1998 (“Act”).
2.2 The Act has two principal purposes:
• to regulate the use of data by those who obtain, hold and process Personal Data (known as “Data Controllers”); and
• to provide certain rights to those individuals whose Personal Data is held (known as “Data Subjects”).
2.3 For the purpose of the Act, the Data Controller for Pinewood is Pinewood Group Limited.
2.4 “Personal Data” means information held by Pinewood from which individuals may be identified. This might include information such as names, addresses, telephone numbers, photographs, driving licences and other personal information. Personal Data can also include any expression of opinion about an individual or any indication of Pinewood’s intentions towards an individual.
2.5 “Sensitive Personal Data” means Personal Data consisting of information as to an individual’s race or ethnic origin, political opinions or allegiance, religious or other beliefs of a similar nature, membership of a trade union, physical or mental health or condition, sexual life, commission or alleged commission of any offence or any proceedings for any offence committed or alleged to have been committed.
2.6 “Processing” has a wide meaning under the Act and includes all aspects of handling Personal Data such as obtaining, recording, editing, revising, storing, sharing, archiving or destroying.
2.7 The Act is based upon eight data protection principles (“Data Protection Principles”). The remainder of this policy is intended to set out the basis upon which Pinewood shall comply with the Act, and in particular, the Data Protection Principles.
3. PRINCIPLE ONE - PROCESSING PERSONAL DATA FAIRLY AND LAWFULLY
3.1 When processing Personal Data, Pinewood shall ensure that:
• it has a legitimate reason for collecting and using the Personal Data;
• the Personal Data is not used in ways that may have adverse consequences for the individual concerned;
• a ‘Privacy Notice’ is available to individuals at the time their Personal Data is collected, detailing the purpose for which the Personal Data will be held;
• the Personal Data is only handled in ways an individual would reasonably expect;S and
• the Personal Data is not used unlawfully.
4. PRINCIPLE TWO - PROCESSING PERSONAL DATA FOR SPECIFIED PURPOSES
4.1 When processing Personal Data, Pinewood shall ensure that:
• it is made clear from the outset why Personal Data may be collected and how it may be used;
• the Personal Data is processed fairly; and
• prior consent is obtained if the purpose for which the Personal Data was originally collected changes.
5. PRINCIPLE THREE - AMOUNT OF PERSONAL DATA HELD
5.1 When processing Personal Data, Pinewood shall ensure that the amount of Personal Data held does not exceed the level required to properly fulfil the purpose for which it was originally collected.
6. PRINCIPLE FOUR - KEEPING PERSONAL DATA ACCURATE AND UP TO DATE
6.1 When processing Personal Data, Pinewood shall ensure that:
• reasonable steps are taken to ensure the accuracy of the Personal Data collected;
• the source of any Personal Data collected is clear;
• where necessary, take reasonable steps to keep Personal Data up to date; and
• when challenged, take reasonable steps to verify the accuracy of Personal Data held.
7. PRINCIPLE FIVE - RETAINING PERSONAL DATA
7.1 When processing Personal Data, Pinewood shall ensure that:
• the length of time that Personal Data is kept is reviewed periodically;
• the purpose for which the Personal Data has been collected is reviewed periodically, to determine whether or not that purpose has been fulfilled and the Personal Data needs to be retained;
• Personal Data that is no longer required is securely deleted; and
• Personal Data that is no longer accurate is updated, archived or securely deleted.
8. PRINCIPLE SIX - RIGHTS OF INDIVIDUALS
8.1 Pinewood acknowledges that individuals have been granted the following rights under the Act:
• right to access a copy of the Personal Data held;
• right to object to processing of Personal Data that is likely to cause damage or distress;
• right to prevent processing of Personal Data for direct marketing;
• right to object to decisions being taken by automated means e.g. online forms or questionnaires;
• right, in certain circumstances, to have inaccurate Personal Data rectified, blocked, erased or destroyed; and
• right to claim compensation for damages caused by a breach of the Act.
9. PRINCIPLE SEVEN - INFORMATION SECURITY
9.1 When processing Personal Data, Pinewood shall ensure that:
• appropriate security measures are in place to protect against unauthorised or unlawful processing of Personal Data;
• policies are in place to deal with any breach of security swiftly and effectively; and
• all Pinewood staff understand the importance of protecting Personal Data, including Pinewood’s duties under the Act, the responsibilities of individual staff members for protecting Personal Data, the dangers of people trying to obtain Personal Data by deception and restrictions are placed on the use of work computers for personal reasons to avoid, for example, virus infection.
10. PRINCIPLE EIGHT - SENDING PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA ("EEA")
10.1 When processing Personal Data, it may be necessary for Pinewood to transfer such Personal Data to a country or territory outside the EEA. In doing so, Pinewood shall ensure that:
• Personal Data is only transferred to a country or territory that has adequate levels of protection for the rights of individuals to whom the Personal Data relates; and
• all steps reasonably necessary are taken to ensure the Personal Data is treated securely before, during and after transfer.
11. CONDITIONS OF PROCESSING PERSONAL DATA
11.1 When processing Personal Data, Pinewood shall (in addition to compliance with the Data Protection Principles) ensure that at least one of the following conditions is met:
• individuals have consented to the processing of Personal Data;
• the processing of Personal Data is necessary for the performance of a contract with the individual;
• the processing of Personal Data is necessary to comply with a legal obligation (other than one imposed by contract);
• the processing of Personal Data is necessary to protect the vital interests of the individual;
• the processing is necessary for the administration of justice or for the exercise of statutory, governmental or other public functions; or
• the processing is necessary in order to pursue a legitimate interest of Pinewood.
11.2 When processing Sensitive Personal Data, Pinewood shall ensure that one of the following conditions is also met:
• individuals have expressly consented to the processing of Personal Data;
• the processing of Personal Data is necessary to comply with the requirements of employment law;
• the processing of Personal Data is necessary to protect the vital interests of the individual or another person;
• the processing of Personal Data relates to legal proceedings, the obtaining of legal advice or establishing, exercising or defending legal rights;
• the processing of Personal Data is necessary for the administration of justice or exercising statutory or governmental functions;
• the processing of Personal Data is necessary for medical purposes and is undertaken by a health professional or someone who is subject to an equivalent duty of confidentiality; or
• the processing of Personal Data is necessary for monitoring equality of opportunity.
12. SUBJECT ACCESS REQUESTS
12.1 The Act gives individuals the right to access information held about them. A right of access can be exercised by submitting a subject access request (“SAR”). Following receipt of a SAR Pinewood may, if it thinks necessary, request supporting documentation to establish that the individual making the SAR is the person to whom the Personal Data relates.
12.2 The fee for a SAR is £10.00 to meet Pinewood’s administrative costs in providing details of the information held.
12.3 Only once payment of the fee has been received is Pinewood under an obligation to comply with the SAR. Pinewood then has 40 days to provide the information requested.
13. LEGAL REQUIREMENTS
13.1 It may be necessary for Pinewood to disclose Personal Data if required to comply with legislation or an order of a court or tribunal. If required to do so, Pinewood shall use reasonable endeavours to notify any individual(s) of such requirement, unless legally restricted from doing so.
14.1 This policy will be reviewed periodically to take account of changes in the law and guidance issued by the Information Commissioner.
15. FURTHER INFORMATION
15.1 For further information on the Act, please visit the Information Commissioner’s website at www.informationcommissioner.gov.uk.