Privacy Policy
Show Time Agency is committed to all aspects of data protection and takes seriously its duties, and the duties of its staff, under the General Data Protection Regulation.
This policy sets out how Show Time Agency deals with personal data, including personnel files and data subject access requests, and staff members’ obligations in relation to the personal data of other members of staff, their clients, contacts, suppliers and any other third party in respect of whom Show Time Agency has access to their personal data.
This policy applies to all company staff, which for these purposes includes all employees, agents, consultants, other contractors, interns, volunteers and clients.
Data protection officer
Show Time Agency’s Director and the Head of HR are the Data Protection Officers and are responsible for the implementation of this policy. If staff or clients have any questions about data protection in general, this policy or their obligations under it, they should direct them to the Director and/or Head of HR.
Data protection principles
The General Data Protection Regulation requires that data protection principles be followed in the handling of personal data. Personal data includes, but is not limited to, any of the categories below:
Name
Surname
Email address (personal or business)
Residential / business address
Phone number
IP address
Contact details
The General Data Protection Regulation applies to information that constitutes “personal data”. “Personal data” means information relating to identifiable individuals such as clients, job applicants, current and former employees, agency staff, consultants and other staff, suppliers, clients and marketing contacts. This includes any expression of opinion about the individual and any indication of someone else’s intentions towards the individual.
Consequently, automated and computerised personal data about staff and clients held by Show Time Agency is covered by the Regulation. Personal data stored physically (for example, on paper) and held in any “relevant filing system” is also covered. In addition, information recorded with the intention that it will be stored in a relevant filing system or held on computer is covered.
A “relevant filing system” means a well-structured manual system that amounts to more than a bundle of documents about everyone which is accessible according to specific criteria.
The use of Client and Staff personal data
The General Data Protection Regulation applies to personal data that is “processed”. This includes any use of the personal data such as, but not limited to, obtaining, retaining and handling it, allowing it to be accessed, disclosed or disposed of.
Show Time Agency may process the personal data of clients and staff members in order to comply with its statutory obligations under the company’s guidelines and employment contract with that individual. That data will be held and processed in accordance with this data protection policy.
Show Time Agency may process the personal data of its clients, contacts and suppliers and other third parties for the purposes of providing the services of the company and in order to comply with Show Time Agency’s contractual obligations. That data will be held and processed in accordance with this data protection policy.
“Sensitive Client and Staff personal data”
“Sensitive personal data” also includes information about an individual’s:
racial or ethnic origin.
political opinions.
religious beliefs or other beliefs of a similar nature.
trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992).
physical or mental health or condition.
sex life.
commission or alleged commission of any criminal offence; and
proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.
The company will not retain sensitive personal data without the express consent of the individual in question.
The company will process sensitive personal data in relation to staff, including sickness and injury records and references, in accordance with the data protection principles. If the company enters discussions about a merger or acquisition with a third party, the company will seek to protect staff’s data in accordance with the data protection principles.
Staff obligations regarding personal data
If a staff member processes any personal data of any individual, including the personal data of another member of staff or client, in the course of his/her duties, he/she must ensure that:
the information is accurate and up to date, insofar as it is practicable to do so.
the use of the information is necessary for a relevant purpose and only used for that purpose.
it is not kept longer than necessary.
the information is secure.
one of the following applies:
the individual whose details are being processed has consented to the processing of that personal data; or
the processing is necessary to perform the legal obligations or exercise the legal rights of Show Time Agency; or
the processing is otherwise in Show Time Agency’s legitimate interests and does not unduly prejudice the individual’s privacy.
Where it is necessary for a staff member to process an individual’s personal data for the purposes of providing the services they have requested from the company or to ensure compliance with an employment contract, this will always be acceptable and the staff member is free to do so without needing specific consent from the individual.
Staff should continue to be mindful of their duties under this policy to keep such personal data safe and secure and should consider whether they have the appropriate consent of the individual before sharing any such personal data with a third party. Where personal data is to be shared with a third party for purposes other than those connected to the services being provided to the client or in order to ensure the company’s compliance with any employment contract, staff should ensure that the individual has been notified of by whom and for what purposes the personal data will be processed and that the individual consents to such processing.
Staff members should ensure that they do not send direct marketing material to an individual electronically unless there is an existing business relationship with the individual in relation to the services being marketed, or the company has their explicit consent to receive such marketing from Show Time Agency.
When processing personal data, staff members should ensure that they:
use password-protected and encrypted software when dealing with personal data and particularly for the transmission and receipt of emails.
use secure VPN access when remotely accessing the company’s network and do not attempt to gain access to the network other than by way of the VPN access.
encrypt any data held on remote devices.
lock files in a secure cabinet.
refrain from taking files offsite unless reasonably necessary.
This is not an exhaustive list and all efforts must be made by the staff member to keep any personal data secure.
Where information is disposed of, staff should ensure that it is securely destroyed. This may involve the permanent erasure of the information from the server so that it does not remain in a staff member’s inbox or trash folder. Hard copies of information must be confidentially shredded and not just disposed of in a wastepaper basket/recycle bin.
If a staff member acquires any personal data (including that of another staff member or client, agent or supplier) in error by whatever means, he/she shall inform the Data Protection Officer (Financial Controller) immediately and provide that information to the Data Protection Officer.
A staff member must not take any personal data away from any of Show Time Agency’s premises, save in circumstances where he/she has obtained the prior consent of the Data Protection Officer (Financial Controller) to do so.
If a staff member is in any doubt about what he/she may or may not do with personal data, he/she should seek advice from the Data Protection Officer (Financial Controller). If he/she cannot get in touch with the Data Protection Officer (Financial Controller) he/she should not disclose the information concerned.
Data subject access requests
Show Time Agency will inform all individuals whose personal data the company processes of:
the types of information that it keeps about him/her.
the purpose for which it is used; and
the details of any company that it may be transferred to, subject to obtaining the appropriate consent.
Every individual has the right to access information kept about him/her by the company, and the company’s Data Protection Officers (Director and Head of HR) are responsible for dealing with data subject access requests.
If a member of staff receives a data subject access request from any individual, he/she must inform the Data Protection Officers (Director and Head of HR) immediately. The company is bound to deal with any such requests within one calendar month.
Show Time Agency will provide the individual with the information free of charge; however, a fee may become payable where unreasonable and multiple access requests are made by that individual.
Show Time Agency will allow individual access to hard copies of any personal data. However, if this involves a disproportionate effort on the part of Show Time Agency, the individual shall be invited to view the information on-screen or inspect the original documentation at a place and time to be agreed by the company.
Show Time Agency may reserve its right to withhold the individual’s right to access data where any statutory exemptions apply.
Correction, updating and deletion of data
If an individual becomes aware that Show Time Agency holds any inaccurate, irrelevant or out-of-date information about him/her, he/she is entitled to request that such data is corrected, updated or deleted accordingly.
Requests for personal data to be corrected, updated or deleted should be made to the Data Protection Officers (Director and Head of HR) immediately, together with any necessary corrections and/or updates to the information. The company will respond to such requests within one calendar month.
Restriction to processing of data
If an individual believes that the processing of personal data about him/her is inaccurate, unlawful or unnecessary, he/she may notify the company in writing to the Data Protection Officers (Director and Head of HR) to request that Show Time Agency restrict the processing of that information.
Within one calendar month of receiving the individual’s notice to exercise any of the above rights, Show Time Agency will reply to the individual stating either:
that it has complied with or intends to comply with the request; or
the reasons why it regards the individual’s notice as unjustified to any extent and the extent, if any, to which it has already complied or intends to comply with the notice.
Monitoring
Show Time Agency may monitor staff members by various means including, but not limited to, recording staff members’ activities on CCTV, checking emails, listening to voicemails and monitoring telephone conversations. If this is the case, the company will inform the member of staff that monitoring is taking place, how data is being collected, how the data will be securely processed and the purpose for which the data will be used. The staff member will usually be entitled to be given any data that has been collected about him/her. The company will not retain such data for any longer than is necessary.
In exceptional circumstances, the company may use monitoring without informing the staff member in advance. This may be appropriate where there is, or could potentially be, damage caused to Show Time Agency by the activity being monitored and where the information cannot be obtained effectively by any non-intrusive means (for example, where a staff member is suspected of stealing property belonging to the company). Such monitoring will take place only with the approval of the Data Protection Officers.
International transfer
Staff should not transfer personal data outside the EU without first consulting the Data Protection Officers (Director and Head of HR). There are restrictions on international transfers of personal data from the EU to other countries because of the need to ensure adequate safeguards are in place to protect the personal data. If the staff member is unsure of what arrangements have been or need to be put in place to address this requirement, they should contact the Data Protection Officers.
Reporting breaches
Staff and Show Time Agency have an obligation to report actual or potential data protection compliance failures to the Data Protection Officers (Director and Head of HR). This allows the company to:
investigate the failure and take remedial steps if necessary; and
make any applicable notifications.
Show Time Agency will potentially have duties to notify the regulators and/or the individuals whose data has been compromised, and a failure by a staff member to report any compliance breach may put the firm in breach of its obligations. It is therefore imperative that all staff report any breach as soon as possible.
Consequences of non-compliance
All staff are under an obligation to ensure that they have regard to the data protection principles (see above) when processing, accessing, using or disposing of personal data and any failure to do so may result in disciplinary action up to and including dismissal. For example, if a member of staff accesses another member of staff’s employment record without the requisite authority, the company will treat this as gross misconduct and instigate its disciplinary procedures.
Taking records off site
Staff must not take personal data relating to another staff member, client or third party off site (whether in electronic or paper format) without prior authorisation from the Data Protection Officers (Director and Head of HR).
Staff may only take records containing personal data off site if there is a legitimate reason for doing so. These reasons might include disciplinary or grievance meetings that cannot be held on site, meetings with occupational health, discussions surrounding the sale of the business or specific monitoring purposes, or seeking professional advice. Staff may also take records containing personal data off site for any other legitimate reason given by the Data Protection Officers (Director and Head of HR).
Staff taking records containing personal data off site must ensure that:
no files are taken away from the office unless strictly necessary for work purposes.
files must be brought back to the office at the first reasonable opportunity and should not be kept offsite for any longer than is reasonably necessary.
whilst files are offsite, they are the responsibility of the member of staff who has elected to take them offsite; and
whilst files are offsite, they must always be kept as secure as possible. Files must not be left unattended when not secured. Files must not be left in vehicles unless strictly necessary.