Data protection compliance and the appropriate and proportionate use of Personal Data is an increasingly significant issue for businesses. Across our business, BlackFest (“we”, “us”, “our”) collects and uses Personal Data relating to our customers (including potential customers), employees and job applicants, stakeholders, teachers and schools, funding bodies, suppliers, and other individuals whose data we process for business purposes.
We are fully committed to the protection of the Personal Data that we process, including by recognising that compliance with applicable data protection laws impacts upon everyone and requires all employees, workers, contractors, agency workers, consultants, directors, members and others that we engage (collectively referred to for the purposes of this Policy as “employees”) to meet certain standards when handling or otherwise processing Personal Data.
We are committed to ensuring that:
This policy is designed to help all employees understand our expectations about how we may use Personal Data from time to time. The policy (and the requirements and standards described within it) apply to our use of any Personal Data (in whatever format that data is stored or used).
There are lots of examples of the ways in which we use Personal Data. We have set out a few examples below, but you should think carefully about your own role and work with others in your team to understand how you process Personal Data on our behalf:
Our Privacy Policy, which can be found on our website, describes in more detail how we process Personal Data.
Breaches of our obligations under Data Protection Legislation may result in enforcement action by the Information Commissioner being brought against us and in fines being imposed of up to £17,500,000 (approximately) or 4% of our global turnover, whichever is higher. Some breaches of Data Protection Legislation may also be a criminal offence.
We take compliance with Data Protection Legislation and this policy extremely seriously and we expect all employees to take this issue equally seriously. Any breach of this policy will be investigated and may result in disciplinary action, including termination of employment.
This policy (together with any other policies referred to in it) is an internal document and should not be shared with third parties, customers, or regulators without obtaining prior authorisation from info@blackfest.co.uk.
We will review this policy regularly to make sure that we are ensuring the highest standards of protection for the Personal Data that we process. On that basis, it may be updated from time to time. The policy does not form part of any contract of employment or service contract, and any changes will be communicated to you in writing. You should ensure that you comply with any updates from the date that you receive them.
If there is anything in this policy which you do not understand or which you have any questions about, please contact info@blackfest.co.uk.
If you consider that the policy has not been followed in respect of Personal Data about yourself or others, you should raise the matter with your Line Manager or, in their absence, by following our Whistleblowing Policy, which is accessible.
Term
Definition
Data Controller
An organisation that determines how and why Personal Data is collected and how and why that data is used. There can be more than one data controller for a particular dataset.
For the purposes of the majority of the Personal Data that we as a business collect and use, including in relation to employees, the Personal Data of our customers and supplier data, we will be the data controller.
Data Processor
A third party (i.e. not an employee) processing Personal Data on behalf of a data controller.
For example, our payroll service provider would be our data processor on the basis that they process Personal Data regarding our business on our behalf.
Data Protection Legislation
All privacy and data protection legislation which applies to our processing of Personal Data, including the Data Protection Act 2018, GDPR, the UK GDPR (as adopted into national legislation in the UK) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any and all other laws, statutory instruments or regulations made under such laws and regulations, as may be amended, replaced or repealed from time to time.
Data Subject
An identified or identifiable person such as a consumer using our website, one of our customers, an individual contact at a supplier, or one of our employees.
Information Commissioner
The UK Information Commissioner who is responsible for implementing, overseeing, and enforcing data protection laws in the UK.
Data Privacy Impact Assessment (DPIA)
An assessment used to identify and reduce risks of a data processing activity (and in some cases determine whether we should carry out the data processing activity at all).
A DPIA should be carried out as part of all major system or business change programmes involving our processing of Personal Data.
Personal Data
Any information about a living individual which can identify that individual or otherwise allow action to be taken with respect to that individual, even if we do not know their name.
For example, names, contact details including email addresses, job title and other HR data will all obviously be Personal Data as well as CCTV footage, photographs and voice recordings.
Other data can qualify as “Personal Data” even if it would typically be seen as less obviously related to an individual, such as shift patterns, physical descriptions of people, opinions about people, location data, device related data, browsing data, online identities and so on that could all lead to that person being identifiable.
Information which does not on its own identify an individual will still be ‘Personal Data’ if it can be put together with other information which we hold or which we could fairly easily get hold of. For example, if we have made the Personal Data for an individual anonymous but we hold (or could easily get hold of) information which could identify that living individual, the anonymous information will still be regarded as ‘Personal Data’.
Personal Data Breach
The loss of, or unauthorised access to, disclosure of, or acquisition of, Personal Data is a Personal Data Breach.
There are some examples of what a Personal Data Breach could look like in practice in section 8.
Processing
This covers virtually anything you can do with Personal Data, for example:
Sensitive Personal Data
Personal Data about an individual which relates to their race or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental health or condition, sexual life, gender or criminal proceedings or convictions. Data Protection Legislation recognises this data as being worthy of extra protection since its misuse presents a higher risk of harm to the individuals.
Data Protection Legislation requires us to consider risks to individual data subjects’ rights whenever we process Personal Data, and to proactively seek to minimise those risks.
As well as taking (and demonstrating) a general ‘risk based’ approach as described above, there are a number of broad principles that we need to comply with when processing Personal Data. We have set out an overview of these principles below, along with an explanation of what this means both for us and for you in practical terms.
Personal Data must be processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’).
Personal Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
What this means for us in practice:
Fairness and transparency:
In order to make sure that our processing of Personal Data is fair and transparent, we have to give individuals information about the way that we will use their Personal Data. For example, we have to tell our employees and customers about the purposes for which we will use their data and who else might have access to it.
We would typically inform website visitors, customers (and prospective customers), employees, and suppliers about the way that we use their data through our Website Privacy Policy on our website.
Lawfulness:
We are also required to make sure that we have a legal justification for using Personal Data in the way that we want to. There are various legal justifications for processing Personal Data, and all will require careful legal analysis in each case. With this in mind, it’s very important that data collected for a particular purpose is only used for that same purpose, as we may not have a legal justification to use it for any other purpose.
Sometimes we may be required to get consent from individuals for certain types of processing. For example, processing Sensitive Personal Data will often require explicit consent.
There are additional requirements in respect of Sensitive Personal Data, and the purposes for which we can process Sensitive Personal Data are more limited. If you would like more information, email info@blackfest.co.uk.
When commencing new projects, we may need to carry out a Data Protection Impact Assessment to ensure that our use of Personal Data is necessary and proportionate.
What you need to consider:
You should only use Personal Data that you access for the normal purposes of your job role, and you should only use that data for its usual or normal purpose.
For example, we could not suddenly start using our HR data for marketing purposes, and we could not start using email addresses of individual contacts at our suppliers for marketing purposes without additional consideration of appropriate legal justifications for such secondary uses of data.
If you use someone’s data in a way that might not be obvious to (or expected by) the individual, then you may be breaching data protection law or infringing someone’s rights. If you are ever unsure, make sure you email info@blackfest.co.uk.
If you think that you have identified a new purpose for which the data could be used, you may need to work with key stakeholders to manage any risks involved and ensure that we can use the data in a way that protects the rights of the individuals concerned. In the first instance, you should consult with info@blackfest.co.uk.
Personal Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
What this means for us in practice:
We should not collect Personal Data that we do not need for specific purposes. For example, we do not need information regarding an individual’s age, preferences, health, or family in order to process their payment details (however interested we might be for other reasons).
This may seem like an obvious example, but whenever you are capturing data, you will need to think about how to ensure that you are only collecting what you specifically need for the purpose for which you will process the data.
If we need to share Personal Data with third parties, we must ensure that we only share the minimum information necessary to achieve the purpose of sharing the data.
What you need to consider:
You should only capture data that is relevant for the purpose for which we will process it.
If there is no appropriate template data capture “form” or no available pre-determined data capture fields, you should only collect the Personal Data that is strictly relevant to what you are doing and you should, at all times, seek to “minimise” the data that we collect and process, including by considering and applying our retention policies and practices (see the storage limitation section below for more details). You should not speculatively collect excess or additional data fields (even if you think that the additional data may be of interest to us) as we may not have a valid legal basis to do so.
If and when you capture payment card data, you should ensure that you use our existing payment processors to capture/record the data and make sure that you do not capture or record payment card data in any other way.
Personal Data must be accurate and where necessary, kept up to date (‘accuracy’).
What this means for us in practice:
We should put in place appropriate tools to ensure the ‘quality’ of our data and to ensure that it can be kept up to date and accurate.
Although ultimately it is our responsibility to make sure Personal Data is up to date and accurate, we will often be reliant on Data Subjects themselves to tell us of changes to their Personal Data. From a practical perspective it is often useful to encourage Data Subjects to contact us if Personal Data we hold about them becomes out of date or if they are aware of any inaccurate data we hold about them.
If we are notified about inaccurate data (for example, a change of address), we must ensure that our records are updated promptly.
What you need to consider:
If an individual notifies you that their Personal Data is incorrect, or that their circumstances have changed, you should ensure that our records for that individual are updated (including ensuring that all relevant datasets and records are updated, not just the dataset that you are using or working with).
Personal Data must not be kept for longer than is necessary for the purpose or the purposes that we collect it for (‘storage limitation’).
What this means for us in practice:
We should not keep Personal Data for longer than we need it (this requires us to consider the original purpose for which the data was collected).
If Personal Data is no longer required for the purposes for which it was collected, we should securely and confidentially dispose of or delete it.
We must therefore identify retention periods for Personal Data and ensure that Personal Data is either anonymised or securely destroyed or erased at the end of applicable retention periods.
What you need to consider:
You should ensure that data that is out of date, or that is no longer required for its original business purpose, is deleted. You should consult with info@blackfest.co.uk to confirm the appropriate method for deleting Personal Data.
If you think that you have identified a new purpose for which the data could be used (and so you want to keep it for an extended period), you may need to work with key stakeholders to manage any risks involved and ensure that we can use the data in a way that protects the rights of the individuals concerned. In the first instance, you should consult with info@blackfest.co.uk.
Personal Data must be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
What this means for us in practice:
We need to implement processes to ensure that we keep all Personal Data secure and confidential, and that access is only granted to those people that need and have a right to access it.
These processes will include technical measures (such as protections from malware and technical systems access controls) as well as operational measures such as ensuring that only our employees that need to access data for their role will be able to do so.
Wherever we share Personal Data with service providers or suppliers (e.g. hosting or data storage, email platform, payroll etc.), we need to ensure that we factor in the security of Personal Data that we share at the earliest stage of negotiating the relationship, and that we build appropriate protections for the data into our contracts with these suppliers and related processes (please see section 6 below for more information on the appointment of suppliers).
What you need to consider:
Keep the Personal Data that we process secure and confidential (remember that your contract of employment or service contract also includes general confidentiality obligations).
There are specific standards that we require you to comply with in respect of data security in our information security, computing, and equipment policies which you can find in our employee handbook.
As a rule of thumb, you must not disclose any Personal Data to a third-party supplier or customer other than in very limited circumstances. There are a number of specific conditions that can permit the disclosure of Personal Data. You should email info@blackfest.co.uk to determine whether or not in each case it is appropriate to disclose data. You should not try to make those decisions on your own.
Even in circumstances where the disclosure of data may be justified:
Always email info@blackfest.co.uk if you are unsure or need further guidance.
Being able to demonstrate accountability and good data governance has long been considered ‘best practice’ in respect of data protection compliance. However, Data Protection Legislation now requires us to formally build these concepts into our data protection compliance framework and, accordingly, to put data protection at the heart of our business processes wherever appropriate.
The Data Controller shall be responsible for, and be able to demonstrate compliance with, the data protection principles described above (‘accountability’).
What this means for us in practice:
Accountability requires us to be able to demonstrate that we comply with all of the principles described in section 3.1 of this policy, above.
In practical terms, this means that we must be able to show that we take data protection rights seriously.
It also requires us to show that we have implemented strategies, policies, processes, business rules, practices, controls and so on, and that we have ensured that our employees understand what is required and are able to comply, for example by raising awareness and providing training.
We must monitor compliance with our policies and processes and take action to ensure that any issues of non-compliance are remedied by the provision of further training or other measures, and we must regularly review the adequacy of our policies and processes to ensure they enable compliance with the data protection principles.
What you need to consider:
You will need to make sure that you have read and understood this policy and that you carefully follow all processes and practices set out within this policy.
We rely on your proactive and appropriate conduct in order to be able to demonstrate ‘accountability’. If you have any concerns about the way that we use Personal Data, or if you can think of ways that we could do things better, please contact info@blackfest.co.uk.
Demonstrating good ‘data governance’ involves compliance with a suite of obligations including keeping records of processing, being able to demonstrate Data Protection by Design and Default and conducting Data Protection Impact Assessments (DPIAs).
What this means for us in practice:
Data Protection Legislation requires us to put in place “comprehensive but proportionate governance measures”. Best practice tools that have been championed for a long time by the Information Commissioner such as Data Protection Impact Assessments (DPIAs) and privacy by design are now legally required in certain circumstances. We need to:
What you need to consider:
You will need to make sure that you understand the way that data protection impacts your role, and work with your teams and line manager to ensure that you understand how you can demonstrate good data governance in your everyday role.
More specifically, you must make sure that you have read and understood this policy and that you have attended and completed all necessary training.
As set out above, if you have any concerns about the way that we use Personal Data, or if you can think of ways that we could do things better, please always speak to info@blackfest.co.uk.
If any data processing is likely to result in a high risk to individuals, we must ensure that prior to carrying out the processing we carry out a Data Protection Impact Assessment (DPIA). The DPIA must document the envisaged processing operations and the purposes of the processing, an assessment of the necessity and proportionality of the processing, an assessment of the risks to the individuals and the measures that will be taken to address those risks.
What this means for us in practice:
We must put in place procedures to ensure that all new projects are assessed to determine whether there is any high-risk data processing operation involved and, therefore, whether a DPIA is required. This means we need you to follow the steps set out below.
For all high risk processing we must ensure that a DPIA is completed prior to processing commencing. We must ensure that the mitigating actions identified in a DPIA are implemented.
What you need to consider:
You will need to make sure that you are able to identify if/when a DPIA is required. Where it is required, or if you think it might be, please contact info@blackfest.co.uk.
If you are ever unsure, we would rather that you check.
A few illustrative examples of when you may need to think carefully about whether or not a DPIA is required are set out below:
We must keep a record of our data processing activities, including the purposes of processing, a description of the categories of individuals and categories of Personal Data, categories of recipients to whom Personal Data is disclosed, details of overseas data transfers, time limits for erasure of different categories of Personal Data and a general description of security measures in place to protect Personal Data.
What this means for us in practice:
We must ensure that a central record of all data processing activities is maintained.
Any new data processing activities or changes to existing data processing activities must be recorded on the central record.
We will ensure that we regularly review the record to ensure that it is accurate and up to date.
What you need to consider:
If you think that you have identified a new or different purpose for which the data is or could be used, please talk to info@blackfest.co.uk so that we can update the appropriate records.
Data Protection Legislation gives individual Data Subjects various rights. It is important that you understand them and that you are able to recognise them (since you could, depending on your role, be the recipient of a request from an individual to exercise their rights). A very brief summary of the rights available to Data Subjects is set out below:
The key points for you to remember are that:
We must only use Data Processors that provide sufficient guarantees to ensure that the data for which we are responsible is subject to appropriate protection.
What this means for us in practice:
Our arrangements with Data Processors must be documented in a written contract and that contract must include certain mandatory clauses as required by Data Protection Legislation.
We must carry out checks (including appropriate information security due diligence) on Data Processors to ensure that they are compliant with applicable requirements.
All contracts with Data Processors must include standard data processing provisions. Please email info@blackfest.co.uk for more information before signing any Data Processor terms.
We will carry out ongoing monitoring of Data Processors to ensure compliance with Data Protection Legislation.
What you need to consider:
You will need to check with info@blackfest.co.uk to ensure that contract terms are acceptable to us before signing them and you may need to assist in carrying out a DPIA in certain circumstances.
You will also need to understand the location of processing carried out by the supplier (see section 7 below).
Personal Data must not be transferred to certain territories around the world unless adequate protection is put in place for that data.
What this means for us in practice:
Data Protection Legislation places restrictions on the way that we can transfer Personal Data outside of the UK and the EEA.
Crucially, that does not mean that we can never send Personal Data outside of the UK and EEA, but it does mean that there are some important processes to go through before we can do so – this is likely to include looking at the ‘recipient’ country and the ‘recipient’ organisation, and may require us to put certain contractual and practical arrangements in place in respect of the international data flow.
Some examples of international data flows that could trigger these requirements are:
engaging an overseas or cloud-based SaaS provider;
using a data storage provider such as AWS or Microsoft Azure on any basis other than using European server space;
engaging an overseas IT maintenance and support provider.
What you need to consider:
As a general rule of thumb, if Personal Data is being transferred to any country outside of the UK or the EEA, you are likely to need to take extra steps to make sure that it is adequately protected. For example, additional contract terms may need to be put into place with the recipient overseas entity.
Remember that a “transfer” means that any processing occurs in the overseas territory, even if the data is just viewed or accessed from overseas – “transfers” are much broader than just overseas data storage.
If you think that a transfer of Personal Data outside of the UK and EEA may take place, or if you are unclear about whether or not a data transfer is likely, please contact info@blackfest.co.uk.
If a Personal Data Breach occurs, unless the breach is unlikely to result in risk for individual Data Subjects, we must notify the Personal Data Breach to the Information Commissioner. If the breach could pose a high risk to individuals, then individuals must also be notified of the breach.
Notification of the breach to the Information Commissioner must take place within 72 hours of us becoming aware of the breach. Notification to individuals must happen without undue delay.
What this means for us in practice:
We need you to understand what a Personal Data Breach is and to make sure that you tell us about one as soon as you discover it to allow us to comply with our obligations under Data Protection Legislation.
What you need to consider:
Personal Data Breaches can take a variety of forms (it is not all about cyber security or ‘hacking’ or phishing attempts). For example, all of the following (and many more events) would count as a Personal Data Breach:
If you have made a mistake leading to a Personal Data Breach, we would much rather that you tell us about it than try to cover it up. We understand that everyone makes mistakes but failing to tell us about them could lead to us being in breach of our obligations under Data Protection Legislation.
The two key points for you to be aware of are:
Any employees dealing with telephone enquiries should be careful about disclosing any personal information held by us. In particular they should:
No-one should feel that they are being bullied into disclosing personal information.