SWMTC Data Policy

1. Terminology SWMTC - Saffron Walden Musical Theatre Company. The organisation which controls the personal information of its Members and Supporters. Members - Individuals who hold one of the classes of membership of SWMTC as outlined in the company rulebook. Supporters - Any individual who supports the societies aims through involvement in SWMTC activities. Such involvement includes scenery construction, costumes, properties, publicity and front of house arrangements, stage management, sound, lighting, direction, choreography, music and orchestra. Supporters also include lapsed members. DICE - Data and Information Compliance Executive. The individual responsible for ensuring SWMTC adheres to data protection regulation. 2. Purpose This policy details the manner in which SWMTC obtains, controls and shares personal information about its Members and Supporters. It includes what information is held, what this information is used for and the rights of Members and Supporters. In addition the policy specifies the legal basis for holding personal information and the company practices designed to guarantee compliance with data protection regulations. 3. What personal information does SWMTC control? SWMTC collects personal details of its Members and Supporters as listed below. Name Address, e-mail address Telephone number Subscriptions and dates paid Photographs Biographies Records of attendance at rehearsals Relevant musical theatre experience The legal basis for controlling this information is consent. Details on how this consent is obtained are given in section 6. 4. How does SWMTC use personal information? SWMTC uses personal information in the following ways. To send newsletters, to send letters or emails giving details of general meetings, minutes of committee meetings, shows, rehearsals, production meetings and similar events that are likely to be of interest to its

Members and Supporters. Names, photographs and biographies may appear in show programmes and SWMTC newsletters. Photographs may be used for promotion and advertising purposes.

Personal information is not shared with third parties without explicit consent being obtained from those concerned. 5. How long does SWMTC keep the data it controls? SWMTC keeps the personal details of its Members and Supporter indefinitely. Members and Supporters can request that any or all of their personal information is deleted at any time. This will be actioned as soon as is practicable. In addition Members and Supporters can make Subject Access Requests and these will be actioned within 30 days of the request being received. In order to make a Subject Access Request or request that personal data be deleted parties should contact the Honorary Secretary by post or email. All Members and Supporters are provided with details of how to do this via the SWMTC Privacy Notice.

6. SWMTC data handling practices 6.1. Where necessary SWMTC will obtain the explicit consent of Members and Supporters before processing and storing their personal data. This consent will be obtained via the distribution of the SWMTC Privacy Notice and the accompanying SWMTC Consent Declaration. 6.2. Personal information will be controlled by the Honorary Secretary. 6.3. When personal information is used to send correspondence to groups every reasonable effort should be made to ensure that this information is not shared with the group. 6.4. Personal information where it is stored electronically will always be password protected. Written records will be stored in a location that is inaccessible to the public. 6.5. From time to time personal information may be shared with other members of the SWMTC Executive Committee to facilitate certain activities such as social events, subscription management or other activity in the interest of SWMTC Members and Supporters. In such instances the committee member concerned should destroy the data as soon as is practicable upon the completion of their task. In instances where the data needs to be stored beyond the completion of the task the data should be passed on to the Honorary Secretary before deletion. Any committee member acting in such a way must act in accordance with the SWMTC Data Policy. 6.6. From time to time a SWMTC Member or Supporter who is not on the Executive Committee may be required to perform a task which involves handling personal data. For example taking photographs or collecting biographies for use in show programmes. These persons will be required to act in accordance with the SWMTC Data Policy and destroy this data as soon as is practicable on completion of their task. In instances where the data needs to be stored beyond the completion of the task the data should be passed on to the Honorary Secretary before deletion. 6.7. Members and Supporters will receive a copy of the SWMTC Privacy Notice when they join SWMTC. In addition the SWMTC Privacy Notice and SWMTC Data Policy will be available on the SWMTC website. 6.8. If any party handling personal information on behalf of SWMTC notices that a data breach has occurred they must inform the DICE. Types of breach include communication of data to an unauthorised third party, loss of documents containing personal data and loss of availability of personal data.

7. Monitoring The SWMTC Committee will select a person to perform the role of DICE. This individual will have responsibility for monitoring and enforcing the implementation of this policy. The DICE will be selected at the first meeting of the new Committee following the AGM or as soon as is practicable afterwards.

8. SWMTC Youth Group The SWMTC Youth Group will adhere to the SWMTC data policy where possible. Notable deviations are outlined below. 8.1. Personal information will be controlled by the Chair of the Youth Group. 8.2 Dates of birth must be held in addition to the data that may be held as outlined in section 3. 8.3. Consent for data storage will be obtained from the legal guardians of Youth Group members under the age of 18. Data stored on this basis must be deleted when the subject turns 18 or new consent must be obtained from the subject themselves.

9. Changes to the policy Changes to this Data Policy or the Privacy Notice can be made at the discretion of the SWMTC Executive Committee. In such instances all Members and Supporters will be informed of the changes and issued with a new Privacy Notice. 10. Breaches Any breaches of this data policy will be recorded by the DICE. Where parties may be harmed as a result of the breach details of the breach will be communicated with them. When the likelihood of harm is high details of the breach will be passed to the Information Commissioner’s Office.

May 2018