Data Protection Policy
Leisure & Culture Dundee (hereinafter referred to as "the Organisation") supports the objectives of the General Data Protection Regulation (GDPR) and Data Protection Act, 1998 (DPA) and seeks to ensure compliance with this data protection legislation.
The processing of data by the Organisation is essential to services and functions and will often involve the use of personal and/or ‘special category’ personal data. Compliance with the data protection legislation will ensure that such processing is carried out fairly and lawfully.
The purpose of this policy is to ensure that the provisions of the GDPR and DPA are adhered to, protecting the rights and privacy of living individuals and ensuring that their personal data is not processed without their knowledge.
This policy sets out the Organisation’s commitment to upholding the data protection principles set out in the GDPR and fairly and lawfully managing information held. It applies to the acquisition, controlling and processing of all personal data within the Organisation.
The Organisation expects all Trustees and employees to comply fully with this policy.
The Organisation will hold the minimum personal information necessary to enable it to perform its functions, and the information will be erased once the need to hold it has passed.
Every effort will be made to ensure that information is accurate and up-to-date, and that inaccuracies are corrected without unnecessary delay.
The Organisation, as the Data Controller, will ensure that individuals are aware of the purpose for which it is processing their personal data and will seek consent where appropriate.
Personal information is confidential. Automated systems and relevant filing systems will be designed to comply with GDPR and DPA. Personal information will be disclosed only for registered purposes to:
- Organisation staff where such information is vital to their work;
- others as detailed in the Registration;
- the Court under the direction of a Court Order.
The personal data the Organisation holds will be kept in accordance with the six principles of GDPR and in line with the Records Management and Retention Policy. Personal data will only be used for the direct promotion or marketing of goods or services with the explicit consent of an individual.
The six principles of GDPR state that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Data sharing and data matching with external agencies will only be carried out under a written contract setting out the scope and limits of the data agreement.
It is the responsibility of the Managing Director and Service Managers to ensure compliance with this policy. All systems within the Service Section or Organisation containing information about individuals must be identified, made secure, and notified to the Data Protection Officer for notification purposes. It is the responsibility of all employees to co-operate in this task.
Upon discovering that the Organisation's Policy on Data Protection is not being complied with, the Managing Director, after consultation with the Finance Director, shall have full authority to take such immediate steps as considered necessary.
Requests from individuals for copies of personal data that the Organisation holds about them (Subject Access Requests) can be made in writing or verbally.
The Organisation will provide to any individual who requests it in the proper manner a written copy in clear language of the current information held about themselves. The Organisation shall fix a fee for this service which in appropriate circumstances may be waived by the Managing Director. Employees of the Organisation will not be required to pay any such fee when requesting access to information regarding their employment.
In cases where the Organisation acts as a bureau providing services to outside organisations, no disclosure will be made without the written consent of the third party except under the direction of a Court Order checked by the Managing Director.
All employees of the Organisation must comply with the requirements specified in the Organisation's e-mail/internet guidelines and should avoid storing Personal Information on laptops, home PCs, etc. If this is unavoidable then the laptops etc. must be encrypted and staff must ensure the security of such devices at all times.
Disciplinary action may be taken against any Organisation employee for deliberate or reckless breach of any instructions contained in, or following from, this Data Protection
Changes to our data protection policy
We keep our data protection policy under regular review and we will place any updates on this web page. This data protection policy was last updated in May 2018.