DATA PROTECTION POLICY
Note to reader
This document describes the measures that companies within the ALL3MEDIA Group (the “Group”) must take and the guidelines that they must follow in order to protect the personal data that each company collects, processes and stores. Note – this data may be in either electronic or paper form.
We have tried to keep this policy as brief and as clear as possible and have aimed it specifically at the television and video production industry. However, in case it is helpful, we have included links to The Information Commissioner's Office which provides the Data Protection Act 1998 (the "Act”) in full together with more detailed notes of the eight data protection principles which are central to the Act. You will also find a number of forms appended to this policy document with checklists to assist you further.
The Act has an impact on us all. As well as the more obvious examples, such as how to protect data held on laptops and memory sticks, it also covers issues such as the handling of requests from callers to reception for private mobile phone numbers, how to manage personal information produced on call sheets or displayed on PC screens around the office, and rushes containing interviews and CCTV footage.
All companies within the Group are required to adhere to the measures set out in this policy document, including undertaking regular reviews to confirm that each company within the Group continues to take appropriate measures to protect Personal Data. All employees and workers will be required to acknowledge that they have read and agree to abide by the guidelines contained in this policy. Contravening the Act is, in certain cases, a criminal offence punishable by an unlimited fine in the Crown Court and liability for damages.
ALL3MEDIA has a Data Protection Officer (currently Donall Crehan and Sara Geater are the acting DPOs), who can be contacted by email via firstname.lastname@example.org, email@example.com. Any messages you send them should also be CC’d to firstname.lastname@example.org. Each company within the Group has a Data Controller. In the case of your Company, your Data Controller is named below and is the key contact. However, every employee and worker is responsible for data protection. If you have any issues, doubts or questions regarding Data Protection and how best to interpret this document, please contact these people or speak with your line manager.
IF ANYONE BECOMES AWARE OF ANY POSSIBLE BREACH OF THIS GUIDELINE, PLEASE ALERT YOUR DATA CONTROLLER OR LINE MANAGER IMMEDIATELY. PROMPT ACTION IS ESSENTIAL.
Group Data Controllers
ALL3MEDIA - Donall Crehan/Sara Geater CC Joe Lythgoe
ALL3MEDIA Int - Louise Pedersen
ARG - Meredith Wilson
Bentley - Ian Strachan
Cactus - Anna Ratcliffe
Company - Janine Spikings
Illumina - Stefan Salva
Kameleon - Mark Webster
Lime Pictures - Pat McGinn
Lion Television - Susan Cooke/ Emma Murie
Maverick - Alex Coffey
NOTV - Nick Barrett and Robert Gough
Objective - Debi Roach
Optomen - Anke Folchert
Studio Lambert - Amanda Greenfield
1.1 What is Personal Data?
1.2 What are our Obligations?
1.3 What we have to do
2. Policy Statement
3.2. Data records
3.3 Verbal communication
3.4 CCTV systems
3.5 Buildings and premises
3.6 Key Departments
3.7 Data Disposal
3.8 Use of data offsite
3.9 Data Monitoring/Review
3.10 Data Breaches
3.11 Links to general and more detailed advice
Appendices (forms and checklists):-
A. CCTV impact assessment
B. CCTV Annual review check list
C. Data Protection annual review form
D. IT procedures for a new production
E. Breach of data security assessment form
F. Production debrief - Personal Data assessment form
Everyone has rights with regard to how their personal information is handled. In the course of business, employees and workers within the Group collect, store and process certain types of personal information and we recognise the need to treat it in an appropriate and lawful manner. Personal Data (as defined below) includes, for example, data that identifies current, past and prospective employees, programme contributors, contractors and suppliers, and others with whom companies within the Group conduct business or otherwise communicate.
The Act sets out the legal framework for the handling of personal information that identifies living people. All organisations that hold or process Personal Data must comply with the law and this policy aims to assist the Group companies in managing and processing data in accordance with the Act.
It is essential that you read and understand this policy document and what is required of you.
1.1 What is Personal Data?
The Act applies to all Personal Data. Personal Data is data which identifies a living individual when combined with other information, for example a name and a phone number. Personal data can be factual or it can be an opinion. Some types of Personal Data are defined in the Act as being ‘Sensitive’ and can only be processed under strict conditions, and will usually require the express permission of the individual concerned.
This includes: personal information/data that identifies a living individual, such as names, addresses, telephone numbers, mobile phone numbers, personal email addresses (if they include the person’s name), dates of birth, agent details, next of kin, bank or building society details, employment history/CV, passport information, payroll/fee information and performance appraisals.
Sensitive Personal Data
This includes: medical information (including physical or mental health or condition), references from previous employers, any information on minors (i.e. anyone under the age of 18), membership of trade unions, information on an individual’s sexual orientation and/or sexual life, race or ethnic origin, religious or similar beliefs, political opinions, personality/psychometric tests, and criminal convictions.
Sensitive Personal Data can only be collected, processed and used under strict conditions, and will usually require the express consent of the individual concerned.
Processing includes: any activity that involves the use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data, including organising, amending, retrieving, using, disclosing, erasing or destroying it. It also includes transferring personal data to third parties.
Personal Data including Sensitive Personal Data as defined by the Act is routinely included in, but is not limited to, programme scripts, treatments, briefs, running orders, invoices, purchase orders, float and expenses claims, company bank statements, call sheets, company organigrams, lists of employees and payroll/fee information. In other words, care needs to be taken when handling data which is very much part and parcel of your everyday work practices.
For personal data to be processed lawfully, certain conditions have to be met. These are described in more detail in the next sections and may include, among other things, requirements that the individual has consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, more than one condition must be met. In most cases the individual's consent to the processing of such data will be required (unless otherwise approved by HR and/or the Data Protection Officer).
1.2 What are our obligations?
The Act sets out eight key principles regarding the processing of personal data. Personal Data must be –
- fairly and lawfully processed;
- processed for limited purposes and in an appropriate way;
- adequate, relevant and not excessive for the purpose;
- accurate and, where necessary, kept up to date;
- not kept for longer than is necessary for the purpose;
- processed in accordance with the rights of the individual;
- kept secure; and
- transferred only to countries in the European Economic Area (unless the information is adequately protected).
1.3 What we have to do
In simple terms, we need to make sure that the Personal Data we gather and use is:
- kept safe;
- used only for the purpose for which it was gathered;
- used by you properly when performing your normal work duties;
- accurate and kept up to date;
- kept no longer than necessary and disposed of in the correct way; and
- in the case of Sensitive Personal Data, used in most cases only with the consent of the individual concerned (unless otherwise approved by HR and/or the Data Protection Officer).
2. Policy Statement
It is Group Policy to:-
- only collect, handle, process, store, record, use, transport, and retain Personal Data that is necessary for the Group to conduct its business;
- respect the privacy of individuals; and
- ensure that any Personal Data held is secure, giving access only to those who have a lawful right to access. This applies to both automated and manual records.
Every employee or worker within the Group has a responsibility to adhere to the Data Protection Policy. Directors, Managers and Supervisors (and anyone else deemed to be a ‘Data Controller’) have key responsibilities for the implementation, application and monitoring of this policy. If you are unsure about how you should apply or interpret this policy, or are concerned about a possible breach, you should ask your company Data Controller, line manager or the Group's Data Protection Officer for guidance prior to taking any action.
This policy does not form part of any employee's contract of employment and it may be amended at any time. Any breach of this policy will be taken seriously and may result in disciplinary action. This policy is reviewed biannually by the ALL3MEDIA Group Data Protection Officer.
Group Policy for the following areas is set out below and must be followed by all Group employees and workers.
- Data Records
- Verbal Communication
- CCTV Systems
- Buildings and Premises
- Key Departments
- Data Disposal
- Laptops, portable media and the use of data offsite.
- Data Monitoring/Review
- Data Breaches
- Data Requests
In order to ensure that Personal Data is fairly and lawfully processed, certain conditions have to be met. These will include Personal Data being acquired with the express consent of the individual (which will in most cases be acquired pursuant to an agreement with that individual) and the processing being necessary for the legitimate interest of the individual or the party to whom the Personal Data is disclosed.
In order to comply with the principle above, any agreement with the individual must set out:
- the contact details of the Data Controller i.e. the person from each operating company that determines the purposes and manner in which data is processed;
- the purpose or purposes for which it is intended that the Personal Data will be processed. Personal Data must not be used for other purposes unless the consent of the individual has been obtained. Also, it must be adequate and not excessive; and
- any other information that is necessary to ensure that the processing of the data is fair.
3.2 Data Records (for example paper records, emails, electronic files stored on computers or portable memory devices, rushes, audio, video)
Data records are any media which may contain personal information. For example, they could be paper contracts, spreadsheets, rushes with captions, or sound recordings. Great care and attention should be paid to them by all employees and workers.
- Paper documents containing Personal Data must be stored securely and not left on view. Accordingly, appropriate measures need to be undertaken to ensure that no day-to-day paper records are left unattended where they might be seen by visitors who are not authorised to view them. A ‘Clean Desk’ policy should be operated, with all paperwork and files locked away outside normal office hours.
- Unnecessary copying of paper and electronic records must not be undertaken. For example, does a call sheet really have to be duplicated and distributed to so many people?
- Special care should be taken when faxing and emailing Sensitive Personal Data. You need to ensure that only the intended recipient receives the information. When sending a fax, a call must be made first to make sure that the person is standing by the fax machine. Passwords must be used on documents and communicated by phone to the recipient of sensitive emails.
- Special attention must be taken when constructing and presenting ‘pitch’ documents to broadcasters and partners. These documents must follow all of the guidelines set out in this document.
- Documents containing Personal Data must be shredded in a secure manner (see 3.7 Data Disposal).
- Every effort must be made to ensure that PC display screens and monitors showing Personal Data are facing away from walkways and areas where others might be able to view them.
- Electronic documents must be password protected or encrypted if they contain personal data. Passwords must only be made available to those authorised to process an individual’s information as is reasonably necessary.
- PCs used in HR and payroll departments must be sited at desks with the screen facing a wall when possible. If not possible, screen viewing guards can be useful to prevent others seeing the screen unless they are sitting directly in front of them.
- PC Network log-on passwords and email passwords must be made known only to authorised people and systems should force them to be changed at least every 40 days, in accordance with the All3Media IT policy.
- PCs must be set to lock to screensavers if not in use for 10 minutes, with the network password needed to unlock them.
- Access to computer data must be limited to levels of the internal company system relevant to the particular member of staff.
3.3 Verbal communication
Verbal communication of Personal Data must only be given to authorised individuals. For example, personal email addresses, home phone numbers and home addresses must not be given out by anybody without the express permission of that person. Great care should be taken when dealing with people claiming to be from some kind of authority, for example the police. Proof of that person’s identity needs to be obtained before any information is disclosed. All such requests must be authorised by your company Data Controller or line manager. If you are not sure about the caller's identity, you should suggest that the person making the verbal request put their request in writing. Don't be afraid to ask for assistance in difficult situations. No-one should be bullied or harassed into disclosing personal information.
3.4 CCTV Systems
- CCTV must be operated in accordance with the CCTV Code of Practice as issued by the Information Commissioner's Office. http://www.ico.gov.uk/upload/documents/cctv_code_of_practice_html/index.html
- Prior to any decision to install CCTV, companies should undertake an impact assessment (see Form A) to assess the need for CCTV.
- The Data Controller at each Group company who “controls” and is responsible for the use of any CCTV systems and the images produced must also notify the Information Commissioner annually. Companies who decide to install a CCTV system or already have CCTV installed should complete an annual checklist (see Form B).
3.5 Buildings and Premises
Access to the building(s) must be controlled with appropriate and practical measures to protect Personal Data acquired by the Company.
If any of the following security measures are implemented, best practice would include the following:-
- swipe card entry systems which should be regularly monitored to ensure that only current members of staff have access to the building(s).
- any Security Guards to be employed outside normal office hours should be SIA approved contractors.
- Redcare approved security alarms should be linked to a security company and/or the Police.
- manual coded door locks. Code should be changed every 2 months.
Notwithstanding the use of the measures above, where possible a clean desk policy must be implemented outside office hours.
3.6 Key Departments
Production Teams: production data must be kept on a separate drive on the company’s network and software system in a separate folder for each programme. Access to this folder and data contents must be strictly controlled and be limited to the people working on that production and to senior management. Any Sensitive Personal Data must be stored within a subfolder of the production folder and must be further secured by passwords and be available to a very limited access list. This access list must be reviewed at each production meeting by the production manager.
A system must be in place in tape/disk libraries to check all other types of media, both on and off premises. Production teams working on site must have a system of tracking original rushes and associated scripts and production paperwork back to the company’s premises, to and from edit, to and from broadcasters on completion, and to and from any remote storage facility at the completion of the production (see Form F).
Call Sheets should be numbered when printed and logged out to individual personnel and logged back in again for disposal. With regard to crew lists, freelancers can no longer be permitted to take crew lists from job to job. This is a strict requirement.
Business Affairs, HR, Accounts, IT: data must be kept on a separate drive on the company’s network and/or software system. Access to this data must be strictly controlled. Access to the departmental data must be limited to the people working in that department. Any Sensitive Personal Data must be secured further by passwords and a very limited access list. The access list must be reviewed regularly by the head of each department or an MD at each Group company.
Sub Contractors: must agree to adhere to, and work in accordance with, the Group's Data Protection Policy and the principles of the Act. Cleaners and security workers must have been given basic training by their employers.
3.7 Data Disposal
Personal Data should not be kept longer than is necessary and if the data is no longer relevant for the purpose for which it was obtained, the data should be destroyed.
- Printed material containing Personal Data should be securely destroyed. For example, paper waste containing data can be shredded by Group companies locally. Alternatively, suppliers can be employed to site bins around offices and the waste taken to be securely shredded in bulk at the supplier’s premises.
- CDs, tapes and all other media must be wiped locally before recycling.
- If you are reusing media, including tapes, DVDs and memory sticks, it should be completely wiped before it is written over.
- IT departments must have a clear work process for dealing with old PCs, laptops and servers, which must have their hard drives wiped, tested and recycled or physically destroyed at the end of their useful life. Certification of cleaning and/or physical destruction should be obtained from a specialist supplier whether they be a specialist media or general waste recycling company.
3.8 Laptops, portable media and the use of data offsite.
Personal Data MUST be kept secure.
Each company must have a procedure covering the temporary removal of Personal Data from the company’s premises, which must be complied with by, for example, staff who need to work from home or on location.
The following practices should be adopted:-
- Sensitive Personal Data should only be taken off-site with the express permission of your line manager. All staff who work from home/on location must adopt the same policies with electronic and paper records as they do in the office.
- to remove the need to take personal data off-site, IT departments must, where applicable, make it possible for staff to use a computer to access data remotely, when working away from the office.
- physically transporting paper and electronic files between the office and home/location and back should, wherever possible, be avoided as there is always a risk of data being lost or stolen in transit.
- any documents containing Personal Data must be, at the very least, password protected before being sent by email.
- ALL laptops in the group must be encrypted. This is not limited to laptops containing Personal Data or to specific departments. This means every single laptop in the group, even ‘pool’ ones. Any hard disks must be encrypted. The minimum would be TrueCrypt; this is free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux. IT departments, please see http://www.truecrypt.org/ for more information or speak to the Group IT Director.
- any Personal Data downloaded to a portable memory device, e.g. USB sticks, CDs, DVDs or laptops, must be protected by a password, kept securely AND encrypted. USB sticks should be held on a keyring or lanyard and be kept on your person at all times, and not stored in bags or left in vehicles. Encrypted sticks can be provided by your IT department.
- BlackBerrys, iPhones and other mobile devices MUST be protected with a password that auto-locks after 30 minutes. Any device that is lost must be reported immediately so that IT can perform a remote wipe of the device.
- IT backup tapes must be collected and stored offsite by a professional service firm and in accordance with the guidance issued in the separate ALL3MEDIA policy that can be found in the Policy and Procedures manual.
- External Hard Drives used for data storage and rushes must be encrypted and password protected when they contain personal data. An example of one such device would be the LaCie d2 Biometric SAFE Hard Drive range.
Please also remember that personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data. Should you have any questions or concerns in this respect you should refer them to the Data Protection Officer or a member of the HR Team.
3.9 Data Monitoring/Review
Data must not be kept any longer than necessary, and must be kept secure, up to date and processed in accordance with the purpose for which it was obtained.
- a Data Controller has been appointed at each company who will report to the Group's Data Protection Officer at agreed times during the calendar year.
- the Data Controller at each company must undertake regular data protection reviews of Personal Data it has acquired to ensure that the Personal Data is adequate for the purpose, relevant and not excessive. This is in addition to the production set up and debrief meetings outlined below. The reviews should occur at least annually (see Form C) and immediately after any breach has occurred (see Form E).
- production set up meetings - Production Managers/Business Affairs must specifically address the issue of data protection during the production process i.e. what Personal Data needs to be acquired, who should have access to it, etc. They must then work with IT to establish a routine for data storage for new productions (see Form D).
- production debrief meetings - Data protection issues must also be addressed as an item in a production debrief at the end of each production, i.e. what data needs to be retained and for how long; is it accurate and up to date. If it is no longer required it must be securely destroyed (see 3.7 Data Disposal). Production Managers/Business Affairs should sign off a Production Debrief Personal Data Assessment Form (see Form F) covering how data is to be destroyed or archived and for how long.
3.10 Data Breaches
- It is imperative that any breaches or suspected breaches are dealt with straight away. Companies who discover a breach should notify Jules Burns, Jane Turton and/or Donall Crehan and Sara Geater CC Joe Lythgoe at ALL3MEDIA immediately before any further action is taken.
- For example, breaches of security could be the loss or theft of computer hardware, data sticks, media hard drives, paper files, tapes, disks or any other medium that contains Personal Data.
- A written assessment should be made of the incident that has occurred and the possible implications stated (see Form E).
- Arrangements will then be made to advise those affected as soon as it is practical to do so, in order that they can take any measures needed to protect themselves.
The Data Protection Act 1998 creates a number of criminal offences for unlawfully obtaining or disclosing Personal Data, for which both the Group and the individual who makes an unlawful disclosure of Personal Data could be held liable. Therefore, any serious breach of Group Policy will be considered an act of gross misconduct and will be dealt with in accordance with the Group’s disciplinary policy.
3.11 Links to general and more detailed advice
The following link to the Information Commissioner's Office web home page provides detailed information on best practice for a wide range of departments and circumstances and is an excellent point of reference. http://www.ico.gov.uk/
The full text of the Act is also available for more detailed reference at http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1