Data Protection Policy

Overview

In the course and scope of its operation, and in order to provide its audience with a good service, Nevill Holt Opera (‘NHO’) may need to collect, handle, store and process personal information about current, past and prospective audiences, customers, suppliers, sponsors and other third parties. This personal information is subject to legal safeguards in the Data Protection Act 1998 (the ‘DPA’).

The DPA is underpinned by eight important principles. These provide that any person processing personal data must ensure it is:

  • processed fairly and lawfully;
  • processed in an appropriate way and only for the purposes set out;
  • adequate, relevant and not excessive for its purpose;
  • accurate and kept up to date;
  • not held for any longer than necessary;
  • processed in accordance with the rights of data subjects;
  • protected in appropriate ways; and
  • not transferred outside the European Economic Area (EEA), unless that country or territory ensures an adequate level of protection or unless consented to by the data subject.

This policy describes how personal data is, and must be, collected, handled and stored to meet the NHO’s data protection standards and those required by law.

The Data Protection Compliance Manager is responsible for ensuring compliance with the Act and with this policy. That post is held by Rosenna East. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Compliance Manager at re@nevillholtopera.co.uk

Terminology

  • Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.
  • Data subjects include all living individuals about whom NHO holds personal data save for our employees. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.
  • Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
  • Data controllers are the people who, or organisations which, determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the Act. We are the data controller of all personal data used in our business for our own commercial purposes.
  • Data users are those of our employees whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
  • Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing will not include the transferring of personal data to third parties, unless we are required to do so in terms of one or more of the grounds set out in the DPA or by written request of the data subject.
  • Sensitive personal data includes information about a person’s age, racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.

Fair and Lawful Processing

The Act intends to ensure that data processing is done fairly and without adversely affecting the rights of the data subject. For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the Act and in accordance with the rights of the data subjects.

These include their right to:

  • request access to any data held about them by a data controller.
  • prevent the processing of their data for direct-marketing purposes.
  • ask to have inaccurate data amended.
  • prevent processing that is likely to cause damage or distress to themselves or anyone else.

When processing personal data as data controllers in the course of our business, we will ensure that those requirements are met.

Processing for Limited Purposes

In the course of our business, we may collect and process personal data. This may include data we receive directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and data we receive from other sources in the ordinary course of our business (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).

Any personal information we hold on the NHO’s system will be used for operational purposes (for example the processing of bookings and orders), and for sending you information and updates about NHO and its activities.

You have a right at any time to stop us from contacting you by either sending an email to our data compliance manager or by clicking on the Unsubscribe button at the bottom of our emails.

We may from time to time ask you for further information in order to update records and ensure that our data is accurate and well maintained. You are under no obligation to participate and should you provide any further information, NHO will inform you how any further information will be used.

We will only process personal data for the specific purposes set out herein, or for any other purpose specifically permitted by the Act.

Adequate, Relevant and Non-Excessive Processing

We will only collect personal data to the extent that it is required for the specific purpose set out in this policy or as otherwise notified to the data subject.

Accurate Data

We will take all reasonable steps to ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.

NHO will make it easy for data subjects to update the information held about them. As inaccuracies are discovered or brought to our attention, we shall ensure our data is updated.

Timely Processing

We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected and will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.

Disclosure and sharing of personal information

We shall only disclose personal data in accordance with those circumstances permitted by the DPA or as necessary to comply with our legal obligations.

Data Security

Everyone who works for or with NHO has a responsibility to ensure data is collected, stored and handled appropriately and in accordance with both this policy and any applicable laws relating thereto.

We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.

We will maintain data security by protecting the confidentiality, integrity and availability of the personal data.

Security procedures shall include:

  • Entry controls. Any stranger seen in entry-controlled areas should be reported.
  • Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
  • Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.
  • Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.

Employees must keep all data secure, by taking sensible precautions and following the general staff guidelines in addition to the terms of this policy.

Subject Access Requests

All individuals who are the subject of personal data held by NHO are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed how the company is meeting its data protection obligations.

If an individual contacts the company requesting this information, this is called a subject access request.

Data subjects must make a formal request for information we hold about them. This must be made in writing to the Data Protection Compliance Manager.

Any employee who receives a formal subject access request must provide the individual with the email address of the DPO, being rosenna@nevillholt.co.uk, together with the following information:

  • All subject access requests must be made in writing to the DPO;
  • Proof of the identity of the person requesting the subject access request must be provided at the time of the request being made;
  • The individual will be charged £10 per subject access request and such payment must be made at the time of the request being made;
  • The data controller will aim to provide the relevant data within 40 days of payment being received provided the individual requesting the information has been appropriately identified and their identification has been verified.

Changes to this Policy

We reserve the right to change this policy at any time. Where appropriate, we will notify data subjects of those changes by mail or email.

General Staff Guidelines

Everyone who works for or with NHO has a responsibility to ensure data is collected, stored and handled appropriately and in accordance with both this policy and any applicable laws relating thereto.

Employees must keep all data secure, by taking sensible precautions and following the general staff guidelines in accordance with this policy.

  • The only people who will have access to any of the data covered by this policy are those who need it for the completion of their jobs and for the furtherance of the legitimate interests of the business.
  • Data should not be shared informally nor disclosed to any unauthorised people.
  • Strong passwords must be used, changed regularly and never shared between unauthorised employees.
  • Where data is no longer required, it must be deleted and disposed of.
  • Data must be held in only those places absolutely necessary and no additional data sets may be created unless absolutely necessary.
  • Data must be kept in a secure place where unauthorised people can neither see nor obtain it.
  • When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
  • Where data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
  • Servers containing personal data should be sited in a secure location, away from general office space.
  • Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
  • Data must never be saved directly to laptops or other mobile devices like tablets or smart phones.
  • All servers and computers containing data should be protected by approved security software and a firewall.
