Purpose and scope of application
Sets out ESCARLATE PRODUCCIONES’ commitment to the confidentiality of personal information and its responsibilities with respect to the disclosure of such information;
Is intended to ensure that all personnel, whether directly employed or contracted, are aware of their responsibilities with respect to the confidentiality of personal information; and
Applies to all ESCARLATE PRODUCTIONS staff including temporary and agency staff, contractors and volunteers and to personal information recorded in any format, including paper, electronic and any other media.
All employees, contractors and associates share responsibility for ensuring that information assets are handled in accordance with this policy.
Data: Information as defined in data protection law, i.e.:
Electronically processed, i.e., information systems, databases, microfiche, audio and video (CCTV) systems, and telephone recording systems;
Recorded with the intention that it be processed by equipment; or
Recorded as part of a relevant filing system, i.e. structured, either by reference to natural persons or by reference to criteria relating to natural persons that are readily accessible.
Controller: The person, company or organization that determines the purpose for which and the manner in which personal data may be processed.
Processor: Any person who processes personal data on behalf of the controller.
Data Subject: Any person who is the owner of the data that is the subject of the processing.
Disclosure: The disclosure or provision of access to data.
Confidential personal data: Personal information about identified or identifiable individuals, which must be kept private or secret. Personal information includes the General Data Protection Regulation (GDPR) definition of personal data, but is adapted to include both dead and living individuals and “confidential” includes both information “given in confidence” and “owed as a duty of confidence”, and is adapted to include “sensitive” information as defined in data protection law.
Personal information: Information that relates to a living individual who can be identified from information that is in the possession of the data controller or that may become so.
Processing: Using the information in the following ways:
Disclosure of information
Special category personal data (formerly known as sensitive personal data): any information about an individual relating to his or her person:
Biometrics (when used for identification purposes)
Third parties: Any person other than:
The data subject;
The data controller; and
Any processor or other person authorized to process on behalf of the controller.
4. Data protection
The principles of data protection
The Data Protection Act sets out the following principles to support good practice and fairness in the processing of personal information. These principles stipulate that:
Personal data must be processed lawfully, fairly and transparently;
Personal data may only be collected for specified, explicit and legitimate purposes;
Personal data must be adequate, relevant and limited to what is necessary for processing;
Personal data must be accurate and kept up to date, with every effort made to erase or rectify inaccurate data without delay;
Personal data must be kept in a form which permits identification of the data subject only for as long as necessary for its processing;
Personal data must be processed in a manner that ensures adequate security; and
The controller must be able to demonstrate compliance with the other data protection principles (proactive accountability).
5. Information security
In order to ensure the confidentiality of personal information, systems and procedures are required to control access to such information.
Such controls are essential to ensure that only authorized persons have:
Physical access to computer hardware and equipment;
Access to computer system utilities capable of overriding system and access controls, e.g., administrator rights; and
Access to electronic or paper records containing confidential information about individuals.
ESCARLATE PRODUCTIONS’ responsibilities of confidentiality and proper treatment of personal data are maintained even if the processing is carried out by a third party.
Access to personal information
Data subjects, and persons acting on their behalf with their consent, have the right of access to the data held about them. This includes access to audit trails indicating who has accessed their personal or confidential data.
Duty of confidentiality
All staff and contractors must recognize that confidentiality is an obligation. Any breach of confidence, inappropriate use of records or abuse of computer systems may result in disciplinary and legal proceedings.
Temporary and volunteer agency staff are also subject to such obligations and must sign a confidentiality agreement when working for or on behalf of ESCARLATE PRODUCTIONS.
Staff must ensure that there is a legal basis before sharing information. Any questions about the legitimacy of sharing information should be directed to the Information Security Manager.
Any unlawful sharing of personal or confidential data must be reported as an incident and investigated in accordance with the Security Incident Management Procedure.
Objections to the processing of confidential data
Any doubts or objections about the processing of personal data shall be immediately referred to the Information Security Officer. When ESCARLATE PRODUCCIONES acts as a data processor under contract, the query shall be referred to the Data Controller.
Data Protection Impact Assessments (PIA)
New initiatives involving high-risk processing of personal data will be subject to a PIA to ensure that the privacy and security of sensitive personal data is maintained.
7. Information flow mapping
Personal information flows in and out of ESCARLATE PRODUCTIONS will be mapped in PIA reports.
8. International Transfers
Personally identifiable information should not be transferred outside the EEA unless an appropriate risk assessment has been carried out and mitigating controls are in place.
ESCARLATE PRODUCTIONS should review flows of personally identifiable information to understand whether information transferred to external organizations flows outside the UK and EEA.
Decisions about the transfer of personally identifiable information should only be made by a senior manager who has been authorized to make that decision.
Organizations will need to obtain a statement of assurance from third parties that process the personal data of their users or staff overseas. This assurance may be within the contract between the two organizations or within other processing terms.
The Information Security Manager is responsible for ensuring that relevant personnel within ESCARLATE PRODUCTIONS have read and understood this document.
Document Owner and Approval
The Information Security Manager is the owner of this document and is responsible for ensuring that this procedure is reviewed in accordance with the review requirements set out in this policy.