All public and private organisations are legally obliged to protect personal information that they hold about people. Broadly speaking, personal data is defined as any information that can identify an individual and could include someone’s name, contact details, their computer’s IP address or many more types of data. Legislation ensures that personal information about an individual is:
•
Only held with consent
•
Held securely
•
Shared only on a need to know basis and with consent
•
Accessible to the person that the information is about
•
Not held longer than necessary
•
Not transferred to other countries without adequate safeguards.
Data protection is an important part of maintaining the dignity and confidentiality of dance class participants. It’s important as dance practitioners not to presume that we know the circumstances of the people who take part in our classes. Participants may have very good reasons to not want to disclose even the most basic personal information (surname, address, phone number). Data protection legislation seeks to ensure that everyone’s information is held safely and with consent.
The Information Commissioner’s Office (ICO) is responsible for regulating data protection in the UK, registering people who control data (Data Controllers) and taking action if the Data Protection Act is breached. They have a full and informative website which contains a range of guidance, including check lists to help small business owners identify the actions they need to take to comply with the Act. Visit their website (and particularly their section about data protection for small businesses) for more information:
https://ico.org.uk
According to the Information Commissioner’s Office:
•
A data
controller determines the purposes and means of processing personal data.
•
A data
processor is responsible for processing personal data on behalf of a controller.
As a dance practitioner you may act as a data controller. Under the most recent legislation, all organisations and individuals who are data controllers must register to pay a data protection fee to the Information Commissioner’s Office, unless they are exempt. The rules determining whether or not you register to pay this fee are complex and it is recommended that you take the self-assessment test provided on the ICO website:
https://ico.org.uk/for-organisations/data-protection-fee
Data Protection Act 2018 and GDPR
In May 2018, the Data Protection Act 2018 came into force and, along with General Data Protection Regulation (GDPR), replaced the 1998 Act. One of the key changes to data protection law under this legislation is the new Accountability Principle, which essentially requires data controllers to have appropriate measures and records in place to be able to
demonstrate their compliance to data protection law. The GDPR has also broadened the definition of what is considered personal data, enhanced the rights of the individuals whose information is being collected, and requires organisations to be more transparent about what they will do with personal data. To read about the other key changes to data protection law under the GDPR, visit the ICO website.
Legislation:
www.legislation.gov.uk/ukpga/2018/12/contents/enacted
Further resources:
•
Guide to the GDPR:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr
•
Data protection self-assessment for sole traders and small businesses:
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/assessment-for-small-business-owners-and-sole-traders
•
Sole traders and small businesses can contact the dedicated ICO helpline on
0303 123 1113.