123
  

1. Introduction
1.1. Starr in the Community C.I.C. needs to collect and use certain types of information about certain Individuals in order to carry out its work. This work pertains predominantly to the provision of free circus tickets to disadvantaged, disabled or vulnerable children.
1.2. Personal information must be collected and dealt with appropriately whether collected on paper, stored in a computer database, or recorded on other material and there are safeguards to ensure this under the General Data Protection Regulation 2018 (GDPR), to which this policy adheres.
1.3. The parties about whom Starr in the Community C.I.C. may hold and process personal data (the Data Subject) include:
1.3.1. Individuals who may be interested in procuring free tickets to a circus show.
1.3.2. Organisations or their representatives who may wish to procure tickets to a circus show for their Clients or Service Users.
1.3.3. Individuals who may wish to offer a financial donation towards the work of Starr in the Community C.I.C.
1.3.4. Organisations or their representatives who may wish to offer a financial donation towards the work of Starr in the Community C.I.C.
1.3.5. Any other organisation or individual who contacts Starr in the Community C.I.C.

2. Data Controller
2.1. Starr in the Community C.I.C. is the identified Data Controller under the GDPR, which means that we determine the purposes for which personal information is held and used. We are therefore also responsible for ensuring that this data is controlled in full compliance with the GDPR.

3. Disclosure
3.1. Starr in the Community C.I.C. regards the lawful and correct treatment of personal information to be of the utmost importance in creating successful working relationships, and to maintaining the confidence of those with whom we deal.
3.2. The Data Subject will be made aware in all circumstances of how and with whom their information will be used and shared. Starr in the Community C.I.C. will never share personal data with other organisations, (such as businesses, local authorities, funding bodies or voluntary agencies), unless at least one of the following circumstances apply:
3.2.1. The Data Subject has given explicit, verifiable consent.
3.2.2. The sharing of data is seen to be in the legitimate interest of the Data Subject.
3.2.3. The law mandates the disclosure of personal data.
3.3. There are circumstances where the law mandates that Starr in the Community C.I.C. disclose data (including sensitive data), without the Data Subject’s consent. These include:
a) Carrying out a legal duty or as authorised by the Secretary of State.
b) Protecting vital interests of an Individual/Service User or other person.
c) The Individual/Service User has already made the information public.
d) Conducting any legal proceedings, obtaining legal advice or defending any legal rights.
3.4. Personal data will never be sold to a third-party.
3.5. Starr in the Community C.I.C. will adhere to the Principles of Data Protection, as detailed in the EU General Data Protection Regulation. Specifically, these Principles require that:
a) Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
b) Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
c) Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
d) Personal data shall be accurate and, where necessary, kept up to date.
e) Personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data is processed.
f) Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
g) The controller shall be responsible for and be able to demonstrate compliance with the GDPR.
3.6. Starr in the Community C.I.C. will, through appropriate management and strict application of criteria and controls:
3.6.1. Observe fully, conditions regarding the fair collection and use of information.
3.6.2. Meet its legal obligations to specify the legitimate purposes for which information is used.
3.6.3. Collect and process appropriate information, and only to the extent that it is needed to fulfill its operational needs or to comply with any legal requirements.
3.6.4. Ensure the quality of information used.
3.6.5. Ensure that the rights, (as defined by the Information Commissioners Office), of people about whom information is held, can be fully exercised under the GDPR. These include:
a) The right to be informed.
b) The right of access.
c) The right to rectification.
d) The right to erasure.
e) The right to restrict processing.
f) The right to data portability.
g) The right to object.
h) Rights in relation to automated decision making and profiling.
3.6.6. Take appropriate technical and organisational security measures to safeguard personal information.
3.6.7. Ensure that personal information is not transferred to a third-party without suitable consent or legal obligation.
3.6.8. Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information.
3.6.9. Set out clear procedures for responding to requests for information, erasure of information and cessation of processing.

4. Data Collection
4.1. Starr in the Community C.I.C. will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, over the telephone or by completing a form on the website (www.circus-starr.org.uk).
4.2. When collecting data, Starr in the Community C.I.C. will ensure that the Data Subject:
a) clearly understands why the information is needed;
b) understands what it will be used for and what the consequences are should the Data Subject decide not to give consent to processing;
c) is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress; and
d) has received sufficient information on why their data is needed and how it will be used.
4.3. The two key parameters through which personal data will be held and processed are Consent, and Legitimate Interest.
4.3.1. Consent is defined:
a) As offering individuals real choice and control.
b) Genuine consent puts individuals in charge, building customer trust and engagement.
c) Consent requires a verifiable positive opt-in.
4.3.2. Where consent is not required or realistically available, the legitimate interest of the Data Subject can be used as a lawful basis for data processing.
4.3.3. To determine legitimate interest, we make sure to:
a) identify a justifiable legitimate interest of the Data Subject;
b) show that the processing is necessary to achieve it; and
c) balance it against the individual’s interests, rights and freedoms.
4.4. The Information Commissioner’s Office clarifies that legitimate interest is comprised of three key elements:
4.4.1. A Legitimate Interest:
a) Starr in the Community C.I.C. will clarify the legal ground for data processing through identification of a legitimate interest (e.g. direct marketing).
4.4.2. A Necessity Test:
a) Starr in the Community C.I.C. will assess whether legitimate interest is the correct legal ground and whether the processing of personal data is necessary. (e.g. The processing of personal data is necessary for a direct marketing campaign).
4.4.3. A balance with individuals’ interests, rights and freedoms:
a) Starr in the Community C.I.C. will not impinge an individual’s rights. We will identify privacy risks and assess whether legitimate interest is valid in each particular instance.
4.5. In order to function properly, Starr in the Community C.I.C. collect personal data in the following ways:
4.5.1. Through a website enquiry form.
4.5.2. Through a ticket application form.
4.5.3. Through inbound phone calls made to our organisation.
4.6. Personal data collected will include:
4.6.1. Name
4.6.2. Address
4.6.3. Phone Number
4.6.4. Email Address
4.6.5. Any notes which may pertain to the wellbeing of the individual whilst on our premises. These could include:
a) Physical Requirements
b) Dietary Requirements
c) Cultural Requirements

5. Data Storage
5.1. Information and records relating to service users will be stored securely on a dedicated hard drive and will only be accessible to authorised staff and volunteers. Designation of responsibility for this authorisation sits with the Data Protection Officer.
5.2. Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately.
5.2.1. Unless otherwise confirmed through an auditable document such as a feedback form, data will be held for 2 years before it is completely removed from all systems and data storage facilities.
5.2.2. If it has been expressly stated in a feedback form or other auditable format that personal data may be kept for longer than 2 years, this will be adhered to in accordance with the consent of the Data Subject.
5.3. It is Starr in the Community C.I.C.’s responsibility to ensure that all personal data is non-recoverable from any computer system previously used within the organisation, which has been passed on / sold to a third-party.
5.4. If Starr in the Community C.I.C. is requested to delete personal data, this will be done immediately and without question.

6. Data Processing
6.1. Starr in the Community C.I.C. process personal data in the following ways:
6.1.1. Once an enquiry form is received, the personal data included in the form will be used in strict accordance with the content of the form.
6.1.1.1. In this situation consent to process data is taken to have been given upon submission of the enquiry form.
6.1.1.2. The legitimate interest of the enquirer is also taken into account when responding to the enquiry, as it is assumed that our response is in their best interest.
6.1.2. If a ticket application is received the personal data will only be used to fulfil the request, including delivery of the tickets.
6.1.2.1. In this situation consent to process data is taken to be given upon submission of the ticket application.
6.1.2.2. The legitimate interest of the individual making the application is also taken into account when responding to the enquiry, as it is assumed that our response is in their best interest.
6.1.2.3. A feedback form may be sent to the customer following their visit. This may be via email or postal mail.
6.1.3. Details of potential donors are kept for our own records in accordance with the agreement made upon donation.
6.1.3.1. It is in the legitimate interest of the donor to have their information kept on our records.
6.1.3.2. We will not contact a donor for any further donation unless express consent is given.
6.1.3.3. The donor has the right to full anonymity publicly and as far as is practicable within our organisation.

7. Data Access and Accuracy
7.1. All Data Subjects have the right to access the information Starr in the Community C.I.C. holds about them. Starr in the Community C.I.C. will take reasonable steps ensure that this information is kept up to date by asking Data Subjects whether there have been any changes.
7.2. Starr in the Community C.I.C. will ensure that:
a) It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection.
b) Anybody processing personal information understands that they are legally responsible for following the GDPR.
c) Anybody processing personal information is appropriately trained to do so.
d) Anybody processing personal information is appropriately supervised.
e) Anybody wanting to make enquiries about handling personal information knows what to do.
f) It deals promptly and courteously with any enquiries about handling personal information.
g) It describes clearly how it handles personal information.
h) It will regularly review and audit the ways it holds, manages and uses personal information.
i) It regularly assesses and evaluates its methods and performance in relation to handling personal information.
j) All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary or legal action being taken against them or the organisation.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the GDPR. In case of any queries or questions in relation to this policy please contact the Starr in the Community C.I.C. Data Protection Officer: 

Michelle Crossley
Office Address: 1st Floor Dane Mill, Broadhurst Lane, Congleton, Cheshire, CW12 1LA
Email: michelle@circus-starr.org.uk
Tel: 01260 288690

Glossary of Terms
Data Controller – The person who (either alone or with others) decides what personal information Starr in the Community C.I.C. will hold and how it will be held or used.
Data Protection Officer – The person(s) responsible for ensuring that Starr in the Community C.I.C. follows its data protection policy and complies with the GDPR.
Individual/Customer/Data Subject – The person whose personal information is being held or processed by Starr in the Community C.I.C. for example: a client, an employee, or supporter.
Explicit Consent – is a freely given, specific and informed agreement by an Individual/Service User in the processing of personal information about them. Explicit consent is needed for processing sensitive data.
Processing – means collecting, amending, handling, storing or disclosing personal information.
Personal Information – Information about living individuals that enables them to be identified – e.g. name and address. It does not apply to information about organisations, companies and agencies but applies to named persons, such as individual volunteers or employees.
Sensitive data – refers to data about:
• Racial or ethnic origin
• Political affiliations
• Religion or similar beliefs
• Trade union membership
• Physical or mental health
• Sexuality
• Criminal record or proceedings

©Circus Starr 2019 All Rights Reserved all 3rd party trademarks acknowledged. Company’s Registered Office Address: Circus Starr, Starr in the Community CIC - Dane Mill, Broadhurst Lane, Congleton, Cheshire CW12 1LA Registered in Companies House England & Wales No 7477542