Data Protection and Information Security Policy

Statement of Policy and Purpose of Policy
1.    Come Dancing With Me is committed to ensuring that all personal information handled by us will be processed accordingly and to legally compliant standards of data protection and data security.

2.   The purpose is of this policy is to help us achieve our data protection and information security aims by:

a.    Notifying our customers of the types of personal information that we may hold about them and what we do with that information;
b.    Ensuring rules are adhered to, and the legal standards are maintained for the handling of personal information relating to our customers
c.    Clarifying the responsibilities and duties with respect to data protection and the security of information.

Who is responsible for data protection and information security?
3.    We maintain appropriate standards of data protection and information security as prescribed by EU legislation.

4.    The management has overall responsibility for ensuring that all personal information is handled in compliance with EU law.

5.    We ensure compliance with this policy, and handle all personal information consistently with the principles set out and ensure that measures are taken to always protect data security.

6.   A breach of this policy is taken seriously and may result in disciplinary action.

What personal information and activities are covered by this policy?
7.    This policy covers personal information:
a.    Which relates to a living individual who can be identified either from that information in isolation or by reading it together with other information we possess;
b.    Is stored electronically or on paper in a filing system;
c.    In the form of statements of opinion as well as facts;
d.    Which relates to any individuals whose personal information we handle or control;
e.    Which we obtain, hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.

What personal information do we process about our customers and what do we do about it?
8.    We collect personal information about you which:
a.    You provide to us willingly;
b.    Is provided by third parties that we do business with; or
c.    Is already in the public domain.

9.    The types of personal information that we may collect, store and use include records relating to home addresses and relevant contact details supplied to us by you such as email addresses and telephone numbers.

10.   We will use information in order to carry out our business, to administer your application for purchase of services offered by Come Dancing With Me and to deal with any possible issues or concerns you may have.

11.    We confirm that for the purposes of the Data Protection Act 1998, the Employer is a Data Controller of personal information.  This means that we will determine the purposes for which, and the manner in which, personal information is processed.

12.    We will take reasonable steps to ensure that all personal information is kept secure, as described later in this policy and in general, we will not disclose personal information to other third parties unless required to so as to comply with legal obligations to assist in a criminal investigation.

Data Protection Principles
13.     Any person whose work involves using personal data relating to customers or others must comply with this policy and with the eight legal data protection principles which require that personal information is:
a.    Processed fairly and lawfully. We must always have a lawful basis to process personal information. In most (but not all) cases, the person to whom the information relates (the Customer) must have given consent. The customer must be told who controls the information (us), the purpose(s) or which we are processing the information and to whom it may be disclosed.
b.    Processed for limited purposes and in an appropriate way. Personal Information must not be collected for one purpose and then used for another. If we want to change the way we use personal information we must first tell the Customer.
c.    Adequate, relevant and not excessive for the purpose.
d.    Accurate. Regular checks must be made to correct or destroy inaccurate information.
e.    Not kept longer than necessary for the purpose. Information must be destroyed or deleted when we no longer need it. For guidance on how long particular information should be kept, contact Come Dancing With Me.
f.    Processed in-line with customer’s rights. Customers have a right to request access to their personal information, prevent their personal information being used for direct marketing, request the correction of inaccurate data and to prevent their personal information being used in a way likely to cause them or another person damage or distress.
g.    Secure. See further information about information security below.
h.    Not transferred to people or organisations situated in countries without adequate protection.

Information Security
14.    We must all protect personal information in our possession from being accessed, lost, deleted and damaged unlawfully or without proper authorisation through the use of information security measures.

15.   Maintaining information security means making sure that:

a.    Only people who are authorised to use the information can access it;
b.    Information is accurate and suitable for the purpose for which it is processed; and
c.    Authorised persons can access information if they need it for authorised purposes. Personal information therefore should not be stored on individual computers but instead on our central system.

16.    By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it from obtaining to destroying the information.

17.    Personal information must not be transferred to any third party to process unless that person has either agreed to comply with our data security policy procedures or we are satisfied that other adequate measures exist.

18.   Security procedures include:

a.    Physically securing information. Any desk or cupboard containing confidential information must be kept locked. Computers should be locked with a password or shut down when they are left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others. 
b.    Controlled access to premises.

19.    Methods of disposal. Copies of personal information, whether on paper or on any physical storage devise, must be physically destroyed when they are no longer needed. Paper documents should be shredded and memory sticks or similar must be rendered permanently unreadable.

Customer Access Requests
20.    By law, any Customer may make a formal request for information that we hold about them, provided that certain conditions are met. The request must be made in writing. A fee may be payable by the Customer for provision of this information. In some circumstances, it may not be possible to release the information about the Customer if it contains personal data about another person.