1 Hotsauce TV Ltd/BFQ Ltd Data Protection Policy

In common with other companies and organisations in the UK, Hotsauce TV Ltd (HSTV Ltd) and BFQ Ltd collect Personal Data in the course of their business.

The purpose of this policy is to explain the importance of Data Protection, how it affects HSTV/BFQ Ltd and its productions and to set out the steps HSTV/BFQ Ltd takes as a business and within the process of its television productions to ensure compliance with its obligations under the General Data Protection Regulations 2018 (“the Regulations/the GDPR”).

This is a living policy that will be updated as and when necessary.

The Regulations set out the rules that govern the collection, management and protection of “Personal Data” and “Sensitive Data” by all organisations in the UK and came into force on 25 May 2018.

The potential consequences of failing to comply with the Regulations are severe, including unlimited fines and criminal prosecution. In addition, HSTV/BFQ Ltd may suffer damage to its reputation if it does not take proper care of the personal data of employees and contributors to our productions. Data protection should be embedded in all production decisions.

It is necessary for HSTV/BFQ Ltd to be registered on the Information Commissioner’s central register.

2 Who within HSTV/BFQ Ltd does the GDPR apply to?

The GDPR refers to ‘controllers’ and ‘processors’.

Controllers

A controller determines the purposes and means of processing personal data. There can be more than one controller: HSTV/BFQ Ltd as a company can be considered a controller, as can the Head of Production. For productions where the broadcaster has asked for sensitive personal data to be supplied to Project Diamond, the broadcasters are also considered controllers of personal data.

Processors

A processor is responsible for processing personal data on behalf of a controller. All production team members and direct employees of HSTV/BFQ Ltd are identified as processors and therefore have responsibilities under the Regulations. The GDPR places specific legal obligations on processors such as a requirement to maintain records of personal data and processing activities. There is a legal liability for anyone responsible for a breach.

Each member of the team will need to identify their role and responsibilities. A meeting involving the whole team should be held during the pre-production period in order to determine responsibilities.

If you have any queries in relation to this note or Data Protection matters more generally, please direct them to the Head of Production.

What are Personal and Sensitive Data?

Personal data

The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. That person is referred to in this Policy as the ‘data subject’.

The main thing to note is that the definition is very broad. It covers any information that relates to a living person from which that person can be identified or from which, in conjunction with other readily available information (e.g. any one or more of their names, address, telephone numbers, email address, date of birth, bank account/payroll information, next of kin and images etc.), a person can be identified. It includes IP addresses and data automatically collected by ISPs when using computers and the internet.

Personal Data can also be obtained from past, current and future employees, contributors, suppliers and contractors. It might be contained or proffered in letters, correspondence, call logs, programme treatments, running orders, CVs, CCTV footage, contributor agreements or contributor application forms, post production paperwork, criminal record bureau checks, medical records, purchase orders, rushes with captions, bank statements and employee references. The Personal Data may be in hard copy form, e.g. original or copy paper document, photographs and film; or in electronic form, e.g. PC, laptop, mobile phone, BlackBerry or memory stick.

HSTV/BFQ is entitled to process Personal Data in order to perform the contractual dealings and relationships with its staff and with its contributors.

Provided that at all times Personal Data must:

  • be fairly and lawfully processed
  • be processed for limited purposes
  • be adequate, relevant and not excessive
  • be accurate and up to date
  • be kept for no longer than necessary
  • be processed in accordance with the rights of the individual subject
  • be secure
  • not be transferred to other countries without adequate protection.

As a matter of good practice you should always notify the Data Subject that their data is being collected and wherever possible obtain their consent in writing (within a signed contract).

You must think carefully about the purpose for which you are collecting and recording any personal data. Data Subjects have new rights under the GDPR (which may include the right to the erasure of their data) and you must be fully aware of the HSTV/BFQ Ltd Privacy Policy, which is available at http://www.hotsauce-tv.com/. You must make the data subject aware of the HSTV/BFQ Privacy Policy when collecting their data. This could be at the point that a contract is issued or with any initial request for personal data.

Sensitive Personal Data

The GDPR refers to sensitive personal data as “special categories of personal data”.

This is data that relates to an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health matters, sexual orientation/life, alleged or actual criminal activity and criminal records.

The processing (i.e. collection/use) of Sensitive Personal Data must only be undertaken with the express consent of the person to whom the data relates. HSTV/BFQ Ltd may occasionally need to collect Sensitive Personal Data – i.e. for the reporting to Project Diamond – a single online database used by the BBC, ITV, Channel 4, Channel 5 and Sky to obtain consistent diversity data on the programmes they commission.

Sensitive Personal Data should only be collected with the prior approval from the Head of Production.

This cannot be collected for the necessity of operating the relationships between HSTV/BFQ Ltd. You must ALWAYS get clear consent from the data subject.

Under 18s

If for any reason you are filming with children or there are any children on set, you must seek specific consent; please see the Head of Production for separate guidelines.

Collecting and access to Personal Data

HSTV/BFQ Ltd’s employees and freelancers will have access to or will routinely acquire Personal Data from many sources and in many forms including in the course of the following activities:

Storage of Personal Data

Once Personal Data has been collected it is of paramount importance that it is stored securely on and off site.

On-site Security (principally HSTV/BFQ Ltd production offices): Hard copies of all documents containing Personal Data should be stored in locked cabinets or in locked offices.

Computers and networks must be password protected and passwords should be changed regularly. Computers must be logged out of at the end of each working day.

Access to documents/computers on which Personal Data is stored should be restricted to those people who need it to perform their duties.

Computers and computer networks should be fitted with virus protection (and firewalls where feasible) and guidance should be given to personnel as to the necessary care to be taken when opening email attachments and when visiting unfamiliar websites.

Measures should be taken to make back up copies of Personal Data to prevent accidental deletion.

Access to buildings and offices in which Personal Data is stored should be controlled and adequate security measures in place. Visitors must be supervised at all times when in places where Personal Data is stored.

Off-site Security:

Computers, laptops, computer discs, memory sticks, PDAs and all kinds of portable media devices (“Computer Equipment”) should only be taken off-site where it is necessary for an individual to perform their duties, such as whilst on location or in a studio production office.

General Security

Computer Equipment should be password protected and wherever Sensitive Personal Data is stored such data should be encrypted. The intention should be that if Computer Equipment was stolen, the Personal Data stored on it would remain secure.

Mobile phones should be password locked.

A system of monitoring should be in place in relation to the return of all material and Computer Equipment which is taken off-site which contains Personal Data.

All production paperwork (contracts, call sheets, release forms) taken off-site should be stored securely at all times.

HSTV and BFQ Ltd may transfer Personal Data within the two companies where such transfer is based on an operational requirement such as the shared use between the two companies of current and future employees, contributors, suppliers and contractors.

Engaging Third Parties to Process Personal Data

Where third party service providers are engaged to process or dispose of Personal Data we must ensure that they undertake to comply with the Regulations in our contract(s) with them. This could apply to an external payroll company or an external IT service provider. If you have any queries in relation to this requirement, speak to the Head of Production.

Duplication of Personal Data

Physical and computer files/documents should only be copied where strictly necessary. Where copying is necessary, copied documents must be stored securely at all times as set out above and not left unattended on photocopiers, scanners, fax machines etc.

Information Retention and Disposal

At the end of a production the Production Manager should consult with the Head of Production as to which Personal Data records can be legitimately retained and which should be destroyed.

Shredders or secure recycling bins must be provided for the disposal of documents containing Personal Data.

Data should only be kept for so long as is necessary to keep it and where such retention can be justified (either as a result of an applicable legal obligation or genuine business requirement) and, in any event, should not be kept longer than the maximum retention period as set out in the table below. Notwithstanding the table below, documents may be destroyed at an earlier date where they are no longer required.

The table below applies to both paper copy and digital documents.

All files stored on Computer Equipment must be fully deleted prior to the sale or disposal of such equipment.

Employees leaving HSTV/BFQ Ltd and production personnel leaving at the end of their engagement should be reminded to leave in the office all material containing Personal Data and to delete all sensitive files from Computer Equipment personally owned but utilised during the course of the job.

Loss and Unauthorised Disclosure of Personal Data

If you become aware of a breach of this Policy or of the loss or unauthorised disclosure of Personal Data you should immediately inform the Head of Production.

A breach may occur in a number of ways and you need to be aware of how they could occur. These are examples:

  • Any physical loss of paperwork or loss or theft of an electronic device from the production sites
  • Sending Personal Data to an incorrect recipient
  • Digital loss/damage of the Personal Data, so that it is no longer available
  • Altering the Personal Data without the permission of the data subject
  • Access by a third party to the data sites – e.g. breach of firewall or release of the Personal Data to an unauthorized member of the team.

If you suspect that there may have been a breach, you must notify your Head of Production, no matter how inconsequential the breach may seem to you.

The Head of Production can then decide what steps need to be taken to address the breach and make a decision as to whether it is necessary to contact the Data Subject or the ICO. If HSTV/BFQ Ltd needs to notify the ICO, it must be done within 72 hours of the breach – so it is imperative that the Head of Production is notified very quickly.

Date of Policy: 21 May 2018

Next Review: 23 March 2025