DATA PROTECTION POLICY OBJECTIVE The three-part objective of this Policy is to achieve, across our organisation:
(i) a culture of awareness of the personal data we hold,
(ii) an understanding the data processing ‘life cycle’ of that personal data; and
(iii) the establishment of data processing protocols by which our station/ automatically complies with data protection law when processing personal data.
Part 1 Explanation of the key terminology used in this Policy Part 2 Principles we apply in our data processing Part 3 Application of those data protection principles in practice
A separate data mapping sheet for each category of personal data we collect and process.
A statement of our response protocols where;
there has been an event of data breach; and / or
we receive a data subject access request
we receive a data rectification or erasure request.
This policy will be reviewed and updated regularly and in any event no less than once a year. Updated versions of this Policy will be notified to all Staff who are required to read and familiarise themselves with its contents and to implement it in all aspects of their work with our station.
Section A - Part 1
KEY TERMINOLOGY USED IN THIS POLICY Data controller: The person or organisation having the power to determine what is done with personal data held by that person or organisation. In our case this means our radio station.
Data processing: At the direction of the data controller, doing anything with the personal data we hold, whether ourselves or through a third party contractor / service provider – to include filing it, analysing it, copying it, disclosing it, keeping it and deleting it.
Data Protection Commissioner: The State official to whom we are answerable for compliance with our data protection obligations. See www.dataprotection.ie
. Data life cycle: The path that personal data collected and processed by our station follows from the time of our collection of that personal data to the time we erase it.
Data subject: The person about whom we collect and process personal data. GDPR: The EU General Data Protection Regulation 2018.
Personal data: Any information about living individual by which the individual is identified or identifiable, either directly or indirectly. It includes names, email addresses, mobile ‘phone numbers. the individual may be Irish or from overseas – their personal data must be protected in accordance with this Policy regardless of their origin or place of residence.
Privacy Officer: The person in our organisation nominated to be responsible for co-ordinating and overseeing our compliance with data protection law. Our nominated Privacy Officer at the date of this Policy is: Ciara O’Connor. If an alternative Privacy Officer is nominated by management, all Staff will be notified. If our Privacy Officer is on annual leave, absent, unavailable or uncontactable, the CEO will immediately nominate a Deputy Privacy Officer to act in place of the Privacy Officer during their absence or unavailability.
Special Category personal data: Personal data about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation
Staff: All individuals working in any capacity for our station, whether as employees, freelance contractors, volunteers, interns / trainees or otherwise.
Section A – Part 2
PRINCIPLES WE APPLY IN OUR DATA PROCESSING
2.1 Every data subject has legal rights in respect of how their personal data is processed by our station. We collect personal data about many individuals, including; on-air contributors; competition entrants / prize winners; Staff; sales and marketing contacts; visitors to our station; and any other individuals with whom we engage in the course of our business.
2.2 Keeping data protection to the forefront of everything we do.
2.2.1 We consider the data protection implications of all our activities and design protocols for handling that data which means we automatically (i.e.by default) comply with our data protection obligations.
2.2.2 We keep data protection in mind in all our activities, both on-air and off-air.
2.2.3 We collect and hold only the minimum personal data we need for the various purposes for which we collect it, and process it in accordance with this Policy.
2.2.4 In planning any new project or activity, we will consider the data protection implications of what we are planning to do, to ensure our compliance with data protection law when we undertake that project or activity
. 2.3 All Staff are expected to adhere to this Policy when collecting and processing personal data in their work with our station.
2.4 Any breach of this Policy will be taken seriously and may result in disciplinary action, up to and including dismissal.
2.5 Any concerns or queries any Staff member has about how we collect or process data should be referred to the Privacy Officer.
2.6 There are 6 base-line principles for processing personal data we observe in all aspects of our business and broadcasting operations:
2.6.1 Principle of “Lawfulness, Fairness and Transparency”. We process personal data in a manner that is, (a) lawful, (b) fair to, and (c) transparent for the data subject.
2.6.2 Principle of “Purpose Limitation”. We only collect personal data for specific and explicit purposes and will only use it for that / those specific and explicit purpose(s), and for no other purpose
2.6.3 Principle of “Data Minimisation” We collect only the personal data we need for the specific purpose in question. The personal data we collect will be restricted to what is adequate and relevant for that purpose and nothing more.
2.6.4 Principle of “Accuracy”
We make sure personal data we collect is accurate and, where necessary (e.g. personal data on employee files) kept up-todate. We will take every reasonable step to erase or rectify personal data held by us that we know is not up-to-date Note for newsroom and programmes: This does not oblige us to systematically re-visit stories on our news archive or other programmes on our archive / website, unless we are requested by a data subject do so, in which case the Privacy Officer should be notified and consulted. However, if we become aware of a substantive inaccuracy in our news coverage or programming, we will use our best efforts to rectify that inaccuracy at the earliest opportunity.
2.6.5 Principle of “Storage Limitation” We keep personal data only for so long as is necessary for the purposes for which we collected it in the first place, and then erase it. Our data mapping sheets (see Section 2 of this Policy) states what our retention periods are for various categories of personal data we hold. We may decide, for legitimate reasons, so continue to hold certain data (e.g. for archive purposes) but must always consider how we do so in a way that respects the rights of data subjects
2.6.6 Principle of “Integrity and Confidentiality” We keep the personal information we hold secure, protecting it from damage, unauthorised disclosure and accidental loss.
2.7 Accountability We acknowledge and understand that we are always accountable to data subjects and the Data Protection Commissioner for our adherence to these Principles in everything we do.
2.8 Consent Ensuring we have the consent of data subjects to our collection and processing of their personal information is key to implementing this Policy. Data subjects must; (a) know we are collecting their personal information, (b) what personal information we collect about them, (c) the purpose for which we collect it. They must clearly and unambiguously indicate their freely given consent to us processing their personal data for that purpose. This may be verbally, in writing or by some other clear affirmative action indicating their consent e.g. responding to an on-air call-out for competition entrants.
Always be sure you can demonstrate that a data subject has consented to the collection and processing of their data for a specific purpose. If there is a complaint about our holding and processing of personal data by a data subject, we will be relying on that information to demonstrate our compliance with data protection law.
2.9 Training and Staff Awareness Training and Staff awareness are central to our effective implementation of this policy and our compliance with data protection law. We have arranged training for our Staff in GDPR awareness in 2018, being the year when the GDPR became effective. We will arrange Staff awareness programmes within our station at least once in every calendar year to ensure that our Staff are kept up-to-date and reminded of our legal obligations in respect of our station’s collection and processing of personal data.
2.8.1 Data Protection Commissioner Codes and Standards We carry out our data processing in accordance with Codes and Standards published on the website of the Data Protection Commissioner (www.dataprotection.ie ) cognisant always that those Codes and Standards represent best practice in data processing. Our Privacy Officer monitors the website of the Data Protection Officer regularly for updates in these Codes and Standards.
Section A – Part 3
PRACTICAL APPLICATION OF DATA PROTECTION PRINCIPLES
3.1 When collecting personal data about any data subject as part of your work with the station, make sure:
3.1.1 You know exactly the purpose for which you’re collecting that data.
3.1.2 They know you’re collecting that data and exactly the purpose for which you’re collecting it.
3.1.3 That the purpose for which you’re collecting it is lawful.
3.1.4 You collect only the bare minimum of data you need for that purpose.
3.1.5 The individual has done something / taken some action that explicitly or by implication, indicates her / his clear consent to the collection and processing of their personal data by us for that specified purpose. These considerations apply in all areas of our organisation - to include management and administration, accounts, sales and marketing and programming.
3.2 On-air competitions
The presenter should make clear the information that entrants need to submit to have a chance to win the prize, and what will be done with the prize-winner’s personal information (e.g. “Prize winner’s contact details will be provided to [prize-sponsor] so they can receive their prize”). If a programme / prize sponsor or advertising agency requires us to collect and hand over personal information about any of our listeners, the Privacy Officer must be consulted so that the promotion of the on-air competition to our listeners is considered in advance and is done in a way that is compliant with our data protection obligations
. 3.3 Special Category information – on and off-air
3.3.1 If collecting ‘Special Category’ personal data about any data subject (e.g. about health, sexual orientation), other than as may be necessary in the context of Staff employment contracts, explicit consent (e.g. in writing) is required for us to process that Special Category personal data.
3.3.2 Usually however, this type of personal data will be collected through on-air contributions. We are entitled to process (e.g. record / broadcast) this category of personal data in the context of news stories and programme contributors provided we are satisfied the individual understands clearly that they are going to be broadcast on-air and that they voluntarily disclose Special Category information about themselves for the purposes of a broadcast programme.
3.4 Contributor confidentiality – within station and externally
3.4.1 Apart from what is broadcast, with their consent, as part of our own radio service, we do not make any personal data about a contributor to our programmes available to anybody within the station other than on a need-to-know basis, nor do we disclose that data to anyone outside the station.
3.4.2 There may be exceptions to this rule permitted on occasion, but only after consultation with the Privacy Officer (e.g. requests for recordings of our output for broadcast on other stations).
3.4.3 If a colleague on another show wishes to contact a caller to your show, call the individual contributor first and check that they consent to this further use of their contact information.
3.5.1 We do not collect personal data about children under the age of 16, directly or online, unless with parental consent. This consent may need to be evidenced in writing or by call-back to a parental contact number.
3.5.2 We strive insofar as is practicable to ensure that children under the age of 16 are not put on air unless with parental consent.
3.6 Personal data we collect online v 3.6.1 Where we collect any personal data online, whether through social media or our own website, we will ensure that we put in place mechanisms by which we can inform data subjects; (a) that we are collecting this data; (b) why and for what purpose(s) we are collecting it. We must ensure that the data subject gives clear and informed consent to our collection of that data and our processing of that data for the specified purpose. This may be by having them tick an “opt-in” box or an “I have read and accept terms and conditions” box. Opt-out boxes are not permissible. The purposes for which we will use the data must be clear to them and not ‘buried’ in a lengthy set of terms and conditions that the data subject may not actually read. Be clear and upfront with data subjects in respect of all personal data we collect from online sources.
3.6.2 Engaging with data subjects exclusively on social media platforms (e.g. Facebook) does not require consent as they have already consented to the sharing of their personal data in signing up to their Facebook account. However, if we ‘harvest’ any personal data from social media about individuals, for any reason, we may only do so with their clear and unambiguous, informed consent and for a specified purpose notified to them. 3.6.3 Website Privacy Statement
3.7 Accuracy Personal data we hold on an ongoing basis (e.g. about Staff or sales and marketing contacts) should be kept up-to-date and accurate on our records to the maximum extent we are reasonably able to do so. To this end, all Staff must update any records they are processing in their work with the station, as soon as they become aware of an inaccuracy or requirement to update that personal data. They must communicate that rectification / update to any other member of Staff who may need to process that data as part of their work.
3.8 Retention periods
3.8.1 In respect of each category of personal data we hold, we decide on a retention period for that data. Please see the ‘data mapping’ section of this Policy for the categories of personal data you are handling as part of your work with the station. Included in the data mapping section is, in respect of each category of personal data we hold, is a statement of our retention period for that category of data.
3.8.2 Divisional / Output Area managers must liaise with the Privacy Officer to ensure that our retention and erasure protocols are observed in respect of the personal data processed by their Division / Output Area.
3.8.3 If a review or alteration of a retention period is required, this should be noted on our data mapping sheets and a record kept of the reasoning behind any extended or shortened retention period.
3.9 Security of personal data Keeping personal data held by us across all Divisions / Output Areas, safe and secure is of paramount importance. To this end, we implement the following security measures:
3.9.1 Our IT systems will be kept secure and backed up, in physical and technological formats commensurate with best industry practice, taking into account the sensitivity of the personal data we hold.
3.9.2 We ensure that the providers of all external back-up IT services we use, to include cloud-based back-up and storage services, are compliant with the requirements of the GDPR. When this requires transferring personal information on our IT systems to enterprises based outside the EU, we will ensure we have complied with the recommendations and guidelines of the Data Protection Commissioner (available on www.dataprotection.ie) concerning the transfer of personal data to ‘third countries’.
3.9.3 Personal data stored on our station IT systems will be organised in such a manner (e.g. separate password-protected folders) that only those Staff within our organisation who need access to various categories of personal data we hold, for their work will be able to access and process that data. Other members of Staff will not be able to access that data.
3.9.4 All laptops, whether personal or station-owned, on which personal data collected for business / broadcast purposes is held, must be encrypted. If your laptop has not been encrypted, please contact the Privacy Officer immediately to arrange for encryption.
3.9.5 All PCs and laptops used by Staff, whether personal or stationowned, on which personal data collected for business / broadcast purposes is held, must be set to shut down and require password re-activation when not in use for more than 10 minutes
. 3.9.6 All mobile ‘phones, iPads, tablets and other digital devices (including USB sticks, cards and external hard drives) used by Staff, whether personal or station-owned, on which personal data held for business / broadcast purposes is stored or accessible, must be password protected and, where technically feasible, encrypted and / or set up with a remote wipe facility. This is necessary to ensure that accidental loss of such devices is not likely to lead to unauthorised access to that data. If you require assistance to ensure that your personal devices comply with this requirement, please immediately contact the Privacy Officer.
3.9.7 Passwords for access to electronic files containing personal data will be reviewed and updated no less than once every 12 (twelve) months and will be changed promptly where appropriate to prevent unauthorised access to personal data we hold, by former Staff who are no longer working with the station.
3.9.8 Personal data stored in hard copy filing systems will be filed and held in such a manner that their physical security is assured and that only those Staff members who need access to various categories of personal data we hold, will be able to access and process that data. e.g. Employee personal data will be kept in locked cabinets / locked offices to which unsupervised access for Staff other than those who need to process that personal data as part of their work, will not be possible or permitted.
3.9.9 All Staff must shred paper copies of personal data as soon as they have used that data and, if necessary, transfer it onto our secure IT systems for safe-keeping. 3.9.10 Shredders / shredding-service containers are provided on station premises and must be used to dispose of all handwritten or printed documents containing personal data. Such documents must not be disposed of in waste-paper baskets or bins.
3.9.11 Care should be taken in areas of station premises to which members of the public may on occasion have access. In reception areas and waiting areas, laptop and PC screens should not be readily visible to members of the public. Nor should any print-outs, paper-notes or other legible information containing any personal data be left in these areas where they could be read by visitors to the station.
3.9.12 All Staff should constantly check the email addresses they use for email recipients when emails contain personal data about any person, to ensure disclosure of that data only to people to whom we are entitled by law to disclose the data. Similarly, with hard copy correspondence being sent by post, care must be taken to ensure that personal data contained in the letter / correspondence is sent to the correct recipient to avoid inadvertent unauthorised data disclosure.
3.10 Third-party processors / service suppliers When entering into any contract with any external supplier of goods of services to our station (e.g. website maintenance, SMS management services), where the supply of those goods or services requires us to transfer to that supplier personal data about any person (including employees and other Staff) or, where we require that supplier to collect personal data on behalf of the station, we will ensure that our contract with that supplier contains binding commitments by the supplier to process that data in accordance with data protection law on our behalf. This will include contractual commitments in respect of; security of that data – both technological and physical; processing of that data solely for the purposes requested by us, as consented to by the data subject; rectification of that data on request by us; erasure of that data on request by us / in accordance with an agreed retention timeframe; immediate disclosure to us of any data breach in respect of that data and co-operation in responding to that data breach; immediate disclosure to us of any data in respect of which we have received a data access request by a data subject, such disclosure to be in a format that can be easily read / accessed and transferred by the data subject.
3.11 Sales and Marketing Communications
3.11.1 Our sales and marketing team will not carry out any ‘coldcalling’ or send any unsolicited communication by way of ‘phone, fax, email or text / SMS to any named individual unless with the clear implicit or explicit consent of that person or else within the terms of what is permitted by Direct Marketing Regulations, details of which are available on the website of the Data Protection Commissioner www.dataprotection.ie .
3.11.2 Our sales and marketing team will not use data originally collected through programme-related activities (e.g. listener mobile ‘phone numbers or email addresses) for marketing purposes unless further consent to the use of their personal data for this purpose has been obtained from the listener.
3.11.3 Our sales and marketing team and our accounts team will ensure they keep safe and promptly erase / destroy financial information (e.g. credit card details of advertisers / sponsors) given to them by our advertisers / sponsors for single use purposes. They will further ensure that where such data is retained by us for future use, the individual data subject has consented to our keeping that information about them on our files.
3.11.4 All sales and marketing communications sent to named individuals in whatever format will include an ‘opt-out’ provision by which that individual can easily indicate that they wish to opt-out of receiving any further marketing communications from us. Our records will be promptly updated in this regard by the Staff member receiving this opt-out request and communicated to other relevant Staff in an effective and timely manner.
3.13 Newsroom considerations
3.12.1 The GDPR provides an exemption from full compliance with the GDPR for the processing of personal data when that processing is carried out for the purposes of exercising the right to freedom of expression and journalistic activities. This exemption ensures the free expression of information for the public benefit in a democratic society in a manner that is not inhibited by the requirements of data protection law. This exemption allows for the collecting and processing of personal information about individuals for news story purposes without the need to obtain the consent of the individual to whom that information relates.
3.12.2 It should be noted that the parameters of this freedom of expression and journalistic activity exemption are not yet clear. An evaluation needs to be carried out weighing the importance of freedom of expression in a democratic society against the rights of privacy of the relevant data subject. Great care should be taken in relying on the ‘freedom of expression’ exemption.
3.12.3 It is a legal obligation that our processing of personal data gathered for journalistic purposes must, despite the exemption, be carried out in a manner that keeps that information secure. Files and notebooks kept by newsroom staff containing personal information should be kept secure at all times and to the maximum extent possible kept in locked cabinets or drawers on station premises. Journalists and newsroom staff are required to consider how best to ensure security of such files and notebooks in the home and when using those files and notebooks outside the station premises.
3.12.4 Requests by members of the public for either rectification or erasure of personal information about them from our online news archives may not need to be acceded to automatically. They must, however, be responded to immediately. Each access / rectification / erasure request must be evaluated on its own merits. Where such requests are received, they should be forwarded immediately to the Head of the Newsroom who in turn must consult with the Privacy Officer.
3.13 New work practices, technology and IT systems – Privacy impact assessments Privacy and protection of personal data will be a core consideration whenever the station is proposing to introduce new work systems or IT systems that could have an impact on how we process personal data held by the station. We will evaluate the impact any such new systems of working or IT systems could have on the personal data we process. We will structure any such new systems so that, by default, they comply with our data protection obligations.
3.14 Records of Data Processing
We record how we process various categories of personal data held by the station – see relevant data mapping sheets in this regard for each category of personal data held. The data mapping sheets form part of this Policy.
3.15 Social media and website – photographs, videos and voice recordings
3.15.1 Photographs, videos and voice recordings are all items of personal data.
3.15.2 We take photographs, film videos and make voice recordings for use on our website and / or social media accounts at sponsored and other events in which our station is involved. We ensure that any photography / filming / recording by us in a private venue (e.g. a hotel or a shopping centre) is carried out on the basis that the individuals we photograph / film / record are aware of and consent to being photographed / filmed / recorded and having those images / recordings used on our website and social media accounts. Usually a verbal or filmed / recorded consent will be sufficient. However, take care to ensure that data subjects know and are agreeing to you photographing/ filming / recording them.
3.15.3 The level of privacy an individual can legitimately expect when in a public place is less than in a private venue. However, care should be taken not to be intrusive or to photograph / film / record someone against their wishes unless there are clear overriding public interest reasons for doing so.
13.15.4 Particular care should be taken when photographing, filming or recording children – this should only be done with parental consent.
3.16 Premises security and CCTV
3.16.1 Our premises are locked at night and alarmed with an automatic call made to a member of management if the alarm is activated].
3.16.2 Internal administrative offices are locked after normal working hours to prevent unauthorised access to personal data held in those offices during the night / early morning shifts by programme personnel and their on-air guests.
3.16.3 Our premises are protected by external CCTV. Images captured and stored on the CCTV can be accessed only by the following personnel: Ciara O’Connor Sean Ashmore
3.16.14 CCTV footage will be kept only for a period agreed with / designated by the station CEO and will be erased after that period, unless retention for a longer period is indicated for security or crime investigation purposes.
3.16.15 We ensure we have easily legible and prominently placed notices in our building advising Staff as well as members of the public visiting the station that the premises are protected by CCTV.
This section comprises a separate data mapping sheet for each category of personal data our station collects and processes. These will be completed by each Divisional / Output Area manager in liaison with the Privacy Officer. It will be reviewed and updated at least once per year.
OUR RESPONSE PROTOCOLS 1) Data Breach 2) Data Subject access requests 3) Data Subject rectification and erasure requests 1. Data Breach There are two people to whom we must report data breaches – unless reporting is not necessary as indicated below. The Data Protection Commissioner The data subject whose personal data we have lost or otherwise compromised. Reporting internally
1.1 A data breach occurs when personal data held by our station is inadvertently lost, stolen or otherwise disclosed or at risk of disclosure to a third-party to whom we are not authorised to disclose that data, or the security and inte
1.2 Our station has serious legal obligations and liabilities in the event of a data breach. We are at risk of being fined by the Data Protection Commissioner and / or sued for damages by the data subjects concerned.
1.3 Where our data security systems fail for any reason and data is disclosed or its security or integrity compromised, even accidentally, that data breach must be reported immediately to the Privacy Officer, with a full report of the what data has been lost / disclosed and how the breach occurred.
1.4 Immediate action must be taken, in liaison with the Privacy Officer, to limit any harm or damage to the data subjects concerned and limit, if possible, the risk of unauthorised access to the data. Reporting externally
1.5 The Privacy Officer in liaison with the relevant Department / Output Area manager will immediately assess whether the breach is likely or unlikely to result in a risk to the rights and freedoms of the data subject affected.
1.6 The Privacy Officer must report the breach in writing to the Data Protection Commissioner in writing within 72 hours of becoming aware of the breach unless she / he concludes that the breach is unlikely to result in risk to the rights and freedoms of the data subjects affected.
1.7 The report to the Data Protection Commissioner should include the following information:
1.7.2 categories and approximate number of data subjects concerned;
1.7.3 categories and approximate number of personal data records concerned;
1.7.4 name and contact details of Privacy Officer who can supply more information if required;
1.7.5 likely consequences of the breach;
1.7.6 measures taken by us to address and mitigate the adverse consequences of the breach.
1.8 Whether liable to be reported or not, the Privacy Officer will keep records of all data breaches so that the information is available for production to the Data Protection Commissioner in the event of an investigation or audit by her / his Office of our compliance with our breach reporting obligations.
1.9 Note that we encrypt our laptops and implement equivalent security measures in respect of our other digital devices because encryption and equivalent security measures mean the breach is unlikely to result in risk to the rights and freedoms of the data subject affected and reporting to the Data Protection Commissioner will not be necessary. Reporting to the data subject(s) affected by a data breach
1.10 The Privacy Officer in liaison with the relevant Department / Output Area manager will immediately assess whether the breach is likely or unlikely to result in a high risk to the rights and freedoms of the data subjects affected.
1.11 We are legally obliged to report a data breach to the data subject affected if the breach is likely to result in high risk to the data subject affected. Where the Privacy Officer concludes that such high risk exists, then a written communication of the breach must be sent to the data subject without undue delay.
1.12 Where the Privacy Officer communicates the data breach to the data subject affected, she / he shall ensure that the communication states: 1.12.1 the nature of the data lost / in respect of which the breach has occurred;
1.12.2 the name and contact details of the Privacy Officer and that more information can be obtained if required from the Privacy Officer;
1.12.3 describe the likely consequences of the breach;
1.12.4 describe the measures taken or to be taken by our station in respect of the breach (e.g. reporting to Data Protection Commissioner) and any steps we will take to mitigate the adverse consequences of the breach.
1.13 Note that we encrypt our laptops and implement equivalent security measures in respect of our other digital devices because encryption and equivalent security measures mean the breach will not result in a high risk to the rights and freedoms of the data subject affected and communication of the breach to a data subject will not be necessary.
1. Data Subject Access Requests
1.1 Data subjects whose personal information we process have a legal right to request access to the personal data we hold about them.
1.2 There may be occasions where we have a legal right to refuse that access but these occasions will not be the norm. A refusal to disclose information is a decision that must only be taken after consultation with the Privacy Officer.
1.3 Any Data Access request must be notified immediately to the Privacy Officer.
1.4 The Privacy Officer is entitled to require the requester to verify their identity and put their request in writing, particularly if she / he has any concerns about the identity of the requester or the validity of the request.
1.5 Data Access requests must be responded to fully within 30 days. The Privacy Officer should initially acknowledge the request in writing (or by email if the request was received by email).
1.6 All Staff are required to promptly respond to any request from the Privacy Officer for information about personal data held by our station and how it has been processed, for the purposes of making a response to a Data Access request. All Staff must promptly provide copies of that personal data to the Privacy Officer in the format requested by the Privacy Officer when requested to do so. The importance of a complete and full disclosure of all personal data we hold about the data subject cannot be overstated. 1.7 Reception staff and other Staff members who receive telephone, email or in person requests for disclosures of any personal data from individual data subjects should ask the data subject to send an email or put their request in writing. You can tell the requester that their written / email request and that it will be passed on immediately to the person in our organisation who handles Data Access requests.
1.8 A sample Data Access Disclosure Letter is attached at Appendix A to this Policy.
2. Data Subject rectification and erasure requests
2.1 A request for rectification or erasure of personal data we hold about a data subject will usually be made following release to the data subject of their personal data held by us pursuant to a Data Access request.
2.2 We will promptly rectify (by way of updating, correcting any inaccuracy in or addressing a deficiency in the personal data we hold about that person) and confirm to them in writing (or by email) that we have done so.
2.3 We will promptly erase any personal data we hold about a data subject where that person has requested the erasure of that personal data unless we believe we are entitled to keep that data;
2.3.1 for exercising our right of freedom of expression and information;
2.3.2 for the performance of a task in the public interest;
2.3.3 for archiving purposes in the public interest;
2.3.4 for the purposes of legal claims to which our station or any of our station personnel are a party.
2.4 The exemptions set out at clauses 2.3.1 and 2.3.3 above are likely to be relevant if our news or programme archive contains content that a data subject wishes to have erased. In these instances, the data subject should be requested to put their request in writing and the Department / Output Area manager and the Privacy Officer will discuss and decide on the appropriate response to the request.
2.5 All rectification and erasure requests must be notified to the Privacy Officer and the Privacy Officer shall keep a record of all rectification and erasure requests received and the actions taken following such requests. DATA PROTECTION COMPLIANCE IN OUR RADIO STATION IS EVERYONE’S RESPONSIBILTY. END OF POLICY DOCUMENT.