Privacy Policy and GDPR Policy


ABOUT US

We are Choice Model Management Limited, a Talent agency based in London, UK. We manage and represent actors, singers, dancers and models (Talent) and arrange work for our Talent with clients around the world (Clients). We operate the website at Choicemodelmanagement.co.uk (our Website). In this Privacy Policy, we refer to ourselves as “we”, “us”, “our” and the “Agency”.

This Privacy Policy is designed to give you, as Talent or a representative of a Client or a visitor to our website, information on how we obtain and process your personal data. Examples of the types of personal data we may collect about you include your name and contact details and, if you are one of our Talent, information relating to your appearance (including photographs of you), experience, charge out rates and your bank account details so we can pay you.

The purpose of our Website is to provide you with information about the Agency, the Talent we manage and the types of Clients we work with. You can contact us via our Website and connect with us on our social media platforms.

We are responsible for deciding how we hold and use your personal information. We are committed to protecting and respecting your privacy. We will ensure your personal data is stored and used in accordance with this Privacy Policy.

Please read this Privacy Policy carefully. From time to time we may also issue other privacy or fair processing notices to you relating to the way in which we collect personal data about you which we will publish on our Website.

HOW TO CONTACT US

Choice Model Management Limited is the “data controller” in respect of your personal data for the purposes of data protection legislation. Choice Model Management Limited is a limited company registered in England and Wales under company number 13462041. Our registered office is at 49 Greek Street, London, United Kingdom, W1D 4EG UK.
If you have any questions or concerns about any information contained within our Privacy Policy, please email us at [email protected]

THE DATA WE COLLECT ABOUT YOU

Personal data comprises any information relating to an identifiable individual. It does not include any information which relates to a person that cannot be identified or where the person’s identity has been removed (i.e. anonymous data) or information relating to a company. The term processing is used to refer to any activities carried out in respect of personal data, such as collecting, storing, using, organising, amending, disclosing and deleting data.

As one of our Talent, we may process different kinds of personal data about you, which we have grouped together as follows:

Name data – data which identifies you, including your name, professional name and any nicknames;

Contact data – your contact details, such as your address, telephone number and email address;

We may process the following special categories of personal data and criminal data about Talent:

Criminal data as described above. This information is used to determine whether it is appropriate for us to enter into a contract with you and/or whether to terminate such a contract if an offence you have been arrested for, charged with or convicted of is sufficiently serious. Please refer to “How long we hold your personal data for” for more information;

Health data as described above;

Information relating to your race or ethnicity – this information is used to describe your skin tone when promoting you and arranging bookings.

If you are a representative of one of our Clients, the personal data we may process about you includes:

Client name data – data which identifies you, including your name and your email address;

Client ID data – proof of your identity, such as a copy of your passport or driving licence;

Client contact data – your contact details, such as your office address, telephone number and email address;

Client email data – data contained in correspondence between us, such as your job title, authority to represent a Client and other personal information you choose to disclose to us;

Client social media data – information available on your LinkedIn account or other social media pages, such as your account name, photograph, experience and connections;

Client feedback data – information about you provided to us by our Talent or another third party in connection with a booking;

Marketing data – your preferences for receiving marketing emails;

CCTV data – information obtained through CCTV.

If you visit our Website, the personal data we may process about you includes:

Visitor contact data – the information you choose to disclose to us when you communicate with us via the Website or engage with us on our social media channels;

Usage data – information about how you use our Website, including how you navigate our Website and if you encounter any problems;

Technical data – electronic information which is automatically logged/stored by processing equipment, including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Website.

We may anonymise some of your personal data so that it can no longer be linked to you. We are most likely to do this with your Usage and Technical data. We may then aggregate that data with other information we hold to help inform us how our Website is operating.

Anonymised and aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific feature on our Website or to assess the diversity of the Talent we represent. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

HOW WE COLLECT INFORMATION

Direct interactions: The majority of the personal data we hold about you is collected when you interact with us or correspond with us directly (face to face or via email, telephone or post). As Talent, this includes personal data you provide to us when you register with the Agency and in our dealings with you as your management company. As a representative of a Client, this includes personal data you provide to us when you correspond with us regarding a booking of one of our Talent.

Automated technology: When you interact with our Website, our systems will automatically collect information about your equipment, browsing actions and patterns. We collect this personal data (namely Technical and Usage data) by using cookies and other similar technologies. Please see our Cookies Policy.

Other third parties: We may also receive personal data about you from other third parties. For example, from time to time, other Talent and Clients may provide us with information about you. We may also acquire publicly available information about you, including from Government websites and social media platforms. Clients will usually share images and video footage of Talent with us following a booking.

CCTV: Third party CCTV systems operated by our landlord may capture your image automatically if you visit our offices. We will not typically connect this CCTV data with other personal data we hold about you, unless you or someone else has been injured or there has been another incident which requires investigation (such as if there is damage to our property or theft). 

HOW AND WHY WE USE PERSONAL DATA

We will only process your personal data where we have a legal basis to do so. The legal basis will vary depending on the manner and purpose for which we are collecting your personal information. Note that we may process your personal data on the basis of more than one lawful ground depending on the specific purpose for which we are using your data.  Please contact us at any time if you require further information on the precise legal grounds we are relying on to process your personal data in a particular way.

For Talent, we will most commonly process your personal data in the following circumstances:

  • Where it is necessary for the performance of a contract between us or to take steps at your request before entering into such a contract (eg where you are signing up or have signed up to the Agency and/or where we have entered into a contract for work with a Client on your behalf). 

We are likely to need to process your Name, Contact, ID, Health, Next of kin, Profile, Image, Email, Social media, Booking, Expenses, Feedback, Personnel file, Visa, Passport, Fee and Financial data on this basis to allow us to perform the contract between us, to promote you as Talent, to schedule work for you and make arrangements in respect of bookings and to pay you fees in respect of such work;

  • Where we have your consent to do so (further details provided in “Your rights” below). Much of the information you provide to us will be on the basis of consent because you want to promote your work and enhance your career. Providing such information will often be in your best interests, such as Health data to ensure we can adapt our workplace to meet your needs or Next of kin data to allow us to contact a friend or relative if you become unwell. We are likely to need to process your Name, Contact, ID, Health, Next of kin, Profile, Image, Email, Social media, and Financial data on this basis;
  • Where it is necessary to comply with a legal or regulatory obligation that we are subject to, including our obligation to ensure you are entitled to work in the UK and to obtain visas on your behalf where you are required to travel abroad for bookings. We also have a legal obligation to adhere to public health regulations and guidance, including to ensure we operate a COVID secure business and workplace and to protect our staff. We are likely to process your Name, Contact, ID, Health, Next of kin, Booking, Visa, Passport, Fee and Financial data in connection with this purpose; 
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Our legitimate interests in processing your personal data for our own business purposes include the following:
      • To manage our relationship with you (which may include processing Name, Contact, ID, Health, Next of kin, Profile, Image, Email, Social media, Booking, Expenses, Feedback, Personnel file, Visa, Passport, Fee and Financial data);
      • To promote our Talent and our business, including online and via social media (which may include processing Name, Profile, Image, Social media, Feedback, Bookings and Fee data);
      • To make arrangements for work with Clients and to liaise with you regarding such arrangements (which may include processing Name, Contact, Health, Profile, Image, Email, Social media, Feedback, Booking, Personnel file, Visa, Passport, Fee and Financial data);
      • To conduct our business and operate as a talent agency, to further our business interests and operate profitably (which may include processing Name, Profile, Image, Email, Social Media, Booking, Feedback, Fee and Financial data);
      • To ensure we retain the best Talent (which may include processing Name, Contact, ID, Profile, Health, Next of kin, Image, Social media, Booking, Personnel file, Feedback, Visa, Passport, Fee and Financial data);
      • To protect our reputation, including by ensuring the Talent we engage are trustworthy and of suitable character (which may include processing Name, Contact, ID, Email, Social media, Feedback, Personnel file, Passport, Fee, Financial and Criminal data);
      • To provide training and continuous improvement for our Talent (which may include processing Name, Contact, Profile, Image, Social media, Booking and Feedback data);
      • To prevent and detect crime (which may include processing Name, Contact, ID, Financial and Criminal data);
      • To ensure the health and safety of our Talent, including to make special arrangements to cater for any disabilities or health conditions (which may include processing Name, Contact, Health, Next of kin, Personnel file, Booking, Visa and Passport data);
      • To protect our financial interests and to establish, exercise or defend legal claims (which may include processing Name, Contact, Health, Next of kin, Email, Feedback, Personnel file, Criminal and CCTV data);
      • To ensure the safety and security of our people and premises (CCTV data).

To the extent we process special category or criminal data relating to Talent’s health, racial or ethnic origin or criminal record, we shall do this on the basis set out below (in addition to the grounds set out above):

  • With your explicit consent where you have provided this information to us and agreed to the way in which it will be processed (for example, Health data relating to a disability which requires us to ensure you can access Client premises);
  • Where you have manifestly made this information public (for example, we may describe your appearance with reference to your skin tone which may disclose your race or ethnicity);
  • To protect your vital interests (for example, Health data may be processed to enable us to give you medical aid if you suffer from an allergic reaction);
  • To assist with the provision of medical diagnosis or health care or treatment by a first aider or medical practitioner in the event of a medical emergency (for example, Health data may be processed to enable us to provide information to paramedics if you are injured);
  • Where this is necessary for reasons of substantial public interest on the basis of UK law, namely the prevention or detection of an unlawful act (for example, we may use Criminal data to ensure you are not likely to be involved in money laundering);
  • Where this is necessary for reasons of public interest in the area of public health (for example, where Health data relates to you testing positive for COVID-19, we may use this information to take such steps as are recommended or required by the UK Government, local authorities and/or public health officials); and/or
  • Where this is necessary for the purpose of establishing, exercising or defending legal rights (for example, Criminal data may allow us to terminate a contract with you).

If you are a Client representative, we will process your personal data in the following circumstances:

  • Where we have your consent to do so (further details provided in “Your rights” below). For example, during the course of our relationship you may disclose personal information via email or we connect with you via Social media. We are likely to process your Client name, Client ID, Client contact, Client email, Client social media and Marketing data;
  • Where it is necessary to comply with a legal or regulatory obligation that we are subject to, including to conduct anti-money laundering checks and to ensure you are authorised to represent the Client. We are likely to process your Client name, Client ID, Client contact and Client email data in connection with this purpose;
  • Where it is necessary for our legitimate interests (or those of a third party, such as the Client) and your interests and fundamental rights do not override those interests. Our legitimate interests in processing your personal data for our own business purposes include the following:
      • To conduct our business and operate as a Talent agency, to further our business interests and operate profitably (which may include processing Client name, Client ID, Client contact, Client email, Marketing, Client feedback and Client social media data);
      • To conduct our business in accordance with applicable laws and to protect our financial interests and to establish, exercise or defend legal claims (which may include processing Client name, Client ID, Client contact, Client email, Marketing, Client feedback, Client social media and CCTV data);
      • To ensure the safety and security of our people and premises (which may include processing CCTV data).

If you are a Website visitor, we will use your personal data in the following circumstances:

  • Where we have your consent to do so (further details provided in “Your rights” below). For example, you will be asked to consent to cookies when you visit our Website. You will also consent to us contacting you by email if you send us an enquiry that requires a response. We are likely to process your Visitor contact, Technical and Usage data on this basis;
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Our legitimate interests in processing your personal data for our own business purposes include:
      • To conduct our business, recruit new Talent, engage new Clients and negotiate contracts (which may include processing Visitor contact data);
      • To administer and protect our Website, including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data (which may include processing Usage and Technical data);
      • To use data analytics to improve our Website (which may include processing Usage and Technical data); and
      • To deliver relevant Website content (which may include processing Visitor contact, Usage and Technical data).
  • Where we process your personal data on the grounds of our legitimate interests, you have the right to object to such processing, in which case we would assess your complaint and determine whether or not we are still entitled to continue the processing and whether any additional safeguards are required.

MARKETING

Marketing communications from us: We may send Client representatives marketing communications from time to time by email if we are in negotiations regarding bookings for work or if a representative has consented to such communications.

Third party marketing: We will not sell your data to any third parties.

Opting out: You can ask us to stop sending you marketing communications at any time, by contacting us at [email protected]

CHANGE OF PURPOSE

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we wish to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

We may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

IF YOU FAIL TO PROVIDE PERSONAL DATA

Where we need to collect personal data from you in order to comply with our legal obligations or to perform a contract we have with you and you fail to provide that data when requested, we may not be able to perform the relevant contract (for example, to process your payment or secure a booking). In extreme circumstances, this may lead to us having to cancel the relevant contract with you or with a Client.

HOW WE PROTECT YOUR PERSONAL DATA

We have put in place appropriate security measures to prevent your personal information from being accidentally lost or processed in an unauthorised way. Unfortunately, however, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us via email or via our Website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

In addition, the personal information you provide to us is only available to authorised personnel of the Agency who need access to the information in order to fulfil their duties. They will only process your personal information on our instructions in accordance with this Privacy Policy and they shall be subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and we will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Once we no longer require your personal information, we will take reasonable steps to destroy it in a secure manner.

HOW LONG WE HOLD YOUR PERSONAL DATA FOR

We will only hold your personal information for as long as necessary to fulfil the purposes we collected it for.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Our retention periods take into account legal and regulatory requirements and are subject to change. If you have any questions in this regard, please contact us using the contact details set out in this Privacy Policy.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) in order to develop our business methods and strategy or for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

We will not typically retain personal data relating to Talent who do not sign up to the Agency.

Criminal data will typically only be retained for a short period of time to decide whether it is necessary for us to take any action. If no action is taken, the information will be promptly deleted. If we decide to terminate a contract with you on the basis of such information, it will be retained for so long as is necessary to establish, exercise or defend legal claims (typically six years after the end of the contract). If we decide not to enter into a contract with you on the basis of this information, we will delete it promptly.

We shall not have any liability whatsoever to you for the deletion of personal data in accordance with our data retention policy.

SHARING YOUR PERSONAL INFORMATION WITH THIRD PARTIES

We require third parties to respect the security of your data, keep it confidential, and to treat it in accordance with the law.

We may share your personal data with the following third parties in order to perform a contract with you, comply with a legal obligation or in our legitimate interests of conducting our business:

Third parties who provide services to us, including photographers, IT providers and marketing and advertising providers who we may engage from time to time. These third party service providers are only permitted to process personal data for specified purposes and, where they are processing data on our behalf, in accordance with our instructions.

In the case of Talent, we will share your data with Clients in order to secure bookings and arrange work. We may also publish parts of your personal data, such as your name and a photograph of you, on our Website and social media channels to promote you as one of our Talent.

In the case of Client representatives, we may share your data with Talent to allow us to make arrangements for the Talent to attend the relevant booking.

With our investors, including for the purposes of our regular reporting activities on company performance and operating our business.

Third parties to whom we may choose to sell, transfer or merge parts of our business or assets. Alternatively, we may seek to acquire other businesses or merge with them.

If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce any agreements, or to protect the rights, property or safety of our business, our Talent or Clients or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction, with HM Revenue & Customs, the police, regulators and other authorities and public bodies where we are required to do so by law.

Professional advisers, including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accountancy services.

We require all our data processors to respect the security of your personal data and to treat it in accordance with the law. We do not allow our data processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions as set out in our data sharing agreements.

In some instances where we share data with third parties, such as HMRC, those third parties will also be controllers of your data. We shall not be responsible or liable for the way in which other data controllers hold or process your personal data. Please contact those third parties for further information regarding how they will use your data. We shall only share your personal data with third parties in accordance with this Privacy Policy.

COOKIES

On our Website, we use Google Analytics to help analyse the use of, and attract prospective Clients and Talent to, our Website and to help improve and inform the content on our Website. These analytics and advertising tools use “Cookies” which are small data files placed on your computer (or other device) to observe customer retention, user journey and to target visitors to our Website through keyword searches on Google. Overall, cookies help us to provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. You can find out more about the way cookies work and Google Analytics on www.cookiecentral.com and/or www.allaboutcookies.org and www.google.com/analytics.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies (and the above websites tell you how to do this). If you disable or refuse cookies, please note that some parts of our Website may become inaccessible or not function properly.

INTERNATIONAL TRANSFERS

The personal data that we collect from you may be transferred to, and stored at, a destination outside of the UK and European Economic Area (“EEA”).

Whenever we transfer your personal data out of the UK and EEA, we shall ensure a similar degree of protection is afforded to your personal data by ensuring at least one of the following safeguards is implemented:

We will transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.

In some instances, we may use specific contracts approved by the European Commission which give personal data the same protection it has in the UK. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.

Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the EEA and the US. For further details, see European Commission: EU-US Privacy Shield.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data outside of the UK and EEA.

LINKS TO THIRD PARTY WEBSITES

From time to time we may direct you to third party websites through our Website. We do not control the content of these third party websites. We encourage you to read the privacy policies for these third party websites before submitting personal information to them. Where these third parties are collecting data on our behalf, your personal data will be transferred to us and used in accordance with this Privacy Policy. Alternatively, if the third party has not been authorised to collect information on our behalf, your personal data will be controlled by that third party subject to their privacy policy.

YOUR RIGHTS

You have the following rights in respect of the personal data that we process about you (where we determine the purpose and means for which that personal data shall be processed):

  • the right to request access to your personal data that we hold and to receive certain information relating to that data;
  • the right to ask us to rectify inaccurate data or to complete incomplete data;
  • a right to receive or ask for your personal data to be transferred to a third party (note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you);
  • the right to request the erasure of personal data where there is no good reason for us continuing to process it (note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request);
  • the right to object to how we process your personal data where we believe we have a legitimate interest in processing it (as explained above) (note that in some cases we may demonstrate that we have compelling legitimate grounds to process your data which override your rights and freedoms);
  • the right to restrict processing of your personal data in certain scenarios, for example if you want us to establish the accuracy of the data or you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it (note that when processing is restricted, we are allowed to retain sufficient information about you to ensure that the restriction is respected in future); and
  • where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. If you withdraw your consent, we may not be able to provide certain services to you.

If you wish to make a subject access request please email us at [email protected].

If you wish to exercise any of the other rights set out above, please contact us at [email protected].

We may ask you to verify your identity if you make a request to us to exercise any of the rights set out above. We may also contact you to ask you for further information in relation to your request to speed up our response. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. You also have the right to request a copy of the information we hold about you.

HOW TO COMPLAIN

Please let us know if you are unhappy with how we have used your personal information. You may contact us at [email protected].

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance and we shall endeavour to resolve your complaint.

CHANGES TO YOUR DATA

Please let us know if you change your contact details. You have the right to question any information we hold about you that you think is wrong or incomplete. Please contact us if you want to do this. 

This Privacy Policy was last updated in September 2023.

GDPR Policy

Introduction

Choice Model Management needs to gather and use certain information about individuals.

These can include clients, producers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the law.

Why this policy exists 

This data protection policy ensures Choice Model Management:

  • Complies with data protection law and follows good practice
  • Protects the rights of staff, clients and partners
  • Is open about how it stores and processes individuals’ data
  • Protects itself from the risks of a data breach

Data protection law

The Data Protection Act 1998 describes how organisations, including Choice Model Management, must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act is underpinned by eight important principles. These say that personal data must:

  1. Be processed fairly and lawfully
  2. Be obtained only for specific, lawful purposes
  3. Be adequate, relevant and not excessive
  4. Be accurate and kept up to date
  5. Not be held for any longer than necessary, in any event for a minimum of 6 years, except in the case of Subscribers to our marketing materials.
  6. Be processed in accordance with the rights of data subjects
  7. Be protected in appropriate ways
  8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.

People, risks and responsibilities

Policy scope

This policy applies to:

  • The head office of Choice Model Management
  • All staff and volunteers of Choice Model Management
  • All contractors, suppliers and other people working on behalf of Choice Model Management

It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998.

This can include:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Plus, any other information relating to individuals

Data protection risks

This policy helps to protect Choice Model Management from some very real data security risks, including:

  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
  • Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

Responsibilities

Everyone who works for or with Choice Model Management has some responsibility for ensuring data is collected, stored and handled appropriately.

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

The board of directors is ultimately responsible for ensuring that Choice Model Management meets its legal obligations.

The Data Protection Supervisor is responsible for:

  • Keeping the board updated about data protection responsibilities, risks and issues.
  • Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  • Arranging data protection training and advice for the people covered by this policy.
  • Handling data protection questions from staff and anyone else covered by this policy.
  • Dealing with requests from individuals to see the data Choice Model Management holds about them (also called ‘subject access requests’).
  • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.

The Web Developer is responsible for:

  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  • Performing regular checks and scans to ensure security hardware and software is functioning properly.
  • Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.

The Managing Director is responsible for:

  • Approving any data protection statements attached to communications such as emails and letters.
  • Addressing any data protection queries from journalists or media outlets like newspapers.
  • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.

General staff guidelines

  • The only people able to access data covered by this policy should be those who need it for their work.
  • Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
  • Choice Model Management will provide training to all employees to help them understand their responsibilities when handling data.
  • Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
  • In particular, strong passwords must be used and they should never be shared.
  • Personal data should not be disclosed to unauthorised people, either within the company or externally.
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
  • Employees should request help from their line manager or the data protection manager if they are unsure about any aspect of data protection.

Data storage

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the Web Developer.

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

  • When not required, the paper or files should be kept in a locked drawer or filing cabinet.
  • Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
  • Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

  • Data should be protected with strong passwords that are changed regularly and never shared between employees.
  • If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
  • Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
  • Servers containing personal data should be sited in a secure location, away from general office space.
  • Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
  • Data should never be saved directly to laptops or other mobile devices like tablets or smartphones.
  • All servers and computers containing data should be protected by approved security software and a firewall.

Data use

Personal data is of no value to Choice Model Management unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

  • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
  • Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
  • Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts.
  • Personal data should never be transferred outside of the European Economic Area.
  • Employees should not save copies of personal data to their own computers.
  • Always access and update the central copy of any data.

Data accuracy

The law requires Choice Model Management to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data is accurate, the greater the effort Choice Model Management should put into ensuring its accuracy.

It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

  • Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
  • Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
  • Choice Model Management will make it easy for data subjects to update the information Choice Model Management holds about them. For instance, via the company website.
  • Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
  • It is the marketing manager’s responsibility to ensure marketing databases are checked against industry suppression files every six months.

Subject access requests

All individuals who are the subject of personal data held by Choice Model Management are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed of how the company is meeting its data protection obligations.

If an individual contacts the company requesting this information, this is called a subject access request.

Subject access requests from individuals should be made by email, addressed to the data controller at [email protected]. The data controller can supply a standard request form, although individuals do not have to use this.

Individuals will not be charged per subject access request. The data controller will aim to provide the relevant data within 30 calendar days.

The data controller will always verify the identity of anyone making a subject access request before handing over any information.

Disclosing data for other reasons

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Choice Model Management will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.

Providing information

Choice Model Management aims to ensure that individuals are aware that their data is being processed and that they understand:

  • How the data is being used
  • How to exercise their rights

To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.