Data Protection Policy

DATA PROTECTION POLICY

1. Introduction and Purpose
This Data Protection Policy establishes how Andrew Smith/ Fleeting Year Films collects, uses, stores, and protects personal data in compliance with applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy applies to all personal data processed by Andrew Smith/ Fleeting Year Films whether relating to employees, contractors, contributors, programme participants, audience members, clients, or other individuals.

2. Scope
This policy applies to all staff, contractors, freelancers, and anyone working on behalf of Andrew Smith/ Fleeting Year Films who handles personal data in any format, including digital, paper, audio, or video recordings.

3. Key Definitions
Personal Data: Any information relating to an identified or identifiable individual, including names, contact details, images, voice recordings, and location data.

Special Category Data: Sensitive personal data including racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation.
Data Subject: The individual to whom personal data relates.
Data Controller: Andrew Smith/ Fleeting Year Films
Data Processor: Third parties who process personal data on behalf of Andrew Smith/ Fleeting Year Films

4. Data Protection Principles
Andrew Smith/ Fleeting Year Films processes all personal data in accordance with the following principles. Personal data must be:

Processed lawfully, fairly, and transparently
Collected for specified, explicit, and legitimate purposes
Adequate, relevant, and limited to what is necessary
Accurate and kept up to date
Kept only for as long as necessary
Processed securely with appropriate technical and organisational measures
Processed in accordance with data subjects' rights

5. Lawful Basis for Processing
Andrew Smith/ Fleeting Year Films processes personal data under one or more of the following lawful bases:

Consent: The individual has given clear consent for processing their data for specific purposes
Contract: Processing is necessary for a contract with the individual
Legal obligation: Processing is necessary to comply with legal requirements
Legitimate interests: Processing is necessary for legitimate business interests, except where overridden by the individual's rights

For special category data, Andrew Smith/ Fleeting Year Films relies on additional conditions including explicit consent, substantial public interest, or where data has been manifestly made public by the data subject.

6. Types of Data We Collect

Andrew Smith/ Fleeting Year Films may collect and process the following categories of personal data:

Contributors and Participants:

Contact information (name, address, email, phone number)
Image and voice recordings
Background information relevant to programme content
Payment details for fees or expenses
Health information where relevant to participation (with explicit consent)

Employees and Contractors:

Contact and identification information
Employment history and references
Bank details for payment
Tax and National Insurance information
Emergency contact details
Performance records

Clients and Business Contacts:

Contact information
Communication records
Contractual information

7. How We Collect Data
Data is collected through:

Direct communication (email, phone, meetings, forms)
Contracts and agreements
Filming and recording sessions
Research and casting processes
Website interactions
Third-party sources (with appropriate permissions)

8. Data Storage and Security

Andrew Smith/ Fleeting Year Films implements appropriate technical and organisational measures to protect personal data:

Digital Security:

Password-protected devices and systems
Encrypted file storage for sensitive data
Regular software updates and security patches
Secure cloud storage with reputable providers
Regular data backups
Access controls limiting data access to authorised personnel only

Physical Security:

Locked storage for paper records and physical media
Secure disposal of confidential waste (shredding/secure deletion)
Clear desk policy for sensitive materials
Controlled access to office premises

Production-Specific Measures:

Secure storage of footage and recordings
Controlled access to rushes and raw materials
Anonymisation of sensitive content where appropriate
Secure transfer protocols for sharing materials with post-production partners

9. Data Retention
Personal data is retained only for as long as necessary for the purposes for which it was collected:

Programme materials: Retained for the duration of production plus [6-12 months] for potential re-edits or transmission requirements, then archived or securely destroyed
Financial records: Retained for 6 years in accordance with HMRC requirements
Contracts: Retained for 6 years after contract end
Marketing consent: Reviewed annually; withdrawn consent results in immediate removal

Specific retention periods are documented in our Data Retention Schedule, available from Andrew Smith/ Fleeting Year Films

10. Sharing Data with Third Parties
Andrew Smith/ Fleeting Year Films may share personal data with:

Broadcasters and commissioning platforms (for programme delivery)
Post-production facilities and contractors
Legal and professional advisors
Regulatory bodies (Ofcom, ICO) when required
Insurance providers
Payment processors

All third-party processors are required to maintain equivalent data protection standards through contractual agreements. Data is not sold to third parties.
When transferring data internationally, the Andrew Smith/ Fleeting Year Films ensures adequate safeguards are in place, including Standard Contractual Clauses or transfers to countries with adequacy decisions.

11. Individual Rights

Data subjects have the following rights regarding their personal data:

Right of access: To obtain confirmation of data processing and a copy of their personal data
Right to rectification: To have inaccurate data corrected
Right to erasure: To have data deleted in certain circumstances
Right to restrict processing: To limit how data is used
Right to data portability: To receive data in a structured, commonly used format
Right to object: To object to processing based on legitimate interests
Rights related to automated decision-making: To not be subject to decisions based solely on automated processing

Requests should be submitted in writing to Andrew Smith/ Fleeting Year Films, who will respond within one month of receipt.

12. Consent
Where consent is the lawful basis for processing, Andrew Smith/ Fleeting Year Films ensures:

Consent is freely given, specific, informed, and unambiguous
Clear information is provided about what is being consented to
Consent mechanisms are separate from other terms and conditions
Individuals can withdraw consent as easily as they gave it
Records of consent are maintained

Programme participants receive clear release forms explaining how their data and contributions will be used before filming begins.

13. Special Considerations for Programme Production

Filming and Recording:

All participants sign release forms before filming
Sensitive content is handled with particular care
Children and vulnerable adults receive additional safeguards
Contributors are informed about programme content, transmission platforms, and potential secondary uses

Contributor Welfare:

Appropriate support is offered to contributors discussing sensitive topics
Anonymity is provided where promised
Data about vulnerable individuals is handled with enhanced security

Archive Materials:

Historical footage and materials are reviewed to ensure continued lawful processing
Where original consent is unclear, reasonable efforts are made to contact individuals or apply public interest exemptions appropriately

14. Data Protection Officer

Andrew Smith is responsible for
Monitoring compliance with this policy and data protection law
Advising on data protection impact assessments
Acting as the point of contact for the Information Commissioner's Office (ICO)
Handling data subject requests and complaints

15. Data Breaches
A personal data breach is any security incident resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data.
All staff must immediately report suspected data breaches to Andrew Smith who will:

Investigate and contain the breach
Assess the risk to individuals
Notify the ICO within 72 hours if required
Inform affected individuals if there is a high risk to their rights
Document all breaches and responses

16. Training and Awareness
All contractors receive appropriate data protection training upon commencing work and regular refresher training thereafter. This includes:

Understanding of data protection principles
Recognition of personal and special category data
Secure handling procedures
How to respond to data subject requests
Breach reporting procedures

17. Accountability and Governance
Andrew Smith/ Fleeting Year Films demonstrates accountability through:

Maintaining records of processing activities
Conducting Data Protection Impact Assessments for high-risk processing
Regular policy reviews and updates
Internal audits of compliance
Documentation of decisions and risk assessments

18. Complaints
Individuals who believe their data has been mishandled may complain to:
Internal: Andrew Smith
External: Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113

19. Policy Review
This policy is reviewed annually or following significant changes to data protection legislation or operations. The next review date is 10 November 2026

20. Related Policies
This policy should be read alongside:

Contributor Release Forms
Employee Privacy Notice
Information Security Policy
Social Media Policy