Purple Elephant Productions – Data Protection Policy

  • Purple Elephant Productions CIC – Data Protection Policy

    Purple Elephant Productions needs to process relevant personal data regarding directors, contractors, volunteers, job applicants, families and young people as part of its operation and shall take all reasonable steps to do so in accordance with this Policy. 

    Purple Elephant will appoint a Data Protection Controller (DPC) who will ensure that all personal data is processed in compliance with this Policy and the UK Data Protection Act 2018 and associated regulations. This person is Sue Willis.

    The Principles 

    Purple Elephant shall, so far as is reasonably possibly, comply with the Data Protection Principles contained in the Data Protection Act to ensure all data is:- 

    • Fairly and lawfully processed, 
    • Processed for a lawful purpose, 
    • Adequate, relevant and not excessive,
    • Accurate and up to date, 
    • Not kept for longer than necessary, 
    • Processed in accordance with the data subject’s rights, 
    • Secure.

    We will record how this data is kept and used.


    • Parental consent, includes the consent of a guardian. 
    • Data Subject, an individual who is the subject of the personal data. 

    Personal Data 

    • Personal data covers both facts and opinions about an individual where that data identifies an individual. Processing of Personal Data may also include sensitive personal data as defined in the Act.
    • Any information which falls under the definition of personal data will remain confidential and will only be disclosed to third parties with appropriate consent, with certain exemptions – please see ‘Exemptions’ below.

    Sensitive Personal Data 

    • Purple Elephant may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings. 

    Rights of Access to Information 

    • Data subjects have the right of access to information held by Purple Elephant, subject to the provisions of the UK Data Protection Act 2018 and the Freedom of Information Act 2000. 
    • Any data subject wanting to see their personal data should put their request in writing to the DPC. 
    • Purple Elephant will respond to written requests as soon as is reasonably possible and in any event, within 40 days for access to records and 21 days to provide a reply to an access to information request. The information will be given to the data subject as soon as is reasonably possible after it has come to attention of Purple Elephant and in compliance with the relevant Acts. 


    Certain data processing because of issues related to:

    • National security and the prevention or detection of crime,
    • Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon Purple Elephant, including Safeguarding and prevention of terrorism and radicalisation.

    The above are examples of exemptions under the Act. Further information on exemptions should be sought from the DPC. 


    Purple Elephant will ensure that personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. 


    If an individual believes that Purple Elephant has not complied with this Policy or acted otherwise than in accordance with the UK Data Protection Act 2018, the individual should notify the DPC or the Information Commissioners Office. 

    Data Security 

    • Purple Elephant will take appropriate steps to ensure the security of personal data. 
    • All staff will be made aware of this policy and their duties under the Act. 
    • Purple Elephant directors, contractors, volunteers and young people are required to respect the personal data and privacy of others. They must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to personal data. 
    • Data stored electronically is kept on devices which are password protected and have firewalls and anti-virus software. Hard copies of data are kept in locked files or cabinets within locked premises. 
    • All data breaches will be reported without undue delay – and within 72 hours – to the Information Commissioner’s Office (https://ico.org.uk).  Purple Elephant will inform any individuals affected without undue delay, where the breach could result in ID theft or fraud; physical harm; significant humiliation and/or damage to reputation.

    External Processors 

    Purple Elephant will ensure that where data processed by external processors, for example, service providers, Cloud services including storage, web sites etc. the processing is compliant with this policy and the relevant legislation. 

    Secure Destruction 

    When data held in accordance with this policy is destroyed, it will be destroyed securely in accordance with best practice at the time of destruction. 

    Retention of Data 

    • Purple Elephant may retain data for differing periods of time for different purposes as required by statute or best practices
    • Purple Elephant may store some data such as registers, photographs, achievements, indefinitely in its archive. 

    Right to erasure

    • Data subjects have the right to ask for their information to be erased from our current data. This request will be granted, providing that it doesn’t conflict with legal proceedings and will not include information archived for legal reasons.

    Dated: April 2020. This policy will be reviewed bi-annually at the AGM.