GDPR Primer for Companies, Teachers, Schools and Theatres

On Monday I received the following email from Northern Ballet Academy:

"Due to changes in the Data Protection law coming into force from May 2018 we now need your approval in advance to contact you with information regarding your classes and Academy opportunities. If this form is not completed and returned by 30th April we will no longer be able to contact you by email on the information listed on the form."

This is just one of many similar requests that I have received in the last few weeks from online and other service providers with whom I have dealt for many, many years.

The GDPR
The change in the law to which the Academy refers is Regulation (EU) 2016/279 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC which is better known as the General Data Protection Regulation ("GDPR"). It comes into force throughout the 28 member states of the European Union including the UK on 25 May 2018.  That Regulation repeals a 1995 Directive that required Parliament to pass the Data Protection Act 1998. Consequently, it will replace that Act from that date.

Changes in the Law
There has been a lot of hype about the GDPR over the last few years which has been used to sell a lot of new hardware, software and training courses. The new law will make a number of changes to our law. It will affect everyone who processes personal data for business purposes whether by computer or otherwise.  As that is likely to include most companies, theatres, ballet schools and even freelance teachers, it will affect many readers of this blog.  However, those changes are evolutionary and not revolutionary. They are perfectly manageable with a bit of common sense. They are far less difficult to my mind than say a pirouette if, like me, you are overweight, not well-coordinated and came to ballet very late in life.

What is Data Protection and why do we need it?
Data protection is the generic term for the laws that protect personal data (that is to say information that identifies living human beings) from misuse.  It is in our interests that businesses, doctors and nurses, local authorities, places of entertainment, schools and others process personal data as it enables us to enjoy goods and services that would not otherwise be provided but personal data can be misused as recent allegations over the manipulation of Facebook users' data show.  Those who wish to use personal data for legitimate purposes such as communicating with audiences, recording students' progress and so on are allowed to do so if, but only if, they abide by certain data protection principles.

What are the Data Protection Principles?
These are set out in art 5 (1) of the GDPR:

"Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; ..... (‘purpose limitation’);
(c)  adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; ...... (‘storage limitation’);
(f)  processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

There is nothing new about those principles. They have subsisted as part of out law in one form or another since 1984.  The only difference is that those who decide the data to be processed and how they are to be processed ("data controllers") have to demonstrate their compliance with those principles.

What happens if I do not comply?
The GDPR will be enforced in the UK by an official known as "the Information Commissioner".  She already enforces the Data Protection Act 1998, the Freedom of Information Act 2000 and other legislation. She has an office in Wilmslow near Manchester and branches in Belfast, Cardiff and Edinburgh. She will have extensive powers to monitor compliance the Regulation and she can impose fines or other sanctions for non-compliance.  Very serious breaches of the Regulation are offences which may be prosecuted in the Crown or magistrates' courts.  Also, anyone who suffers loss or damage as a result of an infringement of the GDPR may sue the person responsible for injunctions, damages and other remedies in the civil courts.

How do I comply with the GDPR?
The first thing to note is that the Data Protection Act 1998 already covers most of these obligations and has done for the last 20 years.  The Act requires data controllers to notify the Information Commissioner of the personal data that they hold and how they intend to use them.  If you hold personal data for business purposes you will almost certainly need to notify those details to the Commissioner as you risk administrative sanctions or criminal prosecution if you do not do so.  You can find out whether you need to notify and how to do so on the Register (notify) under the Data Protection Act page of the Information Commissioner's website. Unlike the Act the GDPR does not require data controllers to notify their use of personal data to the Commissioner.   However, s.108 (1) of the Digital Economy Act 2017 does and the government has published regulations to that effect which will come into force on 25 May 2018 (see Jane Lambert Information Commissioner's Charges after GDPR 27 March 2018 NIPC Data Protection).

The next thing you should so is to find out as much information as you can about the GDPR. You will find a presentation on GDPR and some articles that I have written in Data Protection - GDPR Resources 24 May 2018 NIPC Law. There is a lot of other information in my Data Protection Blog and even more on the Information Commissioner's website.  I particularly recommend her leaflet Getting ready for the new UK data protection law Eight practical steps for micro business owners and sole traders which can be downloaded from her website.

What about Brexit?
Some readers will have noted that the GDPR is an EU regulation which will cease to apply to us once we leave the EU. While that is true we shall continue to enforce the GDPR during any transition or implementation period that will follow our departure from the EU.  Also, the Commission has made it clear in its negotiation documents that it will expect us to protect personal data under any free trade or other agreement that will govern our long term relationship with the EU after the expiry of that period.  A Data Protection Bill that contains many of the provisions of the GDPR is making its way through Parliament.

Further Information
Anyone wishing to discuss this article or data protection generally should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.

Dance Law #1: PRS for Music Charging Policies

Royal Courts of Justice

Author Anthony M

Creative Commons Licence

Source Wikipedia

Copyright is a property right which subsists in original literary, dramatic, musical or artistic works, sound recordings, films or broadcasts, and typographical arrangement of published editions. It is the exclusive right to do or authorize the following acts in respect of the work:

(a) to copy the work
(b) to issue copies of the work to the public
(ba) to rent or lend the work to the public
(c) to perform, show or play the work in public
(d) to communicate the work to the public
(e) to make an adaptation of the work or do any of the above in relation to an adaptation.

Anyone who does or authorizes any of those acts in the UK without the licence of the owner infringes that right, Such an infringer may be sued in the civil courts or in some circumstances prosecuted in the criminal courts. If found guilty the penalties for copyright infringement are approximately the same as for theft.

As civil litigation can be expensive owners of certain types of copyright works have established organizations known as "collecting societies" to enforce their copyrights. One of those collecting societies is PRS for Music which describes itself as "the home of PRS and MCPS, representing the rights of over 115,000 members in the UK," The PRS and the MCPS are two separate collecting societies representing respectively the rights of the owners of the copyrights in words and music and those of the owners of the copyrights in the sound recordings. PRS for Music offers to license the performance of their  members' works on terms that are regulated by statute. They have reciprocal agreements with collecting societies in other countries to enforce the rights of foreign collecting societies' members' rights here, The foreign collecting societies enforce the rights of British copyright owners elsewhere.

The statute that protects the rights of copyright owners in the United Kingdom is The Copyright, Designs and Patents Act 1988 ("the CDPA"). Section 2 of that Act confers the exclusive tight mentioned above subject to a number of exceptions. One of those exceptions is provided by s,34:

"34 Performing, playing or showing work in course of activities of educational establishment
(1) The performance of a literary, dramatic or musical work before an audience consisting of teachers and pupils at an educational establishment and other persons directly connected with the activities of the establishment--

(a) by a teacher or pupil in the course of the activities of the establishment, or
(b) at the establishment by any person for the purposes of instruction, is not a public performance for the purposes of infringement of copyright. 

(2) The playing or showing of a sound recording, film or broadcast before such an audience at an educational establishment for the purposes of instruction is not a playing or showing of the work in public for the purposes of infringement of copyright.
(3) A person is not for this purpose directly connected with the activities of the educational establishment simply because he is the parent of a pupil at the establishment."

Doubts have arisen over the years as to whether a dance school falls within that exception.  Until the beginning of this year it was the opinion of PRS for Music that it did not. Following representations from the Royal Academy for Dance (see PRS for Music - Educational Exemptions 4 Jan 2016) the collecting society appears to have changed its position. In its PRS for Music Charging Policies the collecting society writes that it has a number of non-charging policies that define circumstances in which it chooses not to make a charge for its licence and one of these is dance schools:

"Section A - Dance Schools that are educational establishments
Where a dance school qualifies as an educational establishment, section 34 of the 1988 Act provides that a public performance licence will not be required from PRS (or any other copyright owner) for performances before an audience of teachers and pupils/students at the school (and other persons directly connected with it) provided that the performance is given

• by a teacher or pupil in the course of the activities of the dance school; or

• at the dance school by any person for the purposes of instruction.

Section B - Dance tuition provided by persons other than educational establishments
Where copyright music is used for the purpose of dance tuition, a licence will ordinarily be required by the course provider. However, if the music is performed within the context of and for the purposes of a lesson and/or examination leading to a qualification aligned with Regulated Qualifications Framework (RQF) Level 1 or above, [for the purposes of calculating charges under the dance tuition session of the current DS tariff and proposed new Fitness and Dance Tariff], PRS is willing to treat such performance as if it were given in circumstances to which section 34 of the Copyright, Designs and Patent Act 1988 applies and accordingly will not make any charge respect of that session."

First, it has to be stressed that that is only a position statement from a collecting society - albeit a powerful one - and not a statute, judgment or other authoritative statement of the law. Having said that, I stress that I do not necessarily disagree with it. If anyone wants to challenge that position in respect of charges made in previous years they can still do so though I am not encouraging (or indeed discouraging) them to do so. Secondly, this statement does not bind copyright owners who are not represented directly or indirectly by PRS for Music. Thirdly, this position statement applies only to the United Kingdom and those other territories to which the CDPA applies.

If anyone wants to learn more about copyright in music or relating to dance, exemptions and licences, collecting societies and enforcement he or she should call me on 020 7404 5252 during office hours or use my contact form.