GDPR Policy

Beverley Community Choir Data Protection policy

 

 Policy approved by Choir  Committee on: June 2019    Next review date: June 2020

 

Introduction

 

In order to operate, Beverley Community Choir needs to gather, store and use certain forms of data about individuals. These may include: choir members, suppliers, volunteers, guests, audiences and potential audiences, business contacts and other people the Choir has a relationship with or regularly needs to contact. This policy explains how this data should be collected, stored and used in order to meet current data protection standards and comply with the law.

 

 This policy ensures that Beverley Community Choir:

protects the rights of our members, partners and supporters

complies with data protection law and follows good practice

is protected from the risks of a data breach

 

Who and what does this policy apply to?

 

This applies to all those handling data on behalf of Beverley Community Choir, including Committee members, Choir members, suppliers and partners.

 

The policy applies to all data that Beverley Community Choir holds relating to individuals, including:  Names, Email addresses, Postal addresses, Phone numbers; any other personal information held such as records of membership payments and any other financial information; and visual data including photographs and videos.

 

 Roles and responsibilities

 

Everyone who has access to data as part of Beverley Community Choir has a responsibility to ensure that they adhere to this policy.

 

Data controllerThe Data Controller for Beverley Community Choir is: Jim Rogers. They, together with the Committee, are responsible for determining how and why data is collected and how it will be used. Any questions relating to the collection or use of data should be directed to the Data Controller.

 

Data Protection Principles

 

  1. We fairly and lawfully process personal data.

 

Beverley Community Choir will only collect data where lawful and where it is necessary for the legitimate purposes of the Choir.

A member’s name and contact details will be collected when they first join the Choir, and will be used to contact the member regarding Choir membership, administration and activities.

Other data may also subsequently be collected in relation to membership, including about their payment history for ‘subscriptions’.

The name and contact details of committee members, employees, volunteers and contractors will be collected when they take up a position, and will be used to contact them regarding Choir administration related to their role.

Further information, including personal financial information and criminal records information may also be collected in specific circumstances where lawful and necessary (in order to process payment to the person or in order to carry out a DBS check).

An individual’s name and contact details will be collected when they make an enquiry about membership of the Choir. This will be used to contact them about places on a waiting list for joining the Choir.

 

An individual’s name, contact details and other details may be collected at any time (including when making an enquiry about membership or when attending an event), with their consent, in order for to Beverley Community Choir to communicate with them about Choir activities, and/or for Direct Marketing. (See ‘Direct Marketing’ below)

 

Visual data may be gathered in the form of photographs and videos at public performances given by the choir, and at choir workshops, guest nights, and presentations to charity partners. Consent will be sought for the storage of any such images and their use in publicity.

 

  1. We only collect and use personal data for specified and lawful purposes.

 

When collecting data, Beverley Community Choir will always explain to the subject why the data is required and what it will be used for, e.g. “Please enter your email address in the form below. We need this so that we can send you email updates for Choir administration including about rehearsal and concert schedules, subs payments and other business.” We will never use data for any purpose other than that stated or that can be considered reasonably to be related to it. For example, we will never pass on personal data to third parties without the explicit consent of the subject.

 

  1. We ensure any data collected is relevant and not excessive Beverley

 

Community Choir will not collect or store more data that the minimum information required for its intended purpose. For example we need to collect email addresses and telephone numbers from members in order to be able to contact them about Choir administration, but data on their marital status or sexuality will not be collected, since it is unnecessary and excessive for the purposes of Society administration.

 

  1. We ensure data is accurate and up-to-date

 

Beverley Community Choir will ask members, and those on the waiting list to check and update their data on an annual basis. Any individual will be able to update their data at any point by contacting the Data Controller.

 

  1. We ensure data is not kept longer than necessary

 

Beverley Community Choir will keep data on individuals for no longer than 12 months after our involvement with the individual has stopped, unless there is a legal requirement to keep records.

 

  1. We process data in accordance with individuals’ rights

 

The following requests can be made in writing to the Data Controller:  Members, suppliers and individuals on the waiting list can request to see any data stored on about them. Any such request will be actioned within 14 days of the request being made.

Individuals can request that any inaccurate data held on them is updated. Any such request will be actioned within 14 days of the request being made.

Individuals can request to stop receiving any marketing communications. Any such request will be actioned within 14 days of the request being made.

Individuals can object to any storage or use of their data that might cause them substantial distress of damage or any automated decisions made based on their data. Any such objection will be considered by the Committee, and a decision communicated within 28 days of the request being made.

 

  1. We keep personal data secure

 

Beverley Community Choir will ensure that data held by us is kept secure.

Electronically-held data will be held within a password-protected and secure environment.  -Physically-held data (e.g. sign-up sheets and attendance lists) will be stored in a cabinet capable of being locked.

Keys for locks securing physical data files should be collected by the Data Controller from any individual with access if they leave their role/position.

Access to data will only be given to relevant Committee members where it is clearly necessary for the running of the Choir. The Data Controller will decide in what situations this is applicable and will keep a master list of who has access to data.

 

  1. Transfer to countries outside the EEA

 

Beverley Community Choir will not transfer data to countries outside the European Economic Area (EEA), unless the country has adequate protection for the individual. We only share members’ data with other members with the subject’s prior consent

Beverley Community Choir may regularly collect data from consenting individuals for marketing purposes. This includes contacting them to promote concerts, updating them about Choir news, fundraising, guest nights and other Choir activities. Any time data is collected for this purpose, we will provide:  A clear and specific explanation of what the data will be used for (e.g. ‘Tick this box if you would like Beverley Community Choir  to send you email updates with details about our forthcoming events, fundraising activities and opportunities to get involved’)

We will also provide a method for users to show their active consent to receive these communications (e.g. a ‘tick box’). Data collected will only ever be used in the way described and consented to (e.g. we will not use email data in order to market 3rd-party products unless this has been explicitly consented to). Every marketing communication will contain a method through which a recipient can withdraw their consent (e.g. an ‘unsubscribe’ link in an email). Opt-out requests such as this will be processed within 14 days.

 

Use of ‘cookies’ on the Choir Website

 

A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions. 

  • Beverley Community Choir uses cookies on our website https://www.beverleycommunitychoir.org.uk/in order to monitor and record activity. This allows us to improve users’ experience of our website by, for example, allowing for a ‘logged in’ state, and by giving us useful insight into how users as a whole are engaging with the website. We will implement a pop-up box on that will activate each new time a user visits the website. This will allow a person  to click to consent (or not) to continuing with cookies enabled, or to ignore the message and continue browsing (i.e. give their implied consent). It will also include a link to our Privacy Policy which outlines which specific cookies are used and how cookies can be disabled in the most common browsers.