DATA PROTECTION POLICY
Langcliffe Singers (“the choir”) is a community choir open to all ages and abilities. We do not hold auditions. We are a non-profit making organisation and a registered charity.
In order to comply with Data Protection law the choir must fairly and lawfully process personal data in a transparent way, only collect and use such data for specified purposes, ensure the data is relevant and not excessive, is accurate and up-to-date, is kept securely and is not kept for longer than necessary
The choir is the Data Controller and will determine what data is collected and how it is used. The Data Protection Officer (“DPO”) for the choir is the secretary, Julie Glossop. She, together with the trustees, is responsible for the secure, fair and transparent collection and use of data by the choir. Any questions relating to the collection or use of data should be directed to the DPO.
Whenever the choir collects data it will provide a privacy statement explaining clearly why it is being collected and how it will be used.
SCOPE OF THE POLICY
The policy will apply to all personal information, whether in electronic or manual form, held by the choir about any other member of the choir or any other person and applies to all those handling data on behalf of the choir.
The main source of such personal information is the membership database held by the DPO. This information will comprise the member’s name, postal address, telephone number(s) and, if the member has one, their e-mail address.
The same information relating to those members who make payments to the choir by direct debit and/or subject to Gift Aid will be kept in a separate database held securely by the treasurer to the choir.
The treasurer will also securely hold such contact information relating to non-members who have applied to take part in a Come & Sing event, the information being held both on computer and by retaining their application forms.
(Although we run a Christmas Raffle we do not use any personal data given to us on ticket counterfoils for any purpose other than to identify and contact winners of prizes in the Raffle – we specifically do not copy any such data or retain it in any form apart from the counterfoils and all the counterfoils are destroyed immediately after the draw apart from those of the winners which are destroyed once the winners have claimed their prize.)
The choir will never contact any individual by email for marketing purposes unless we have obtained their express consent to our doing so. The choir may collect data from consenting supporters for marketing purposes, in particular those who advertise in our concert programmes, provided they have consented to such contact and whenever data is collected for this purpose we will provide a method for recipients to show their consent to such communications, a clear explanation of how the data will be used and a method by which the recipient can withdraw their consent.
RATIONALE FOR INFORMATION HELD
The name and personal contact details for each member are required in order to be able to contact the member as and when necessary to advise them of all matters relating to the running of the choir such as dates and venues for concerts and rehearsals or other choir events and so to enable them to enjoy the benefits of membership of the choir as required.
The contact details for the membership database will be collected on a consent form to be completed at the first rehearsal attendance and passed to the DPO for inclusion on the member database. The database is to be password protected. The password will be issued to trustees and will be regularly changed. The completed consent forms will be held securely by the DPO in order to provide evidence that the requisite consents have been obtained.
The contact details held by the treasurer are kept (a) in order to record subscription and other receipts from choir members with amounts and dates when paid and to record Gift Aid declarations and (b) to enable him to contact non-members wishing to take part in Come & Sing events providing they have consented to such contact.
Such data is only collected and retained for the purposes set out above and is never under any circumstances disclosed to a third party.
RETENTION OF INFORMATION
The choir will keep information for no longer than is necessary in order to meet the intended use for which it was obtained – see below - unless there is a legal requirement to keep records, for example Gift Aid declarations which must by law be retained for six years.
RESPONSIBILITIES OF THE CHOIR
To maintain accurate and up to date records which comply with the requirements as detailed above and with the European Union General Data Protection Regulations.
To ensure that each member has given written consent for personal information to be added to the database.
To enter the information given on the consent forms onto the membership database and retain the forms as evidence that the requisite consents have been obtained.
To maintain security of the database by protecting it with a password and to back it up on a memory stick or other such device and to provide that password, on a need to know basis only, to trustees members and to ensure that the paper records are locked away.
To ensure that the information is not divulged to a third party under any circumstances.
To provide to any member upon written request a copy of the information held concerning him or her.
To update the database each time any information is added or changed and to reissue the updated version to trustees who require a copy.
To ensure that there is a review every two years of the information held for each member.
To ensure that the information is held for no longer than is required by deleting and destroying any personal information relating to a member when that member dies or leaves the choir or requests in writing that the information is deleted and destroyed.
To report to the Information Commissioner’s Office any breaches of the Regulations within 72 hours of discovery of the breach.
To complete a consent form when requested to do so and to pass it immediately to the DPO, who will deal with it as above.
To notify the DPO immediately of any change in their personal information.
To ensure that the confidentiality of information about all members will be respected and will not under any circumstances be divulged to a third party and to adhere to this policy in all respects.
The individual can ask to see the personal information which the choir holds on them and confirmation of how it is being used. Such request should be made in writing to the DPO and will be complied with within 28 days.
Signed and approved on behalf of the Trustees: