Key details
Introduction
The wording of this policy is adapted from a template recommended and provided by Making Music (the UK’s National Federation of Music Societies).
In order to operate, the Joyful Company of Singers (JCS) needs to gather, store and use certain forms of information about individuals.
These can include members, employees, contractors, suppliers, volunteers, audiences and potential audiences, business contacts and other people the group has a relationship with or regularly needs to contact.
This policy explains how this data should be collected, stored and used in order to meet JCS data protection standards and comply with the General Data Protection Regulations.
Why is this policy important?
This policy ensures that JCS
- Protects the rights of our members (singers), volunteers and supporters (including Friends of JCS)
- Complies with data protection law and follows good practice
- Protects the group from the risks of a data breach
Who and what does this policy apply to?
This applies to all those handling data on behalf of JCS:
- Trustees
- Employees and volunteers
- Members (Singers)
- Contractors/3rd-party suppliers
Data protection principles
The policy applies to all data that JCS holds relating to individuals, including:
- Names
- Email addresses
- Postal addresses
- Phone numbers
- Any other personal information held (e.g. financial)
Roles and responsibilities
JCS is the Data Controller and will determine what data is collected and how it is used. The JCS Trustees are responsible for the secure, fair and transparent collection and use of data by JCS. Any questions relating to the collection or use of data should be directed to the Trustees, using the ‘contact’ form on the JCS website www.jcos.co.uk/contact/
Everyone who has access to data as part of JCS has a responsibility to ensure that they adhere to this policy.
JCS might from time to time use third party Data Processors (e.g. Mail Chimp) to process data on its behalf. JCS will ensure all Data Processors are compliant with GDPR.
Data protection principles
a) We fairly and lawfully process personal data in a transparent way. JCS will only collect data where lawful and where it is necessary for the legitimate purposes of the group.
- Members’ and supporters’ names and contact details will be collected when they first join the group and will be used to contact the member regarding group membership, administration and activities. Other data may also subsequently be collected in relation to their membership, including their payment history for project or annual membership.
- Lawful basis for processing this data: Contract (the collection and use of data are fair and reasonable in relation to JCS completing tasks expected as part of the individual’s membership).
- The name and contact details of volunteers, employees and contractors will be collected when they take up a position and will be used to contact them regarding group administration related to their role.Further information, e.g. personal financial information, may also be collected in specific circumstances where lawful and necessary (e.g. in order to process payment to the person).
- Lawful basis for processing this data: Contract (the collection and use of data are fair and reasonable in relation to JCS completing tasks expected as part of working with the individuals).
- An individual’s name and contact details might be collected when they make a booking for an event. This will be used to contact them about their booking and to allow them entry to the event.
- Lawful basis for processing this data: Contract (the collection and use of data are fair and reasonable in relation to JCS completing tasks expected as part of the booking).
- An individual’s name, contact details and other details may be collected at any time (including when booking tickets or at an event), with their consent, in order for JCS to communicate with them about and promote group activities. See ‘How we get consent’ below.
- Lawful basis for processing this data: Consent (see ‘How we get consent’)
- Pseudonymous or anonymous data (including behavioural, technological and geographical) on an individual may be collected via tracking ‘cookies’ when they access our website or interact with our emails, in order for us to monitor and improve our effectiveness on these channels. See ‘JCS website’ below.
- Lawful basis for processing this data: Consent (see ‘How we get consent’)
b) We only collect and use personal data for specific, explicit and legitimate purposes and will only use the data for those specified purposes.
When collecting data, JCS will provide a clear and specific privacy statement explaining to the subject why the data is required and what it will be used for.
c) We ensure any data collected is relevant and not excessive. JCS will not collect or store more data than the minimum information required for its intended purpose.
E.g. we need to collect email addresses and telephone numbers from members in order to be able to contact them about group administration, but data on their marital status or sexuality will not be collected, since it is unnecessary and excessive for the purposes of group administration.
d) We check data are accurate and up-to-date. JCS will on occasion ask all members, volunteers and staff to confirm and/or update their data. Any individual member is able to update their data at any point by contacting the choir administrator; Friends of JCS should contact the Friends administrator; other individuals should contact the choir administrator.
e) We ensure data are not kept longer than necessary
JCS will keep records for no longer than is necessary in order to meet the intended use for which it was gathered (unless there is a legal requirement to keep records).
The storage and intended use of data will be reviewed in line with JCS data retention policy. When the intended use is no longer applicable (e.g. contact details for a member who has left the group), the data will be deleted within a reasonable period.
f) We keep personal data secure
JCS will ensure that data held by us are kept secure.
- Electronically-held data will be held within a password-protected and secure environment
- Passwords for electronic data files will be re-set each time an individual with data access leaves their role/position
- Physically-held data (e.g. membership forms or email sign-up sheets) will be stored in locked premises.
- Access to data will only be given to relevant trustees, administrators, employees, members and contractors where it is clearly necessary for the running of the group. For example, the volunteer project manager for each project will be given the contact details of those members selected to perform.
g) Transfer to countries outside the EEA
JCS will not transfer data to countries outside the European Economic Area (EEA), unless the country has adequate protection for the individual’s data privacy rights.
Individual’s rights
When JCS collects, holds and uses an individual’s personal data, that individual has the following rights over that data. JCS will ensure its data processes comply with those rights and will make all reasonable efforts to fulfil requests from an individual in relation to those rights.
- Right to be informed: whenever JCS collects data it will provide a clear and specific privacy statement explaining why it is being collected and how it will be used.
- Right of access: individuals can request to see the data JCS holds on them and confirmation of how it is being used. Requests should be made in writing to the choir administrator.
- Right to rectification: individuals can request that their data be updated where it is inaccurate or incomplete. Any requests for data to be updated will be processed within one month.
- Right to object: individuals can object to their data being used for a particular purpose. JCS will always provide a way for an individual to withdraw consent in all marketing communications. Where we receive a request to stop using data we will comply unless we have a lawful reason to use the data for legitimate interests or contractual obligation.
- Right to erasure: individuals can request for all data held on them to be deleted. JCS data retention policy will ensure data is not held for longer than is reasonably necessary in relation to the purpose it was originally collected. If a request for deletion is made we will comply with the request unless:
- There is a lawful reason to keep and use the data for legitimate interests or contractual obligation.
- There is a legal requirement to keep the data.
- Right to restrict processing: individuals can request that their personal data be ‘restricted’ – that is, retained and stored but not processed further (e.g. if they have contested the accuracy of any of their data, JCS will restrict the data while it is verified).
Though unlikely to apply to the data processed by JCS, we will also ensure that rights related to portability and automated decision making (including profiling) are complied with where appropriate.
How we get consent
JCS will regularly collect data from members and consenting supporters and other individuals. The purpose for doing so will be made clear – this includes enabling us to contact them to promote and invite participation in JCS performances, updating them about group news, fundraising and other group activities.
JCS website
Users of the JCS website www.jcos.co.uk are invited to receive further communications from JCS. We will provide:
- A method for users to show their positive and active consent to receive these communications (e.g. by using a ‘Follow Us via email’ box or ‘Contact’ page).
- A clear and specific explanation of what the user’s requested personal data will be used for (e.g. ‘Enter your email address to follow this site and receive notifications of new posts by email’)
Data collected will only ever be used in the way described and consented to (e.g. we will not use email data in order to market 3rd-party products that do not relate to the JCS or our performances).
Follow-up communications from JCS will contain a method through which a recipient can withdraw their consent (e.g. an ‘unsubscribe’ option in an email). Opt-out requests such as this will be processed within 14 days.
JCS also uses cookies on its website. New users are told this on-screen when they visit the website. A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions and provide anonymised tracking data to third party applications like Google Analytics. As a rule, cookies will make users’ browsing experience better. However, users may prefer to disable cookies on the JCS site and on others. Our website explains that the most effective way to do this is to disable cookies in the user’s browser and suggests users consult the Help section of their browser or visit the About Cookies website which offers guidance for all modern browsers.
Data retention policy
Introduction
This policy sets out how JCS will approach data retention and establishes processes to ensure we do not hold data for longer than is necessary. It forms part of JCS Data Protection Policy.
Roles and responsibilities
JCS is the Data Controller and will determine what data are collected, retained and how they are used. The Trustees are responsible for the secure and fair retention and use of data by JCS. Any questions relating to data retention or use of data should be directed to the Trustees using the ‘contact’ form on the JCS website www.jcos.co.uk/contact/.
Reviews of all data will take place to establish if JCS still has good reason to keep and use the data held at the time of the review.
Data to be reviewed
- JCS stores data on digital documents (e.g. spreadsheets) stored on personal devices held by Trustees, the Music Director and JCS Administrators.
- Data stored on third party online services (e.g. Mail Chimp)
- Physical data stored at the homes of Trustees, the Music Director and JCS Administrators
Who conducts the review?
The review will be conducted by the nominated Trustees and Administrators, to be decided at the time of the review.
How data will be deleted
- Physical data will be destroyed safely and securely, including shredding.
- All reasonable and practical efforts will be made to remove data stored digitally.
- Priority will be given to any instances where data is stored in active lists (e.g. where it could be used) and to sensitive data.
- Where deleting the data would mean deleting other data that we have a valid lawful reason to keep (e.g. on old emails) then the data may be retained safely and securely but not used.
Criteria
The following criteria will be used to make a decision about what data to keep and what to delete.
Are the data stored securely?
Yes – No action necessary
No – Update storage protocol in line with Data Protection policy
Does the original reason for having the data still apply?
Yes – Continue to use
No – Delete or remove data
Are the data being used for their original intention?
Yes – Continue to use
No – Either delete/remove or record lawful basis for use and get consent if necessary
Is there a statutory requirement to keep the data?
Yes – Keep the data at least until the statutory minimum no longer applies
No – Delete or remove the data unless we have reason to keep the data under other criteria.
Are the data accurate?
Yes – Continue to use
No – Ask the subject to confirm/update details
Where appropriate, do we have consent to use the data?
[This consent could be implied by previous use and engagement by the individual]
Yes – Continue to use
No – Get consent
Can the data be anonymised?
Yes – Anonymise data
No – Continue to use
Statutory Requirements
Data stored by JCS may be retained based on statutory requirements for storing data other than data protection regulations. This might include but is not limited to:
- Gift Aid declarations records
- Details of payments made and received (e.g. in bank statements and accounting records)
- Trustee meeting minutes
- Contracts and agreements with suppliers/customers
- Insurance details
- Tax and employment records
Other data retention procedures
Member data
- When a member leaves JCS and all administrative tasks relating to their membership have been completed any potentially sensitive data held on them will be deleted – this might include bank details
- Unless consent has been given, data will be removed from email mailing lists
- All other data will be stored safely and securely and reviewed as part of the next two-year review
Mailing list data
- If an individual opts out of a mailing list their data will be removed as soon as is practically possible.
- All other data will be stored safely and securely and reviewed as part of the next review
Volunteer and freelancer data
- When a volunteer or freelancer stops working with JCS and all administrative tasks relating to their work have been completed any potentially sensitive data held on them will be deleted – this might include bank details
- Unless consent has been given, data will be removed from all email mailing lists
- All other data will be stored safely and securely and reviewed as part of the next review
Other data
- All other data will be included in the next review.