Black Sheep Harmony Data Protection Policy (v2) Black Sheep Harmony Ladies Chorus (BSHLC) needs to gather and use certain information about individuals in order to operate. These can include members, suppliers, volunteers, audiences and potential audiences, business contacts and other people the group has a relationship with or regularly needs to contact. This policy describes how this data must be collected, handled and stored to comply with the UK General Data Protection Regulation (UK GDPR). This data protection policy ensures that BSHLC: • Protects the rights of its members, volunteers and supporters • Complies with data protection law and follows good practice • Is open about how it stores and processes individuals' data • Protects itself from a data breach Data Protection Law The data protection regime that applies to BSHLC is the UK General Data Protection Regulation (UK GDPR), incorporated into the UK from the EU, tailored by the Data Protection Act 2018 (DPA 2018). It describes how organisations – including BSHLC - must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other material. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. BSHLC recognises and understands the consequences of failure to comply with the requirements of UK GDPR may result in: • Criminal and civil action • Fines and damages • Personal accountability and liability • Loss of confidence in the integrity of BSHLC's systems and procedures • Irreparable damage to BSHLC's reputation BSHLC may also consider taking action where members do not comply with the UK General Data Protection Regulation (GDPR). Roles and Responsibilities This policy applies to all members, including officers, directors and committee members or anyone involved in the activities of BSHLC. This policy applies to all personal and sensitive data processed on computers, stored in paper files and on other material. This can include: • Names of individuals • Postal addresses • Email addresses • Telephone numbers • Any other personal information relating to individuals BSHLC is the Data Controller and will determine what data is collected and how it is used. The Data Protection Lead for BSHLC is the Website Manager. They, together with the Committee, are responsible for the secure, fair and transparent collection and use of data by BSHLC. Any questions relating to the collection or use of data should be directed to the Data Protection Lead. Data Protection Principles a) We fairly and lawfully process personal data in a transparent way; BSHLC will only collect data where lawful and where it is necessary for the legitimate purposes of the group. • A member’s name, contact details will be collected when they first join the group and will be used to contact the member regarding group membership, administration and activities. Other data may also subsequently be collected in relation to their membership, including their payment history for ‘subs’ and clothing and date of birth. Where possible BSHLC will anonymise this data. o Lawful basis for processing this data: Contract (the collection and use of data is fair and reasonable in relation to BSHLC completing tasks expected as part of the individual’s membership). • The name and contact details of supporters will be collected when they take up a position and will be used to contact them regarding group administration related to their role. Further information, including personal financial information and criminal records information may also be collected in specific circumstances where lawful and necessary (in order to process payment to the person or in order to carry out a DBS check). o Lawful basis for processing this data: Contract (the collection and use of data is fair and reasonable in relation to BSHLC completing tasks expected as part of working with the individuals), • An individual’s name and contact details will be collected when they make a booking for an event. This will be used to contact them about their booking and to allow them entry to the event. o Lawful basis for processing this data: Contract (the collection and use of data is fair and reasonable in relation to BSHLC completing tasks expected as part of the booking), • An individual’s name, contact details and other details may be collected at any time (including when booking tickets or at an event), with their consent, in order for BSHLC to communicate with them about and promote group activities. o Lawful basis for processing this data: Consent (see ‘How we get consent’) b) We only collect and use personal data for specific, explicit and legitimate purposes and will only use the data for those specified purposes; When collecting data, BSHLC will always provide a clear and specific privacy statement explaining to the subject why the data is required and what it will be used for. c) We ensure any data collected is relevant and not excessive; BSHLC will not collect or store more data than the minimum information required for its intended purpose. BSHLC needs to collect telephone numbers/email addresses from members in order to be able to contact them about group administration and activities. d) We ensure data is accurate and up-to-date; BSHLC will ask members and supporters to check and update their data on a regular basis. Any individual will be able to update their data at any point by contacting their club Membership Secretary in the first instance and then the Data Protection Lead. e) We ensure data is not kept longer than necessary; BSHLC will keep records for no longer than is necessary in order to meet the intended use for which it was gathered (unless there is a legal requirement to keep records). The storage and intended use of data will be reviewed in line with the BSHLC Data Protection and Retention Policy. When the intended use is no longer applicable (e.g. contact details for a member who has left the group), the data will be deleted within a reasonable period. f) We keep personal data secure; BSHLC will ensure that data it holds is kept secure. • Electronically-held data will be held within a password-protected and secure environment • Passwords for electronic data files will be re-set each time an individual with data access leaves their role/position • Physically-held data (e.g. membership forms) will be stored securely by the custodian • Each time an individual with custody of physical data leaves their role/position the data will be
Destroyed by the custodian, or
Transferred to the new individual occupying the role/position, or
Collected by the Data Protection Lead for custody
• Membership data is shared, by consent, among all regular members. • Access to other data will only be given to relevant committee members where it is clearly necessary for the running of the group. The Data Protection Lead will decide in what situations this is applicable and will keep a master list of who has access to data. Individuals' Rights • Right to be informed: whenever BSHLC collects data it will provide a clear and specific privacy statement explaining why it is being collected and how it will be used. • Right of access: individuals can request to see the data BSHLC holds on them and confirmation of how it is being used. Requests should be made in writing to the Data Protection Lead and will be complied with free of charge and within one month. Where requests are complex or numerous this may be extended to two months • Right to rectification: individuals can request that their data be updated where it is inaccurate or incomplete. BSHLC will request that membersand supporters check and update their data with their club Membership Secretary on an annual basis. Any requests for data to be updated will be processed within one month. • Right to object: individuals can object to their data being used for a particular purpose. BSHLC will always provide a way for an individual to withdraw consent in all marketing communications. Where BSHLC receives a request to stop using data, BSHLC will comply unless it has a lawful reason to use the data for legitimate interests or contractual obligation. • Right to erasure: individuals can request for all data held on them to be deleted. The BSHLC Data Retention Policy will ensure data is not held for longer than is reasonably necessary in relation to the purpose it was originally collected. If a request for deletion is made, BSHLC will comply with the request unless: o There is a lawful reason to keep and use the data for legitimate interests or contractual obligation. o There is a legal requirement to keep the data. • Right to restrict processing: individuals can request that their personal data be ‘restricted’ – that is, retained and stored but not processed further (e.g. if they have contested the accuracy of any of their data, BSHLC will restrict the data while it is verified). • Right to data portability: though unlikely to apply to the data processed by BSHLC, we will also ensure that rights related to portability and automated decision-making (including profiling) are complied with where appropriate. Member to Member Contact BSHLC only share members’ data with other members with the subject’s prior consent. However, as a membership organisation BSHLC encourages communication between members. To facilitate this, members can access the personal contact data of other members via the Members' page of the BSHLC website. Personal data on these pages must not be shared with anyone outside BSHLC. Anyone doing this will be in breach of the GDPR. How We Get Consent– Members Members are invited to confirm their consent at the time their membership is registered. Although some data is a necessary adjunct to membership, e.g. contact details and subscription data, much of the additional personal data such as Occupation, Marital Status and Birthday is entirely voluntary. How We Get Consent– Non-members BSHLC will regularly collect data from consenting supporters for marketing purposes. This includes contacting them to promote Club activities, fundraising and other organisations’ activities relating to music. Any time data is collected for this purpose, BSHLC will provide: • A method for users to show their positive and active consent to receive these communications (e.g. a ‘tick box’) • A clear and specific explanation of what the data will be used for (e.g. ‘Tick this box if you would like BSHLC to send you email updates with details about Club activities, fundraising and other organisations’ activities relating to music.) Data collected will only ever be used in the way described and consented to (e.g. BSHLC will not use email data in order to market 3rd-party products unless this has been explicitly consented to). Every marketing communication will contain a method through which a recipient can withdraw their consent (e.g. an ‘unsubscribe’ link in an email). Opt-out requests such as this will be processed within 14 days. Changes to the Policy If we make changes to our privacy statements or processes we will post the changes here. Where the changes are significant, we may also choose to email individuals affected with the new details. Where required by law, will we ask for your consent to continue processing your data after these changes are made. How to complain If you have any concerns about our use of your personal information, you can make a complaint to us at email@example.com
You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s address: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Helpline number: 0303 123 1113 ICO website: https://www.ico.org.uk Change Record
Introduction of GDPR
Changes post-Brexit, and addition of complaints process and cookies information
Data Retention Policy This policy sets out how BSHLC will approach data retention and establishes processes to ensure BSHLC does not hold data for longer than is necessary. It forms part of BSHLC Data Protection Policy. Roles and responsibilities:
BSHLC is the Data Controller and will determine what data is collected and how it is used.
The website manager is the Data Protection Lead.
The contact point for any queries relating to Data Protection is the Data Protection Lead. They, together with the Committee are responsible for the secure, fair and transparent collection and use of data by BSHLC. Any questions relating to the collection or use of data should be directed to the Data Protection Lead. Regular Data Review A regular review of all data will take place to establish if BSHLC still has good reason to keep and use the data held at the time of the review. As a general rule a data review will be held every 2 years and no more than 27 calendar months after the last review. Data to be reviewed • Data stored on the BSHLC website • Data stored on digital documents (e.g. spreadsheets, databases) on personal devices held by Committee members • Data stored on third party online services (e.g. Box.com, Dropbox) • Physical data stored at the homes of Committee members Who the review will be conducted by The review will be conducted by the BSHLC Chairman with other Committee members to be decided upon at the time of the review. How Data will be deleted • Physical data will be destroyed safely and securely, including shredding. • All reasonable and practical efforts will be made to remove data stored digitally. o Priority will be given to any instances where data is stored in active lists (e.g. where it could be used) and to sensitive data. o Where deleting the data would mean deleting other data that BSHLC has a valid lawful reason to keep (e.g. on old emails) then the data may be retained safely and securely but not used. Statutory Requirements Data stored by BSHLC may be retained based on statutory requirements for storing data other than on data protection regulations. This might include but is not limited to: • Records of Gift Aid declarations • Details of payments made and received (e.g. in bank statements and accounting records) • Trustee meeting minutes • Contracts and agreements with suppliers/customers • Insurance details Other Data Retention Procedures
Member data • When a member leaves BSHLC and all administrative tasks relating to their membership have been completed, any potentially sensitive data held on them will be deleted – this might include bank details • Unless consent has been given, data will be removed from all email mailing lists • All other data will be stored safely and securely and reviewed as part of the next two-year review Mailing list data • If an individual opts out of a mailing list their data will be removed as soon as is practically possible • All other data will be stored safely and securely and reviewed as part of the next two-year review Supporter data • When a supporter stops working with BSHLC and all administrative tasks relating to their work have been completed, any potentially sensitive data held on them will be deleted – this might include bank details • Unless consent has been given data will be removed from all email mailing lists • All other data will be stored safely and securely and reviewed as part of the next two-year review. Other Data • All other data will be included in a regular two-year review. This policy will be kept under review.
Without cookies, some things on websites would not be able to work: for example, without cookies it might not be possible to know whether or not you are logged in on a website, which would prevent you from being able to see content restricted to logged-in members.
Anonymous analytics cookies Further, every time someone visits our website, software provided by Google Analytics generates an 'anonymous analytics cookie'. These cookies can tell us whether or not you have visited the site before and what pages you visit. Your browser will tell us if you have these cookies and, if you don't, we generate new ones. This allows us to track how many individual users we have, and how often they visit the site. We use them to gather statistics, for example, the number of visits to a page, to help us identify if visitors would benefit from more information on a particular area.
How do I turn cookies off? It is usually possible to stop your browser accepting cookies, or to stop it accepting cookies from a particular website.
All modern browsers allow you to change your cookie settings. You can usually find these settings in the 'options' or 'preferences' menu of your browser. To understand these settings, the following links may be helpful, or you can use the 'Help' option in your browser for more details.