Charity Commission Number >> 275986

Harpenden Choral Society Data Protection Policy

1. Introduction
In order to operate, Harpenden Choral Society needs to gather, store and use certain forms of information about individuals.
These can include members, contractors (e.g. conductors, accompanists and soloists), suppliers, volunteers, audiences and potential audiences, business contacts and other people the society has a relationship with or regularly needs to contact.
This policy explains how this data will be collected, stored and used in order to comply with data protection law.

a) Why is this policy important?
This policy ensures that Harpenden Choral Society:
• protects the rights of our members, volunteers and supporters;
• complies with data protection law and follows good practice;
• protects the society from the risks of a data breach.

b) Who and what does this policy apply to?
This policy applies to all those handling data on behalf of Harpenden Choral Society, e.g. committee members, volunteers, contractors and third-party suppliers.
It applies to all data that Harpenden Choral Society holds relating to individuals, including:
• name
• postal address and telephone number
• email address (if available)
• date of joining
• attendance records
• payment records
• title and signature (if a member has completed a Gift Aid declaration).

2. Roles and responsibilities under the General Data Protection Regulations (GDPR)
Harpenden Choral Society is the Data Controller and will determine what data is collected and how it is used. The Data Protection Officer for Harpenden Choral Society is the Treasurer, Robert Jones. He, together with the trustees, is responsible for the secure, fair and transparent collection and use of data by Harpenden Choral Society. Any questions relating to the collection or use of data should be directed to the Data Protection Officer.
Everyone who has access to data as part of Harpenden Choral Society has a responsibility to ensure that they adhere to this policy.

3. Data Protection Principles
a) We fairly and lawfully process personal data in a transparent way
Harpenden Choral Society will only collect data where lawful and where it is necessary for the legitimate purposes of the society. The collection and use of data is fair and reasonable in relation to Harpenden Choral Society completing tasks expected as part of an individual’s membership and their membership is the lawful basis for processing their data.
• A member’s name and contact details will be collected when they first join the society, and will be used to contact the member regarding society membership administration and activities. Other data may also subsequently be collected in relation to their membership, including their annual payment history.

• The name and contact details of volunteers and contractors will be collected when they take up a position, and will be used to contact them regarding society administration related to their role.

• An individual’s name, contact details and other details may be collected at any time (including when booking tickets or at an event), with their consent, in order for Harpenden Choral Society to communicate with them about and promote society activities.

b) We only collect and use personal data for specific, explicit and legitimate purposes and will only use the data for those specified purposes
When collecting data, Harpenden Choral Society will always provide a clear and specific privacy statement explaining to the subject why the data is required and how it will be used.
c) We ensure any data collected is relevant and not excessive
Harpenden Choral Society will not collect or store more data than the minimum information required for its intended purpose.
d) We ensure data is accurate and up-to-date
Harpenden Choral Society will ask members and volunteers to inform the Data Protection Officer or the Membership Secretary of any change in their details held by the society; these will then be amended as soon as possible.
e) We ensure data is not kept longer than necessary
Harpenden Choral Society will keep records for no longer than is necessary in order to meet the intended use for which it was gathered (unless there is a legal requirement to keep records).
The storage and intended use of data will be reviewed in line with Harpenden Choral Society’s data retention policy. When the intended use is no longer applicable (e.g. contact details for a member who has left the society) the data will be deleted within a reasonable period.
f) We keep personal data secure
Harpenden Choral Society will ensure that data held by the society is kept secure.
• Electronically-held data will be held within a password-protected and secure environment.
• Physically-held data (e.g. membership forms or email sign-up sheets) will be stored securely.
• Each time an individual with data access leaves their role/position their access to any centrally-held electronic data files will be terminated, and they will be asked to confirm that they have deleted any electronic data and shredded any paper copies held by them.
• Access to data will only be given to relevant committee members and volunteers where it is clearly necessary for the running of the society. The Data Protection Officer will decide in what situations this is applicable and will keep a master list of who has access to data.

4. Individual Rights
When Harpenden Choral Society collects, holds and uses an individual’s personal data that individual has the following rights over that data. Harpenden Choral Society will ensure its data processes comply with those rights and will make all reasonable efforts to fulfil requests from an individual in relation to those rights:
• Right to be informed: whenever Harpenden Choral Society collects data it will provide a clear and specific privacy statement explaining why it is being collected and how it will be used.

• Right of access: individuals can request to see the data Harpenden Choral Society holds on them and confirmation of how it is being used. Requests should be made in writing to the Data Protection Officer and will be complied with free of charge and within one month. Where requests are complex or numerous this may be extended to two months.

• Right to rectification: individuals can request that their data be updated where it is inaccurate or incomplete. Harpenden Choral Society will request that members, volunteers and contractors check and update their data on an annual basis. Any requests for data to be updated will be processed within one month.

• Right to object: individuals can object to their data being used for a particular purpose. Harpenden Choral Society will always provide a way for an individual to withdraw consent in all marketing communications. Where we receive a request to stop using data we will comply unless we have a lawful reason to use the data for legitimate interests or contractual obligation.

• Right to erasure: individuals can request that all data held on them be deleted. Harpenden Choral Society’s data retention policy will ensure data is not held for longer than is reasonably necessary in relation to the purpose for which it was originally collected. If a request for deletion is made we will comply with the request unless:
i) There is a lawful reason to keep and use the data for legitimate interests or contractual obligation.
ii) There is a legal requirement to keep the data.

• Right to restrict processing: individuals can request that their personal data be ‘restricted’ – that is, retained and stored but not processed further (e.g. if they have contested the accuracy of any of their data, Harpenden Choral Society will restrict the data while it is verified).

5. Member-to-Member Contact
Harpenden Choral Society will only share members’ data with other members with the subject’s prior consent.
As a membership organisation Harpenden Choral Society encourages communication between members. To facilitate this:
• Members can request the personal contact data of other members in writing via the Data Protection Officer or Membership Secretary. These details will be given, as long as they are for the purposes of contacting the subject and the subject has consented to their data being shared with other members in this way.

6. How We Get Consent
Harpenden Choral Society will regularly collect data from consenting supporters for marketing purposes. This includes contacting them to promote performances, updating them about society news, fundraising and other society activities. Whenever data is collected for this purpose, the following will be provided:
• a method for users to show their positive and active consent to receive these communications (e.g. a ‘tick box’);
• a clear and specific explanation of what the data will be used for (e.g. ‘Tick this box if you would like Harpenden Choral Society to send you email updates with details about our forthcoming events, fundraising activities and opportunities to get involved’).
Data collected will only ever be used in the way described and where consent has been given.
Every marketing communication will contain a method through which a recipient can withdraw their consent. Opt-out requests such as this will be processed within 14 days.

7. Use Of Cookies On Our Website
A cookie is a small file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.
Harpenden Choral Society uses cookies to identify which pages are being used. This helps with the analysis of data about web page traffic and improvement of the website in order to tailor it to users’ needs. Harpenden Choral Society only uses this information for statistical analysis purposes; a cookie in no way enables access to be made to a user’s computer or any information about them, other than the data they choose to make available.
A user can choose to accept or decline cookies. Most web browsers automatically accept cookies, but users can modify their browser setting to decline cookies if preferred. This may prevent a user from taking full advantage of the website.

Links to other websites
Harpenden Choral Society’s website may contain links to other websites of interest. However, once these links have been followed, users should note that Harpenden Choral Society does not have any control over those other websites. Therefore, the Society cannot be responsible for the protection and privacy of any information which the user provides whilst visiting such sites and such sites are not governed by this policy. The user should exercise caution and look at the privacy statement applicable to the website in question.

8. Data Retention
Harpenden Choral Society’s policy on data retention is set out in the society’s Data Retention Policy.

  • Policy prepared by: Robert Jones
  • Approved by committee on 14 May 2018
  • Point 7 added by Gill Mourant on 3 January 2019
  • Reviewed & approved without amendments: May 2020
  • Next review date: May 2022

Harpenden Choral Society Safeguarding Policy

Commitment to safeguarding
Membership of Harpenden Choral Society is open to adults (i.e. persons aged 18 or over). The Society does not advertise itself as an activity suitable for vulnerable adults but is committed to safeguarding the well-being of all individuals who come into contact with the Society, and recognises its duty of care and responsibility to protect them from harm.
The Society understands the need to be alert to signs of abuse, the difficulty a participant, particularly a vulnerable adult, may have in reporting it, and the importance of responding appropriately. Any reported incident of abuse will be investigated objectively and will involve listening carefully to all those involved.

About this policy
• This policy recognises vulnerable adults as adults defined as vulnerable by the Safeguarding Vulnerable Groups Act 2006. This might include adults with a learning or physical disability, a physical or mental illness, chronic or otherwise, including an addiction to alcohol or drugs, or reduced physical or mental capacity.
• This policy applies to all members, staff (whether employees or freelances), volunteers, and anyone working on behalf of the Society or taking part in the Society’s activities.
• The purpose of this policy is to provide members, staff and volunteers with the principles that guide our approach to the protection of all participants, and vulnerable adults in particular.
• This policy aims to:
• Protect vulnerable adults who are members of, receive services from, or volunteer to assist, the Society.
• Ensure members, staff and volunteers working with vulnerable adults understand and accept responsibility for safeguarding their wellbeing.
• Ensure that safeguarding of vulnerable adults is a primary consideration when the Society undertakes any activity, event or project.

Types of abusive behaviour
Physical abuse. Examples are:
• assault
• bullying – pushing, kicking, hitting, pinching etc.

Sexual abuse. Examples are:
• sexual comments, suggestions or behaviour
• unwanted physical contact.

Psychological or emotional abuse. Examples are:
• verbal abuse – intimidation, coercion, harassment, use of threats, humiliation, swearing
• addressing a person in a patronising or infantilising way
• threats of harm or abandonment
• cyber bullying.

Discriminatory abuse. Examples are:
• unequal treatment based on age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion and belief, sex or sexual orientation (“protected characteristics”)
• derogatory remarks or inappropriate use of language related to a protected characteristic
• harassment or deliberate exclusion on the grounds of a protected characteristic.

The Society’s involvement with vulnerable adults
The Society runs regular rehearsals for members and puts on concerts for the general public. As such, involvement with vulnerable adults might include, but is not limited to:
• members of the Society who attend rehearsals and concerts
• relatives and friends of members who attend rehearsals and concerts in a volunteering capacity
• audience members at public concerts.

The Society’s involvement with children
Membership of the Society does not include children (i.e. persons under 18). Occasionally, concerts may be held with schoolchildren performing with the choir. In such cases, appropriate joint working arrangements will be made to ensure that school groups will always be in the care of their teachers and helpers and/or parents, who will bear responsibility for their welfare at all times.
Roles and responsibilities

The Committee of the Society will:
• seek to ensure that abusive behaviour is not accepted or condoned.
• take action to investigate and respond to any alleged incidents of abuse
• encourage all members of the Society to play an active part in developing and adopting this safeguarding policy.

Each member or participant will:
• respect the feelings and views of others
• recognise that everyone is important and should be valued
• encourage all members of the Society to play an active part in developing and adopting this safeguarding policy
• be committed to the early identification and reporting of abuse.

Procedures for raising safeguarding concerns and incidents of abuse
• If any member, staff or volunteer in the Society witnesses, suspects or is informed of a witnessed or suspected case of abuse they should immediately report it to the Chair.
• If the Chair is not available, or is involved in or connected to, the abuse, it should be reported to another member of the Committee.
• If an individual wishes to report an incident of abuse against themselves they should report it to a member of the Committee or a choir member they trust.
• When a vulnerable adult joins the Society they will be advised of the persons to speak to if they have concerns or complaints.
• Confidentiality should be maintained as far as possible subject to the principle of the welfare of the individual being paramount, which means that information may have to be shared (but only with people who have a legitimate need to know).

Procedures for dealing with concerns and incidents of abuse
The Chair or other member of the Committee will first make a decision based on the immediacy of the concern and take action as follows:
• If the person at the centre of the allegation is in contact with a (vulnerable) adult at the current time – remove them, in a sensitive manner, from direct contact with the vulnerable adult.
• If the (vulnerable) adult is in immediate danger or needs emergency medical attention – call the police and/or ambulance service.
• Obtain and record information from the individual expressing the concern. Assess the information quickly and carefully, and ask for further clarification as appropriate.
• Speak with members of the Committee (excluding any members involved in the incident) to decide how to handle the reported abuse.
• For serious or possible criminal offences – raise concerns with the police.
• For less serious incidents where it is felt that internal mediation will be successful – organise an internal investigation.
• Where considered appropriate – request an assessment by the local authority social care department about whether a vulnerable adult is in need of protection.

Internal investigations
• When an internal investigation takes place the Committee will:
• Inform all parties involved of the reported abuse as soon as possible.
• Inform the family/guardians of the individual reported as having been abused of the incident.
• Arrange separate meetings with both parties within 10 days of the reported incident.
• A joint meeting may be arranged if appropriate.

 Both parties should be given the chance to bring a friend or representative to the meeting.
 Meetings will be attended by the Chair (or member of the Committee dealing with the case) and at least one other member of the Committee.
 All parties will also be invited to submit a written statement in advance of the meeting.
 Once meetings have taken place the Committee will decide on next steps and communicate them to all parties in writing within 5 days. They will be one of the following:

• Escalate the incident to the relevant authority.
• Further investigation – with established procedures and timelines to work towards a resolution.
• A decision or resolution.

Resolution and disciplinary action
• If abuse is found to have taken place any final resolution or decision will be taken in the best interest of the individual who has suffered the abuse and the best interests of the Society.
• Any decision involving termination of membership will be taken in line with the Society’s constitution.
• The Committee will respond to an individual who has suffered abuse in an appropriate way – for example, with an explanation, an apology or information on any action taken.

Regular policy review
As a general rule a review will be held every 2 years and no more than 27 calendar months after the last review. The next review will take place in March 2021. It will also be reviewed in response to changes in relevant legislation, good practice, or in response to an identified failing in its effectiveness.

15 January 2019

Data Retention Policy

 

1. Introduction

This policy sets out how Harpenden Choral Society will approach data retention and establishes processes to ensure the society does not hold data for longer than is necessary.

 

2. Roles and responsibilities

Harpenden Choral Society is the Data Controller and will determine what data is collected, retained and how it is used. The Data Protection Officer for Harpenden Choral Society is the Treasurer, Robert Jones. He, together with the trustees, is responsible for the secure and fair retention and use of data by Harpenden Choral Society. Any questions relating to data retention or use of data should be directed to the Data Protection Officer.

 

  1. Regular Data Review

A regular review of all data will take place to establish if Harpenden Choral Society still has good reason to keep and use the data held at the time of the review. The review will be conducted by the Data Protection Officer with other committee members to be decided on at the time of the review.

As a general rule a data review will be held every 2 years and no more than 27 calendar months after the last review. The next review will take place in May 2020.

Data to be reviewed will include:

  • data stored on digital documents (e.g. spreadsheets) stored on personal devices held by committee members;
  • data stored on third party online services (e.g. Dropbox);
  • physical data stored at the homes of committee members.

 

4. How data will be deleted

Physical data will be destroyed safely and securely, including shredding. All reasonable and practical efforts will be made to remove data stored digitally.

  • Priority will be given to any instances where data is stored in active lists (e.g. where it could be used) and to sensitive data.
  • Where deleting the data would mean deleting other data that the society has a valid lawful reason to keep (e.g. on old emails) then the data may be retained safely and securely but not used.

 

 

 

  1. Criteria

The following criteria will be used to make a decision about what data to keep and what to delete.

Question Action
  Yes No

Is the data stored securely?

 

 No action necessary Update storage protocol in line with data protection policy
Does the original reason for having the data still apply? Continue to use Delete or remove data

Is the data being used for its original intention?

 

 Continue to use Either delete/remove or record lawful basis for use and get consent if necessary
Is there a statutory requirement to keep the data? Keep the data at least until the statutory minimum no longer applies Delete or remove the data unless there is reason to keep the data under other criteria.
Is the data accurate? Continue to use Ask the subject to confirm/update details
Where appropriate do we have consent to use the data? This consent could be implied by previous use and engagement by the individual. Continue to use Get consent
Can the data be anonymised? Anonymise data Continue to use

 

6. Statutory Requirements

Data stored by Harpenden Choral Society may be retained based on statutory requirements for storing data other than data protection regulations. This might include but is not limited to:

  • Gift Aid declarations;
  • details of payments made and received (e.g. in bank statements and accounting records);
  • committee meeting minutes;
  • contracts and agreements with suppliers/customers and contractors;
  • insurance details.
  1. Other Data Retention Procedures

a)    Member data

When a member leaves Harpenden Choral Society and all administrative tasks relating to their membership have been completed:

  • any data held on them will be deleted;
  • unless consent has been given their data will be removed from all email mailing lists.

 

b)   Mailing list data

If an individual opts out of a mailing list their data will be removed as soon as is practically possible.

c)    Volunteer and freelancer data

When a volunteer or contractor stops working with Harpenden Choral Society and all administrative tasks relating to their work have been completed:

  • any potentially sensitive data held on them (eg bank details) will be deleted;
  • unless consent has been given their data will be removed from all email mailing lists;
  • all other data will be stored safely and securely and reviewed as part of the next two year review.

d)   Other data

All other data will be included in a regular two-year review.

  • Policy prepared by: Robert Jones
  • Approved by committee on: 14 May 2018
  • Reviewed & approved without amendments: May 2020
  • Next review date: May 2022