Charity Commission Number >> 275986
Harpenden Choral Society Data Protection Policy
In order to operate, Harpenden Choral Society needs to gather, store and use certain forms of information about individuals.
These can include members, contractors (e.g. conductors, accompanists and soloists), suppliers, volunteers, audiences and potential audiences, business contacts and other people the society has a relationship with or regularly needs to contact.
This policy explains how this data will be collected, stored and used in order to comply with data protection law.
a) Why is this policy important?
This policy ensures that Harpenden Choral Society:
• protects the rights of our members, volunteers and supporters;
• complies with data protection law and follows good practice;
• protects the society from the risks of a data breach.
b) Who and what does this policy apply to?
This policy applies to all those handling data on behalf of Harpenden Choral Society, e.g. committee members, volunteers, contractors and third-party suppliers.
It applies to all data that Harpenden Choral Society holds relating to individuals, including:
• postal address and telephone number
• email address (if available)
• date of joining
• attendance records
• payment records
• title and signature (if a member has completed a Gift Aid declaration).
2. Roles and responsibilities under the General Data Protection Regulations (GDPR)
Harpenden Choral Society is the Data Controller and will determine what data is collected and how it is used. The Data Protection Officer for Harpenden Choral Society is the Treasurer, Robert Jones. He, together with the trustees, is responsible for the secure, fair and transparent collection and use of data by Harpenden Choral Society. Any questions relating to the collection or use of data should be directed to the Data Protection Officer.
Everyone who has access to data as part of Harpenden Choral Society has a responsibility to ensure that they adhere to this policy.
3. Data Protection Principles
a) We fairly and lawfully process personal data in a transparent way
Harpenden Choral Society will only collect data where lawful and where it is necessary for the legitimate purposes of the society. The collection and use of data is fair and reasonable in relation to Harpenden Choral Society completing tasks expected as part of an individual’s membership and their membership is the lawful basis for processing their data.
• A member’s name and contact details will be collected when they first join the society, and will be used to contact the member regarding society membership administration and activities. Other data may also subsequently be collected in relation to their membership, including their annual payment history.
• The name and contact details of volunteers and contractors will be collected when they take up a position, and will be used to contact them regarding society administration related to their role.
• An individual’s name, contact details and other details may be collected at any time (including when booking tickets or at an event), with their consent, in order for Harpenden Choral Society to communicate with them about and promote society activities.
b) We only collect and use personal data for specific, explicit and legitimate purposes and will only use the data for those specified purposes
When collecting data, Harpenden Choral Society will always provide a clear and specific privacy statement explaining to the subject why the data is required and how it will be used.
c) We ensure any data collected is relevant and not excessive
Harpenden Choral Society will not collect or store more data than the minimum information required for its intended purpose.
d) We ensure data is accurate and up-to-date
Harpenden Choral Society will ask members and volunteers to inform the Data Protection Officer or the Membership Secretary of any change in their details held by the society; these will then be amended as soon as possible.
e) We ensure data is not kept longer than necessary
Harpenden Choral Society will keep records for no longer than is necessary in order to meet the intended use for which it was gathered (unless there is a legal requirement to keep records).
The storage and intended use of data will be reviewed in line with Harpenden Choral Society’s data retention policy. When the intended use is no longer applicable (e.g. contact details for a member who has left the society) the data will be deleted within a reasonable period.
f) We keep personal data secure
Harpenden Choral Society will ensure that data held by the society is kept secure.
• Electronically-held data will be held within a password-protected and secure environment.
• Physically-held data (e.g. membership forms or email sign-up sheets) will be stored securely.
• Each time an individual with data access leaves their role/position their access to any centrally-held electronic data files will be terminated, and they will be asked to confirm that they have deleted any electronic data and shredded any paper copies held by them.
• Access to data will only be given to relevant committee members and volunteers where it is clearly necessary for the running of the society. The Data Protection Officer will decide in what situations this is applicable and will keep a master list of who has access to data.
4. Individual Rights
When Harpenden Choral Society collects, holds and uses an individual’s personal data that individual has the following rights over that data. Harpenden Choral Society will ensure its data processes comply with those rights and will make all reasonable efforts to fulfil requests from an individual in relation to those rights:
• Right to be informed: whenever Harpenden Choral Society collects data it will provide a clear and specific privacy statement explaining why it is being collected and how it will be used.
• Right of access: individuals can request to see the data Harpenden Choral Society holds on them and confirmation of how it is being used. Requests should be made in writing to the Data Protection Officer and will be complied with free of charge and within one month. Where requests are complex or numerous this may be extended to two months.
• Right to rectification: individuals can request that their data be updated where it is inaccurate or incomplete. Harpenden Choral Society will request that members, volunteers and contractors check and update their data on an annual basis. Any requests for data to be updated will be processed within one month.
• Right to object: individuals can object to their data being used for a particular purpose. Harpenden Choral Society will always provide a way for an individual to withdraw consent in all marketing communications. Where we receive a request to stop using data we will comply unless we have a lawful reason to use the data for legitimate interests or contractual obligation.
• Right to erasure: individuals can request that all data held on them be deleted. Harpenden Choral Society’s data retention policy will ensure data is not held for longer than is reasonably necessary in relation to the purpose for which it was originally collected. If a request for deletion is made we will comply with the request unless:
i) There is a lawful reason to keep and use the data for legitimate interests or contractual obligation.
ii) There is a legal requirement to keep the data.
• Right to restrict processing: individuals can request that their personal data be ‘restricted’ – that is, retained and stored but not processed further (e.g. if they have contested the accuracy of any of their data, Harpenden Choral Society will restrict the data while it is verified).
5. Member-to-Member Contact
Harpenden Choral Society will only share members’ data with other members with the subject’s prior consent.
As a membership organisation Harpenden Choral Society encourages communication between members. To facilitate this:
• Members can request the personal contact data of other members in writing via the Data Protection Officer or Membership Secretary. These details will be given, as long as they are for the purposes of contacting the subject and the subject has consented to their data being shared with other members in this way.
6. How We Get Consent
Harpenden Choral Society will regularly collect data from consenting supporters for marketing purposes. This includes contacting them to promote performances, updating them about society news, fundraising and other society activities. Whenever data is collected for this purpose, the following will be provided:
• a method for users to show their positive and active consent to receive these communications (e.g. a ‘tick box’);
• a clear and specific explanation of what the data will be used for (e.g. ‘Tick this box if you would like Harpenden Choral Society to send you email updates with details about our forthcoming events, fundraising activities and opportunities to get involved’).
Data collected will only ever be used in the way described and where consent has been given.
Every marketing communication will contain a method through which a recipient can withdraw their consent. Opt-out requests such as this will be processed within 14 days.
A cookie is a small file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.
A user can choose to accept or decline cookies. Most web browsers automatically accept cookies, but users can modify their browser setting to decline cookies if preferred. This may prevent a user from taking full advantage of the website.
Links to other websites
Harpenden Choral Society’s website may contain links to other websites of interest. However, once these links have been followed, users should note that Harpenden Choral Society does not have any control over those other websites. Therefore, the Society cannot be responsible for the protection and privacy of any information which the user provides whilst visiting such sites and such sites are not governed by this policy. The user should exercise caution and look at the privacy statement applicable to the website in question.
8. Data Retention
Harpenden Choral Society’s policy on data retention is set out in the society’s Data Retention Policy.
• Policy prepared by: Robert Jones
• Approved by committee on 14 May 2018
• Point 7 added by Gill Mourant on 3 January 2019
• Next review date: May 2020