Data Protection Policy and Procedures

Introduction

Wollaton Singers is committed to a policy of protecting the rights and privacy of individuals. The choir needs to collect and use certain types of data in order to carry out our work. This Personal Data will be collected and dealt with appropriately.

The General Data Protection Regulation and Data Protection Act 2018 (together the "Data Protection Legislation") govern the Processing of Personal Data. Personal Data can be held on computer or in a manual file, and includes email, minutes of meetings, and photographs. Wollaton Singers will remain the Controller for the information held. Wollaton Singers members will be responsible for processing and using Personal Data in accordance with the Data Protection Legislation.

Management committee members and members running the Wollaton Singers who have access to Personal Data will be expected to read and comply with this policy.

Purpose

The purpose of this policy is to set out the Wollaton Singers commitment and procedures for protecting Personal Data. We regard the lawful and correct treatment of Personal Data as very important to successful working, and to maintaining the confidence of those who we deal with.

The Data Protection Legislation

This contains principles for processing Personal Data with which Wollaton Singers will comply.

Personal Data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed
  6. processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
  7. The Controller shall be responsible for, and be able to demonstrate, compliance with the above principles.

The following list contains definitions of the technical terms we have used and is intended to aid understanding of this policy:

Controller – means the individual or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Data Protection Officer – The person on the management committee who is responsible for ensuring that it follows its data protection policy and complies with the Data Protection Legislation.

Data Subject/Service User – an identified or identifiable individual whose Personal Data is being held or processed by Wollaton Singers, for example a member.

'Explicit' consent – is an explicit, freely given, specific, informed and unambiguous agreement by a Data Subject (see definition) to the processing of Personal Data about them.

Explicit consent is needed for processing sensitive data this includes the following:

  1. racial or ethnic origin of the data subject
  2. political opinions
  3. religious beliefs or philosophical beliefs
  4. trade union membership
  5. genetic, biometric, or physical or mental health or condition
  6. concerning sex life or sexual orientation
  7. criminal record
  8. proceedings for any offence committed or alleged to have been committed

Information Commissioner – The UK's regulatory body responsible for implementing and enforcing the Data Protection Legislation.

Personal Data Breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed

Processing – means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Personal Data – any information relating to an identified or identifiable individual (Data Subject); an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual; – e.g. names, addresses, telephone numbers and email addresses. It does not apply to information about organisations, companies and agencies but applies to named persons, such as individual members of the group.

Correcting Data

Data Protection Legislation provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Responsibilities

Wollaton Singers is the Controller, and is legally responsible for complying with Data Protection Legislation, which means that it determines what purposes Personal Data held will be used for.

The management committee will comply with legal requirements and ensure that they are properly implemented through appropriate management and strict application of criteria and controls:

  • Observe fully conditions regarding the fair collection and use of information
  • Meet its legal obligations to specify the purposes for which information is used
  • Collect and Process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements
  • Ensure the quality of information used
  • Ensure that the rights of people about whom information is held, can be fully exercised under the Data Protection Legislation.
  • Take appropriate technical and organisational security measures to safeguard Personal Data
  • Ensure that Personal Data is not transferred abroad without suitable safeguards
  • Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
  • All members of Wollaton Singers (the Data Subjects) have the right to access their personal data and any supplementary information held by the choir. Their details will be disclosed on request, either verbal or written, without delay and within one week of the request being made.

The Data Protection Officer will be responsible for ensuring that the policy is implemented and will have overall responsibility for:

  • Everyone processing Personal Data understands that they are responsible for following good data protection practice
  • Everyone processing Personal Data is appropriately trained to do so
  • Everyone processing Personal Data is appropriately supervised
  • Anybody wanting to make enquiries about handling Personal Data knows what to do
  • Dealing promptly and courteously with any enquiries about handling Personal Data
  • Describe clearly how it handles Personal Data
  • Will regularly review and audit the ways it holds, manages and uses Personal Data
  • Will regularly assess and evaluate its methods and performance in relation to handling Personal Data
  • All members are aware that a breach of the rules and procedures identified in this policy may lead to action being taken against them

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Legislation.

In case of any queries or questions in relation to this policy please contact Wollaton Singers Data Protection Officer.

Data Collection

Informed Consent

Informed consent is when:

  • A Data Subject clearly understands why their information is needed, who it will be shared with, and the possible consequences of them agreeing or refusing the proposed use of the data
  • and then gives their consent

Wollaton Singers will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.

When collecting data, Wollaton Singers will ensure that the Data Subject:

  • Clearly understands why the information is needed
  • Understands what it will be used for and what the consequences are should the Data Subject decide not to give consent to processing
  • As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed
  • Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress
  • Has received sufficient information on why their data is needed and how it will be used

An example of the Privacy Notice we provide to all Data Subjects on collecting their Personal Data is set out in the Data Protection Consent Form.

Data Storage

Information and records relating to service users will be stored securely and will only be accessible to authorised members.

Information will be stored for only as long as it is needed or required by law and will be disposed of appropriately.

It is Wollaton Singers' responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Legislation.

Data Subject Access Requests

Wollaton Singers regards the lawful and correct treatment of Personal Data as very important to successful working, and to maintaining the confidence of our members.

Anyone whose Personal Data is stored by Wollaton Singers has the right to see their information at any time on request to the Data Protection Officer.

Wollaton Singers intends to ensure that Personal Data is treated lawfully and correctly.

Risk Management

The consequences of breaching Data Protection Legislation can cause harm or distress to service users if their information is released to inappropriate people, or they could be denied a service to which they are entitled. Members should be aware that they may be personally liable if they use other members Personal Data inappropriately. This policy is designed to minimise the risks and to ensure that the reputation of the Wollaton Singers is not damaged through inappropriate or unauthorised access and sharing.

Destroying Personal Data

Personal Data will only be kept for as long as it is needed. The data will be securely disposed of when the member leaves the choir unless the individual requests otherwise (e.g. to be kept in touch regarding future events). The list will be reviewed annually. We will ensure that information relating to employment of paid professionals is confidentially destroyed at the end of the relevant retention period.

Further Information

If members of the public/or stakeholders have specific questions about information security and data protection in relation to the Wollaton Singers please contact the Data Protection Officer

The Information Commissioner's website is another source of useful information.