GENERAL DATA PROTECTION REGULATION (GDPR) POLICY DOCUMENT
- PURPOSE OF THIS POLICY
- ROLES AND RESPONSIBILITIES
- DATA PROTECTION PRINCIPLES
- DATA LOCATION
The New London Music Society, Coxhill Cottage, Station Road, Chobham, Woking GU24 8AU Registered charity number 283630 (NLMS) needs to collect and use certain types of information about the Individuals and Organisations who come into contact with it in order to carry on its work. These can include members, course applicants, employees, contractors, suppliers, volunteers, audiences and potential audiences, business contacts and other people with whom the group has a relationship, or it regularly needs to contact.
This policy explains how this data should be collected, stored and used, whether on paper, stored in a computer database, or recorded on other material in order to meet NLMS’s data protection standards and comply with the law under the General Data Protection Regulation (GDPR 2018).
- PURPOSE OF THIS POLICY
This policy ensures that NLMS:
- Protects the rights of its members, supporters, Board and Committee members, Trustees, Contractors and Suppliers
- Processes data lawfully, fairly and in a transparent manner
- Collects data that are specific and limited to legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Complies with data protection law (GDPR) and follows good practice
- Is protected from the risks of a data breach
- Processes data in a manner that ensures the security of personal data and protects against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- ROLES AND RESPONSIBILITIES
This applies to all those handling data on behalf of NLMS, e.g.:
- Committee members
- Administrative Staff & Officers
- Friends and Patrons
- Members and Course Applicants
- Contractors/3rd-party suppliers.
It applies to all data that NLMS may hold relating to individuals, including but not limited to:
- Email addresses
- Postal addresses
- Phone numbers
- Dates of birth
- email preferences
- Qualifications and other relevant information
- Payment details and purchase history
- Any other relevant personal information held (e.g. financial)
NLMS is the Data Controller, which means that it determines for what purposes personal information is held and for what it will be used. For the purposes of this policy, the Administrator, Suzanne Meaden Suzanne.email@example.com is the first point of contact for the Data Controller.
A Glossary of terms used in the GDPR legislation is included as an Appendix.
- DATA PROTECTION PRINCIPLES
(a) We fairly & lawfully process personal data
NLMS will only collect data where lawful and where necessary for legitimate purposes. In accordance with the GDPR, data will be processed on the lawful bases of Consent, Legitimate Interest, Necessary for contract or legal obligation.
Where consent is required, NLMS will ensure that individuals have given clear consent for the use of their personal data for a specific purpose that has been explained in clear, plain language that is easy to understand. NLMS will ensure that consent is given by positively opting in and can be withdrawn at any time, without detriment, by contacting the Data Controller. NLMS will keep a record of when and how it obtained consent from an individual and a record of exactly what it was told at the time.
Personal data will be processed under the lawful basis of Contract where it is necessary to do so for transactions related specifically to course administration, including but not limited to, payment processing and information regarding event and course information administration.
NLMS may require personal data to be processed under the basis of Legitimate Interest. An assessment will be undertaken to ensure that this is necessary, would be reasonably expected by the data subject, will not create an adverse impact on the data subject, and that we have put safeguards in place to protect data subjects from any potential harm. Any related communication will state the purpose of the procedure and will ensure that consent can be withdrawn for a specific reason, without detriment, by contacting the Data Controller.
- Applicants’ details will be collected when they first apply and will be used as a form of Contract regarding membership services. Other data may subsequently be collected in relation to their participation in the Society’s activities, including but not limited to payment history for course attendance.
- Applicants’ details may be used to communicate promotional and fundraising activities of NLMS where there is a legitimate interest to do so. Where consent is required, this will be secured on an “opt in” basis, clearly explaining why the data are required and for what they will be used.
- The names and contact details of Trustees, Committee members, employees, officers and contractors will be collected when they take up a position and will be used solely to enable communication related to their role, unless prior consent is otherwise given by the data subject.
- Further information, including personal financial information and criminal records information may be collected in specific circumstances where lawful and necessary (e.g. in order to process payment to the person, or in order to carry out a DBS check).
- The name, contact details and other relevant details of an individual who is not an applicant for one of the Society’s activities may be collected at any time, such as showing interest in the organisation. NLMS will communicate with the data subject about its related activities, and/or for Direct Marketing related to its work with the subject’s consent as required.
- Whenever NLMS uses a 3rd party as a processor, a written contract is put in place.
(b) We only collect and use data for specified and lawful purposes
- When collecting data, NLMS will ensure the data subject is notified about what data are required and for what purposes they will be processed.
- We will never use data for any purpose other than that stated or that can be considered reasonably related to that purpose.
(c) We ensure any data collected are relevant and not excessive
- NLMS will not collect or store more data than the minimum required for the intended purpose.
(d) We ensure data are accurate and up-to-date
- NLMS will ask course attendees, members, volunteers and officers to regularly check and update their data.
- Any individual will be able to update their data at any point by contacting the Data Controller.
(e) We ensure data are not kept longer than necessary
- NLMS will keep data on individuals for no longer than 36 months after its involvement with the individual has ceased, unless there is a legal requirement to keep records, or for statistical and archival purposes.
(f) We process data in accordance with individuals’ rights
The following requests can be made in writing to the Data Controller:
- Applicants and supporters can request to see any data stored on or about them. Any such request will be actioned within 30 days of the request being made.
- Applicants and supporters can request that any inaccurate data held on them are updated. Any such request will be actioned within 14 days of the request being made.
- Applicants and supporters can request to stop receiving any marketing communications. Any such request will be actioned within one month of the request being made.
- Applicants and supporters can object to any storage or use of data that might cause them substantial distress of damage, or any automated decisions made based on their data, including the right to erasure, subject to any legal reason that NLMS may have to retain the data. Any such objection will be considered by the Secretary and a decision communicated within 30 days of the request being made.
(g) We keep personal data secure
NLMS will ensure that:
- Data held by us are kept secure.
- Electronically-held data will be held within a password-protected and secure environment
- Physically-held data (e.g. application forms and payment details) will be stored in a secure location
- Access to data will only be given to relevant trustees, officers, members and contractors where it is clearly necessary for the organisation’s operation. The Data Controller will decide in what situations this is applicable and will keep a master list of who has access to relevant data.
(h) We only share applicant’s data with the subject’s prior consent
Applicants can request the personal contact data of other applicants in writing via the Data Controller. These details will be given, as long as they are only for the purposes of contacting the subject (e.g. an email address, not financial or any other personal data) and the subject consents to their data being shared with other applicants in this way.
(i) Direct Marketing
NLMS will regularly send information regarding events, areas of legitimate interest and fundraising activities to consenting individuals. This includes, but is not restricted to, contacting them to promote courses and other events, updating them about NLMS news, fundraising and other interests.
Whenever data is collected for this purpose, NLMS will provide:
- A clear and specific explanation of for what the data will be used
- A method for users to show their active consent to continue receiving these communications (e.g. a ‘tick box’).
Data thus collected will only ever be used in the way described and will never be used to market 3rd-party products unless prior explicit consent has been obtained.
Every marketing communication will contain a method through which a recipient can withdraw their consent from subsequent such communications (e.g. an ‘unsubscribe’ link in an email). Opt-out requests such as this will be processed within one month.
Cookies are small text files which a website may put on the user’s computer or mobile device when they first visit a site or page. Some cookies are essential for the operation of the NLMS website. Other cookies analyse how visitors use our websites and monitor website performance. We use functionality cookies to allow us to remember preferences and to enable the delivery of specific services.
Whenever a cookie is used, NLMS will provide:
- A clear explanation of the purpose and function
- A method for users to show their consent by actively opting-in when required
- A clear explanation that if a user opts to disable cookies, they will not be able to access all of the content.
Training will be provided to all officers and other relevant data handlers to ensure they have the necessary understanding of the GDPR legislation appropriate to their role and responsibilities
- DATA LOCATION
External Data is held on the local devices of the Administrator and the Secretary, and may be securely stored on a Cloud platform. Relevant membership communications are also made outside the European Economic Area where necessary.
APPENDIX – GLOSSARY OF TERMS
Definitions (as per the GDPR)
- Child means anyone under the age of 13 for the provision of online services. It may only lawful to process the personal data of a child under the age of 13 upon receipt of consent from the child’s parent or legal custodian, we reserve the right to decide as the data controller whether a child under the age of 13 has competency or an understanding of their circumstances and therefore as to whether parental consent might be required.
- Data controller may be a natural or legal person, whether a public authority, agency or other body which, individually or jointly with others, is in charge of ascertaining the purposes and means by which personal data shall be processed. Where EU or Member State law predetermines the purposes and means of processing personal data, the data controller or, if appropriate, the specific criteria for selecting the data controller, may be provided for by EU or Member State law.
- Data subject refers to any living person who is the subject of personal data (see above for the definition of ‘personal data’) held by an organisation. A data subject must be identifiable by name, ID, address, online identifier or other factors such as physical, physiological, genetic, mental, economic or social.
- Data subject consent refers to any specific indication by the data subject that signifies consent to the processing of personal data. Consent may take place by way of a written or oral statement or by clear, unambiguous action and must be given freely at all times, without duress, with the data subject being properly informed.
- Establishment refers to the administrative head office of the ‘data controller’ in the EU, where the main decisions regarding the purpose of its data processing activities are made. ‘Data controllers’ based outside of the EU are required to appoint a representative within the jurisdiction in which they operate to act on its behalf and liaise with the relevant regulatory and supervisory authorities.
- Filing system refers to any personal data set which is accessible on the basis of certain benchmarks, or norms and can be centralised, decentralised or dispersed across various locations.
- Personal data – means any information relating to a data subject.
- Personal data breach refers to a security breach which results in the disclosure, alteration, destruction or loss of personal data, as well as unauthorised access to personal data that is stored, transmitted or processed by any other means, whether accidentally or unlawfully. All personal data breaches must be reported to relevant regulatory authority by the ‘data controller’ at all times, whereas the data subject need only be informed of a data breach when it is likely that the breach will have an adverse effect on his or her privacy or personal data.
- Processing refers to any action taken in relation to personal data, including but not limited to collection, adaptation or alteration, recording, storage, retrieval, consultation, use, disclosure, dissemination, combination or deletion, whether by automated means or otherwise.
- Profiling refers to any form of personal data processing that is automated, with the intention of assessing personal aspects of a data subject or analysing a data subject’s employment performance, economic status, whereabouts, health, personal preferences and behaviour. The data subject has a right to object to profiling and a right to be informed of the fact that profiling is taking place, as well as the intended outcome(s) of the profiling.
- Special categories of personal data refers to personal data covering such matters as racial or ethnic origin, beliefs – whether religious, political or philosophical – membership of a trade-union and data relating to genetics, biometric identification, health, sexual orientation and sex life.
- Territorial scope the GDPR applies to all EU based ‘data controllers’ who engage in the processing of data subjects’ personal data as well as to ‘data controllers’ located outside of the EU that process data subjects’ personal data so as to provide goods and services, or to monitor EU based data subject behaviour.
- Third party is a natural or legal person other than the data subject who is authorised to process personal data, whether a public authority, agency or other body controller, processor or any other person(s) under the direct authority of the controller or processor.