This policy has been compiled by the trustees to ensure that as a charitable incorporated organisation (CIO) Brighton Festival Chorus (BFC) meets its legal obligations under the relevant data protection legislation and follows recognised good practice in the processing and protection of personal and organisational data.
This policy relates to all data kept by BFC about an individual and applies to all BFC records.
Data protection and privacy (DPP) is essentially all about how we protect of the personal data of individuals whether they are members, staff, donors, Friends of BFC, clients or audience.
The purpose of this policy is to ensure that BFC
• Complies with the law
• Follows good practice
• Protects members and other individuals as outlined above
• Protects the organisation
What the legislation requires
Legislation in 1998, 2003 and 2007 means that Data Protection and Privacy (DPP) now covers the majority of manual records (files, letters, and paper records etc) as well as any electronic records and electronic channels of communication (email, telephone and fax). The introduction of the EU General Data Protection Regulation (GDPR) in 2018 means that BFC now has significantly more legal liability should it be held responsible for a breach.
Appendix 1 gives details of the areas permitted for charities to collect information. Note that charities such as ours are exempt from registering with the DPP Commissioners providing we meet specific criteria, but charities are still legally obliged to confirm to the principles outlined in Appendix 2.
BFC Policy statement
1. We will only keep data on individuals that is justified for the purposes of establishing or maintaining membership or support for BFC and/or providing or administering other activities in order to fulfil the established purpose of the charity.
2. Permission to do so must be given explicitly by the individual concerned,
i) In the case of Friends and other BFC supporters through signing on to an email distribution list.
ii) In the case of BFC members and its music staff, signing to acknowledge and agree the scope and extent of the data collected and with the knowledge of how that data will be used.
Note that individuals must opt in.
3. The information we keep may relate to information about individuals who are either members of BFC or who have regular contact with the organisation. The 2018 regulations require that in all cases a privacy statement must be given to explain the purpose for collecting the data. The statements are aligned with the purpose for collection.
See Appendix 3a DP statement for members
4. We will restrict any disclosures, other than those made with the consent of the individual, to those third parties which are necessary to fulfil the above purposes, for example the Charities Aid Foundation (CAF) or HMRC for Gift Aid purposes.
5.We will not keep personal data once the need has become either obsolete or after the relationship between BFC and the individual ends, unless it is necessary to do so to comply with legislation.
6. We will be open with individuals about what information is kept about them.
7. Individuals will have the right to view the information kept about them in order to correct any factual inaccuracies.
8. If we wish to collect and keep what is classified as sensitive data* about an identifiable individual we will seek explicit permission from them to do so. We will only collect such information where it is justifiable to do so, e.g. in order to provide appropriate support to the member during choir activities for health and safety reasons.
9. Appropriate technical and organisational measures shall be taken to secure data against unauthorised or unlawful access and processing.
10. If performing abroad, we will not transfer personal data to other countries (except names of singers if required) unless it is necessary for travel/visa purposes.
11. We will not sell personal data to direct marketing companies
12. This policy will be regularly reviewed by the Trustees, will be posted on the BFC public website, and will be included in the pack given to all new members.
*Sensitive data is anything we may record about racial, ethnic origin, beliefs, health, sexual orientation and criminal convictions that can be identified back to an individual.
As a charity we are permitted to collect data about individuals to support the following areas:
3. Realising the Objectives of a Charitable Organisation or Voluntary Body
4. Accounts & Records
5. Advertising, Marketing & Public Relations
6. Information and Databank Administration
7. Journalism and Media
8. Processing for Not for Profit Organisations
Appendix 2 : Data Protection and Privacy Principles
1. Personal data shall be processed fairly and lawfully – i.e. the data subjects must be told who is collecting the information, and the purposes for which the data is being collected.
2. Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that/those purpose(s).
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose(s) shall not be kept for longer than is
necessary for that purpose.
6. Personal data shall be processed in accordance with the rights of data subjects under the Act. Briefly, these rights are:
a) The right to have a copy of information held about them
b) The right to take action for compensation
c) The right to have inaccurate personal data corrected or erased.
3a. Data Privacy Statement for members
BFC collects data about its members in order to run the choir. In line with GDPR 2018 regulations, we only collect information around our legitimate interests.
2. Financial information. The Treasurer holds information about your standing order or direct debits. This is confidential and is not shared elsewhere.
3. Singer Audition and re audition notes. The Music Director holds the details about the audition(s). These details are not shared
4. Duration We hold your name and contact and payment details for the duration of your membership. If you are happy to remain in contact with us we retain your contact details only. For our archives we retain the names of retired singers, which includes the date they left BFC
5. Sharing with third parties The information we hold about you is not released to third parties unless you are participating in a externally promoted event (names only, and any special health and safety requirements required by the organisers to meet an individual member’s needs).
6. Removing information If you do not want us to retain any of this information after you leave, contact the Chair of Trustees to request that your information is deleted. firstname.lastname@example.org
7. Correcting data. You have a right to see any information held about you and to correct any factual inaccuracies. To do so contact the chair of trustees Chair@bfc.org.uk
3b. Data Privacy Statement for Friends of BFC
BFC collects basic data about its Friends in order to run the Friends scheme. In line with GDPR 2018 regulations, we only collect information around our legitimate interests.
1. General administration to carry out the choir’s purpose. We hold your name, address, telephone numbers and email address. This is available to the Fundraising Manager and the Friends scheme administrator, and your name is given to our concert programme editor for recognising your contribution in our programmes.
2. Financial information. The Treasurer holds information about your payments. This is confidential and is not shared elsewhere.
3. Sharing with third parties The information we hold about you is not released to third parties.
4. Removing information If you resign from the scheme we will delete any information we hold after you leave.
5. Correcting data. You have a right to see any information held about you and to correct any factual inaccuracies. To do so contact the Chairman : email@example.com
3c. Data Privacy Statement for BFC Newsletter subscribers.
BFC keeps the email addresses of subscribers to the newsletter in order to distribute it. We hold your preferred email contact only. The information we hold about you is not released to third parties. You can unsubscribe to this newsletter by clicking the link on the newsletter or mailing firstname.lastname@example.org
[Revised 05 November 2020]