Privacy and Data Protection Policy

Key details

Policy prepared by: James Macartney/Roger Mills/John Griffiths
Approved by committee on: 11th June 2019
Reviewed by committee on: 12th July 2022
Next review date: 12th July 2024

Introduction

In order to operate, the Two Castles Male Voice Choir needs to gather, store and use certain forms of information about individuals.

These can include members, employees, contractors, suppliers, volunteers, audiences and potential audiences, business contacts and other people the group has a relationship with or regularly needs to contact.

This policy explains how this data should be collected, stored and used in order to meet the Two Castles Male Voice Choir data protection standards and comply with the General Data Protection Regulations (GDPR).

What is this guide for?

Whenever we need to collect any of your data, we will let you know at that point why we need to do so and what it will be used for, but this guide provides a useful overview of all of those situations and provides more detail on how we keep your data secure and up to date, how long we might hold it for, and what your rights are in relation to it.

Two Castles Male Voice Choir is committed to protecting your personal data and will use any personal or sensitive data we collect from you in line with the General Data Protection Regulations (GDPR).

Who is responsible for data the Choir collects?

Two Castles Male Voice Choir is a Data Controller under the GDPR. The Trustees of the Two Castles Male Voice Choir are collectively responsible for ensuring compliance with the law, but day to day matters are delegated to the Data Protection Officer who can be contacted at: GDPR@twocastlesmvc.org.uk

What data do we collect and what do we use it for?

Two Castles Male Voice Choir collects data from individuals to help us plan, organise and run the day-to-day operations of the group (e.g. co-ordinating rehearsals or collecting subscription payments) and to promote the group’s activities (e.g. mailing lists and photography/video capture). Data may be collected from the following entities:

Members: for administering membership

When you first become a probationary member of the Two Castles Male Voice we will collect the following information on you on a form which allows you to opt in or out of various uses to which your data may be put:

  • Full name

  • Address

  • Telephone number(s)

  • Email address

  • Voice group

During your probationary period this information will be used only by Officers and Committee Members for administrative purposes and will not be published or made available – either in electronic or hard copy form – to the general membership or to any external entity.

Once you become a full member of the Two Castles Male Voice, dependant on the consent you have given us, we will publish your name, email address and telephone number in an area of the choir's secure online 'cloud' storage which is accessible only to Members of the choir and not to the general public. If you give us your consent to do so, we may also use your contact details to send you promotional communications from the Choir relating to our activities, and/or information about musical events organised by other groups which may be of interest.

You can opt out of providing any or all of this information or from receiving promotional communications. You can also withdraw consent at any point by contacting the Data Protection Officer (see above). Please note that if you decide to opt out of providing these contact details, it will be your responsibility to keep yourself informed regarding day-to-day matters relating to all choir members such as rehearsal schedules and the dates of concerts and other events.

Event attendees: for processing and managing tickets for events

Where our events are ticketed, we may need to collect data on the person booking (name and email) in order to allow you access to the event and to send you a confirmation of your reservation/purchase. This data will only be used for administering your access to the event for which you have booked and will not be used to send you promotional messages from the Choir unless you have also provided your consent to receive these (see below).

Employees and contractors: for administration and legal/regulatory purposes

We may need (for administration or for legal/regulatory reasons) to collect personal or sensitive data on contractors of the group. Where this is the case, we will explain what this is for at the point of collection.

Mailing list subscribers: for marketing and promotion

We offer everybody the opportunity to sign up (consent) to receive promotional information on the Choir activities (e.g. emails about forthcoming events).

When you sign-up to our mailing list we will ask for your name, email, phone number, address and will use this data to send you information about our events and activities
(e.g. forthcoming performances, and social events). We will also ask you whether you are willing to receive information about events being staged by other choirs and musical groups.

Anything we send you will include a clear option to withdraw your consent (e.g. to ‘opt out’ of future emails) and you can also do so at any time by contacting the Data Protection Officer.

Do we share your data with anyone else?

We will never pass your details on to third parties for marketing purposes.

Are there special measures for children’s data?

We do not knowingly collect or store any personal data about children under the age of 13.

How can you update your data?

You can contact us at any time at GDPR@twocastlesmvc.org.uk to update or correct the data we hold on you.

How long we will hold your data?

The Two Castles Male Voice Choir data retention policy is to review all data held on individuals at least every two years and remove data where we no longer have a legitimate reason to keep it.

Where you have withdrawn your consent for us to use your data for a particular purpose (e.g. unsubscribed from a mailing list) we may retain some of your data for up to two years in order to preserve a record of your consent having been withdrawn.

How do we keep your data secure?

There are two aspects to data security – preventing accidental loss of data and preventing unauthorised access.

The master copy of all personal data held by the choir is encrypted and stored on secure 'cloud' storage administered and backed up by Box.com. In addition, the Data Protection Officer maintains an additional backup copy of all personal data on a local computer accessible only to himself.

All Officers and Choir Members authorised to access personal data within the cloud storage area have individual Usernames and Passwords. When a member leaves the choir or otherwise becomes ineligible to access this area, his authorisation is removed.

What about website & Facebook visitors?

The Choir maintains a website and Facebook page which are completely separate from the secure cloud storage, and which provide information about the choir for the benefit of the general public. No personal data is stored on the choir website or Facebook page, apart from the names of choir Office Holders and, in some cases, choir-based email addresses. We do not knowingly use cookies on our website. Whilst our website provider and Facebook may collect anonymised usage statistics, no information is collected which would enable individual visitors to be identified, unless a visitor chooses to do so by "liking" the Facebook page or adding comments.

What rights do you have?

Under the GDPR, you have the following rights over your data and its use:

The right to be informed about what data we are collecting on you and how we will use it

  • The right of access – you can ask to see the data we hold on you

  • The right to rectification – you can ask that we update or correct your data

  • The right to object – you can ask that we stop using your data for a particular purpose

  • The right to erasure – you can ask us to delete the data we hold on you

  • The right to restrict processing – you can ask that we temporarily stop using your data while the reason for its use or its accuracy are investigated

All requests related to your rights should be made to the Data Protection Officer at GDPR@twocastlesmvc.org.uk. We will respond within one month.

You can find out more about your rights on the Information Commission Office's website at https://ico.org.uk.

What will we do if anything changes?

If we make changes to our privacy statements or processes, we will post the changes in this policy on the choir website. Where the changes are significant, we may also choose to email individuals affected with the new details. Where required by law, will we ask for your consent to continue processing your data after these changes are made.