Burnham Concert Band Data Privacy Notice, 2018
Policy dated 26th April 2018
In delivering its purpose, Burnham Concert Band processes the personal data of its members and supporters. This data is collected and used by the MD and Committee of the band and shall be handled in accordance with the General Data Protection Regulation (GDPR). Burnham Concert Band Data Protection Policy describes what personal data is collected, where it is stored, who can use it and how the rights of individuals are protected.
Individual band members may have collected and stored personal data, for example email addresses or phone numbers of band members, friends or other contacts which they use for their personal use, not directly associated with the management of the band. Such data is not the subject of this policy.
2. What personal data is collected
The band collects the following personal information: name, address, phone number(s), email address and emergency contact, if and when applicable.
The band does not collect sensitive personal information as defined in the GDPR. This includes data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
3. Use of personal data
The personal data is collected and processed by members of the Burnham Concert Band Committee and associated Sub-Committees for the purposes of operation of the band, for management of the band’s activities, for fundraising, for marketing and for general communications.
The personal data shall be used in accordance with the permission to use the data given by individuals. The personal data shall not be used for any other purpose and shall not be provided to third parties. Any emails sent out to the whole band will be sent using Blind Copy (BCC) so that other band members will not have access to all other emails.
Personal data shall only be stored for the period for which it is required, for example for the duration of membership tenure. Data which is no longer required, or which is out of date, shall be deleted.
4. Where the personal data is stored and who has access to it
Personal data is used by the members of the Band Committee and associated Sub-Committees. It is stored on the personal computers of Committee Members and some personal data is also stored on a shared drive. Personal data which is collected from the band website, such as queries, on-line purchases and box-office bookings is stored on the website server.
The following policies apply to the storage and sharing of this data.
1. Personal data stored on personal computers shall be protected by a login and password security mechanism. In the case where the personal computer is accessible to other parties, the individual files containing personal data should be password protected.
2. Personal data shall not be copied to, or transferred by, USB stick (or other portable storage) unless the files are password protected.
3. Personal data held on a computer programme such as a shared drive shall be password protected and accessible only to authorised committee members. Access permission is controlled by the band’s administrator.
4. Personal data held on the website server shall be password protected and accessible only to authorised committee members. Access permission is controlled by the band’s website administrator.
5. When Committee members cease to serve on the Committee, any personal data they hold shall be deleted.
6. Personal data may be shared with other Committee Members for the purposes of management of the band.
5. Permission to use the data
Prior to collecting personal data, permission shall be obtained from each individual to store their data and to contact them. Such permission may be gained by use of the membership form, or other means. This is an opt-in process; permission should not be assumed.
6. Rights of individuals
Individuals have the right to see what personal data has been stored. When a request to see personal data is received, one committee member will coordinate the response and will ask all other Committee members to provide their relevant stored data for collection into a single response to the request.
Individuals have the right for their personal data to be removed from use by the band and for their history to be deleted. When a request for removal of personal data and/or history is received, one committee member will coordinate the response and ask each committee member to delete the relevant data. The individual concerned will be notified that their personal data and/or history have been deleted.
Individuals have the right to ask for their personal data to be changed. When a request to change personal data is received, one committee member will coordinate the response and will ask all other committee members to change the relevant stored data. The individual concerned will be notified that their personal data has been changed.
7. Registration with the Information Commissioner’s Office
The Band is a not-for-profit organisation which only processes information necessary to provide or administer activities for people who are members of the organisation or who have regular contact with it. The band qualifies for exemption from the registration requirements with the Information Commissioner’s Office (ICO).
8. Maintenance, audit and review
An initial audit has been carried out to identify what personal data is being held and for what purpose. Such an audit may be repeated from time to time.
It is the responsibility of individual Committee Members to maintain accurate data, and to delete data which is no longer required.
The Committee will review this policy every two years.