Data Protection
AFC Privacy Statement |
Privacy Statement
Applicable from: August 2020
What information do we ask you for?
As a Member (if you are rehearsing and singing in our concerts):
We ask you for your contact details, including:
your name
your telephone numbers (land-line and mobile if applicable)
your email address, if you have one
your address
We ask you for a simple tax status indication, if you indicate that you agree to allow us to reclaim Gift Aid on your behalf.
We also ask you to agree to appear in any photographs taken of the choir.
As a Supporter (if you attend our concerts and other events):
We ask you for your contact details, including:
your name
your email address, if you have one
optionally, your telephone numbers (land-line and mobile if applicable)
optionally, your address
As a Contractor (if you provide services to us for a fee):
We ask you for your contact details, including:
your name
your telephone numbers (land-line and mobile if applicable)
your email address, if you have one
your address
How will information about you be used?
Please note: the information you provide will be retained on a database.
We will never use your data for any purpose other than that stated or that can be considered reasonably to be related to it. For example, we will never pass on personal data to third parties without your explicit consent.
As a Member (if you are rehearsing and singing in our concerts):
We ask you for your contact details so that we can send you updates relating to the administration of Aylesbury Festival Choir. These updates will include, for example: information about rehearsal and concert schedules, subs payments, notices of other concerts, and other business.
We need your name and address for the Gift Aid claims.
We also ask you to agree to appear in any photographs taken of the choir so that these may be used to promote choir activities, or provide information to other members. Such photographs may appear on websites (such as our own) and on occasion you may be identifiable in them.
As a Supporter (if you attend our concerts and other events):
We ask you for your contact details so that we can send you updates relating to the activities of Aylesbury Festival Choir. These updates will include, for example: information about future programmes and rehearsal terms, our concerts, and other events such as workshops.
As a Contractor (if you provide services to us for a fee):
We ask you for your contact details so that we can send you updates relating to the administration of Aylesbury Festival Choir. These updates will include, for example: information about rehearsal and concert schedules, your contract and obligations to the choir, and other business.
How will we contact you?
We prefer to contact you via email, if that is possible, and will ask you for your explicit agreement to do this.
More information?
If you wish to withdraw your consent, check the data we hold on you, or need any further information, please email us at [email protected], or write to us at: Chairman, AFC, Charlotte Cottage, 15 Haddenham Road, Kingsey, HP17 8LS.
AFC Data Protection Policy |
Data Protection Policy
Key details
Policy prepared by: Mike Elliott
Approved by Committee on: 03/09/2024
Next review date: August 2025
Introduction
In order to operate, Aylesbury Festival Choir (hereinafter called 'the Group') needs to gather, store and use certain forms of information about individuals.
These individuals can include members, employees, contractors, suppliers, volunteers, audiences and potential audiences (referred to as “supporters”), business contacts and other people the Group has a relationship with or regularly needs to contact.
This policy explains how this data should be collected, stored and used in order to meet the Group’s data protection standards and comply with the law.
Why is this policy important?
This policy ensures that the Group:
Protects the rights of its members, volunteers and supporters
Complies with data protection law and follows good practice
Protects the Group from the risks of a data breach
Who and what does this policy apply to?
This applies to all those handling data on behalf of the Group, e.g.:
Committee members
Employees and volunteers
Members
Contractors and third-party suppliers
It applies to all data that the Group holds relating to individuals, including:
Names
Email addresses
Postal addresses
Phone numbers
Photographic images in which one or more individuals may be identified
Any other personal information held (e.g. financial)
Roles and responsibilities
Everyone who has access to data as part of the Group has a responsibility to ensure that they adhere to this policy.
Data controller
The Data Controller for the Group is Kate Atherton, Committee Chair. They, together with the Committee, are responsible for why data is collected and how it will be used. Any questions relating to the collection or use of data should be directed to the Data Controller.
We fairly and lawfully process personal data
The Group will only collect data where lawful and where it is necessary for the legitimate purposes of the group.
A member’s name and contact details will be collected when they first join the Group, and will be updated at the start of each subsequent rehearsal term while they remain a member of the Group. These details will be used to contact the member regarding group membership administration and activities. Other data may also subsequently be collected in relation to their membership, including on their payment history for ‘subs’.
Photographic images of one or more members may be taken during choir rehearsals, concerts and other events. These images may be displayed on websites (including social media) to promote the choir, or for informational purposes to members. On occasion, these images may enable the identification of an individual.
The name and contact details of volunteers, committee members, employees and contractors will be collected when they take up a position, and will be used to contact them regarding group administration related to their role.
Further information, including personal financial information and criminal records information may also be collected in specific circumstances where lawful and necessary (in order to process payment to the person or in order to carry out a Disclosure and Barring Server – DBS – check).
An individual’s name and contact details will be collected when they make a booking for an event. This will be used to contact them about their booking and to allow them entry to the event.
An individual’s name, contact details and other details may be collected at any time (including when booking tickets or at an event), with their consent, in order for the Group to communicate with them about Group activities, and/or for Direct Marketing. See ‘Direct Marketing’ below.
We only collect and use personal data for specified and lawful purposes.
When collecting data, the Group will always explain to the subject why the data is required and what it will be used for, e.g.
“Please enter your email address in the form below. We need this so that we can send you email updates for group administration including about rehearsal and concert schedules, subs payments and other business.”
We will never use data for any purpose other than that stated or that can be considered reasonably to be related to it. For example, we will never pass on personal data to third parties without the explicit consent of the subject.
We ensure any data collected is relevant and not excessive
The Group will not collect or store more data than the minimum information required for its intended purpose.
E.g. we need to collect telephone numbers from members in order to be able to contact them about group administration, but data on their marital status or sexuality will not be collected, since it is unnecessary and excessive for the purposes of group administration.
We ensure data is accurate and up-to-date
The Group will ask members to check and update their data at the start of each rehearsal term, while they remain members of the Group. In addition, the Group will ask contractors, volunteers and staff to check and update their data on an annual basis.
Any individual will be able to update their data at any point by contacting the Data Controller.
We ensure data is not kept longer than necessary
In most cases, the Group will keep data on individuals for no longer than 12 months after involvement with the individual has stopped, unless there is a legal requirement to keep records.
In the case of photographic images, these will be kept for as long as they may be of benefit to the Group, which could be indefinitely.
We process data in accordance with individuals’ rights
The following requests can be made in writing to the Data Controller:
Members, contractors, volunteers and supporters can request to see any data stored about them. Any such request will be actioned within 30 days of the request being made.
Members, contractors, volunteers and supporters can request that any inaccurate data held about them is updated. Any such request will be actioned within 30 days of the request being made.
Members and supporters can request to stop receiving any communications not essential for them to fulfil their role. (E.g. members may not wish to receive email notifications of other concerts.) Any such request will be actioned within 30 days of the request being made.
Members, contractors, volunteers and supporters can object to any storage or use of their data that might cause them substantial distress or damage, or any automated decisions made based on their data. Any such objection will be considered by the Committee, and a decision communicated within 30 days of the request being made.
The Group will ensure that data held by it is kept secure.
Electronically-held data will be held within a password-protected and secure environment.
Passwords for electronic data files will be re-set each time an individual with data access leaves their role/position.
Physically-held data (e.g. membership forms or email sign-up sheets) will be stored in a locked cupboard.
Keys for locks securing physical data files should be collected by the Data Controller from any individual with access if they leave their role/position. The codes on combination locks should be changed each time an individual with data access leaves their role/position.
Access to data will only be given to relevant trustees, committee members or contractors where it is clearly necessary for the running of the Group. The Data Controller will decide in what situations this is applicable and will keep a master list of who has access to data.
Transfer to countries outside the EEA
The Group will not transfer data to countries outside the European Economic Area (EEA), unless the country has adequate protection for the individual (e.g. USA).
We only share members’ data with other members with the subject’s prior consent
As a membership organisation the Group encourages communication between members.
To facilitate this:
Members can request the personal contact data of other members in writing via the Data Controller. These details will be given, as long as they are for the purposes of contacting the subject (e.g. an email address, not financial or health data) and the subject consents to their data being shared with other members in this way.
Direct Marketing
The Group will regularly collect data from consenting supporters for marketing purposes. This includes contacting them to promote concerts, updating them about group news, fundraising and other group activities.
Any time data is collected for this purpose, we will provide:
A clear and specific explanation of what the data will be used for (e.g. ‘Tick this box if you would like Aylesbury Festival Choir to send you email updates with details about our forthcoming events, fundraising activities and opportunities to get involved’).
A method for users to show their active consent to receive these communications (e.g. a ‘tick box’).
Data collected will only ever be used in the way described and consented to (e.g. we will not use email data in order to market third-party products unless this has been explicitly consented to).
Every marketing communication will contain a method through which a recipient can withdraw their consent (e.g. an ‘unsubscribe’ link in an email). Opt-out requests such as this will be processed within 30 days.
ADDENDUM 1
This section provides clarification and guidance on processes to support the foregoing Data Protection Policy.
1. In accordance with the Constitution of Aylesbury Festival Choir, only the names of members will be provided to any member, and then only upon request. The Data Controller may then facilitate contact by asking for explicit consent from the party to be contacted.
2. Upon deletion of any individual’s personal data, Committee members, and anyone else with Data Processor responsibility, will be notified of said deletion and instructed to ensure they have no local copy of the relevant data.
3. When any deletion of an individuals’ personal data takes place, the Data controller will review historical and backup personal data files to ensure any relevant data is also deleted from these.
4. In the unlikely event of a data breach being reported by an online storage provider used by the Group:
all individuals affected, or likely to be affected, will be informed of this event;
any passwords used to protect personal data files will be changed.