We have developed a template Data Protection and Retention policy for use by our member groups. It has been designed in line with General Data Protection Regulation (GDPR) and can be used as it is - with just your specific details (e.g. group name) added in, or taken as a starting point with changes made to suit your specific activities and circumstance.
To help you understand, use and adapt the policy we have provided some brief notes on key areas. We also recommend that you read the guidance in our GDPR Toolkit before using the template policy.
Notes on using the policy
General: all parts in [square brackets] need to be adjusted to suit your group’s needs.
Overview and Roles and Responsibilities Sections
Generally speaking we do not anticipate that groups will need to change much in this section. The main things to consider are:
- the lists of people you work with and that the policy applies to
- types of data you will be collecting
We do not recommend removing anything from these lists – even if they are not currently relevant to your group they will not do any harm being in the policy. But you might want to add extra examples particular to your group that are not included.
Data protection principles section
a) ‘We fairly and lawfully process personal data in a transparent way’ and b) ‘We only collect and use personal data for specific, explicit and legitimate purposes and will only use the data for those specified purposes’.
You may need to make adjustments in these sections to reflect the specific activities of your group. The key thing is that you detail when you will collect data, what data will be collected from individuals and how that data will be used.
Lawful basis of processing: under GDPR you should have a valid lawful reason for collecting and using data. In some circumstances you may not need the person’s consent to use it, as there might be another lawful basis for processing it. Your policy should state the lawful basis of processing. We think our groups will have two main bases:
- Contract: collecting and using data in relation to the way you are working with an individual will probably fall under the lawful basis of ‘Contract’ (i.e. you need to do so to fulfil a contractual obligation), so no specific consent is needed. A physical contract does not necessarily have to be in place if the contractual obligation is implied in the activity, such as signing up for membership. Examples:
  - Collecting and using members’ data for contact regarding membership subscriptions and group activities is fine.
  - If someone books a ticket it is OK to collect and use the data in relation to that booking (e.g. confirmation and a reminder email).
- Consent: where you will be collecting and using information for marketing and to promote your activities, specific consent is usually needed. Even where you collect data from an individual under the lawful basis of Contract, this does not mean you can also use it for marketing without consent.
  - For example: if someone books a ticket it is OK to collect and use the data in relation to that booking (e.g. confirmation). It would not be OK to use that data to promote another concert 3 weeks later – unless they have expressly given consent for this.
Privacy statements: whatever the lawful basis of processing you should provide a simple and specific privacy statement at the point of collecting the data so the individual knows why it is being collected and how it will be used.
We ensure data is not kept longer than necessary
See the separate guidance for more information on data retention.
Transfer to countries outside the EEA
Under GDPR it is your responsibility to make sure any third party services you use are compliant with GDPR. This includes things like cloud services and email services (e.g. MailChimp).
Most well-known companies will be compliant – so this should not pose a problem. A quick internet search will often give you the information you need; if not, you should contact them for information. If you are looking to use a less well-known company for these types of services, where their credibility is less clear and/or they are based in a country with less well-established data rights for individuals, you should ask yourself if you can really guarantee the data is protected.
Under GDPR requests by individuals about their data should be responded to within one month, or two months for complex queries, although complex queries are unlikely for our groups. You could shorten the standard period to less than a month if you want but we don’t recommend making it longer.
Right to object and erasure: with these rights it’s important to note that the request has to be considered but not necessarily actioned. However, there would have to be a clear and reasonable reason for refusing the objection. For example:
- A former member asks to have their details removed:
  - If they still have membership fees owing it would be fair to keep the details.
  - If they have paid all their fees and want no further involvement with the group it would be hard to justify keeping their details.
  - There may be other statutory regulations that you should follow. For example, Gift Aid declarations should be kept for 6 years.
- A current member asks that you stop contacting them by email:
  - If email is your chosen method of communication it would be fair to say you need to contact them about key administrative issues – e.g. rehearsal schedules.
  - But it might be acceptable for them to request that other types of use stop – such as promoting an optional social event.
‘Right to data portability’ and ‘Right related to automated decision making’: we think both of these are unlikely to impact our groups. But they are rights under GDPR, so it is sensible to be aware of them and reference them in your policy.
- Portability – this is about giving individuals their data to use for their own purposes, in a usable format. An example is a bank providing data on your account usage so you can upload it to a comparison site to find a better deal.
- Automated decision – this relates to decisions being taken based on an individual’s data without any human interaction. An example is applying for a personal loan online and the website using algorithms and automated credit searching to provide an immediate yes/no decision on the application.
Charitable membership bodies are encouraged to facilitate members contacting each other. This part of the policy sets out that any requests for data from members will be dealt with as and when they arise – with permission being given on a case by case basis.
You could consider detailing a policy where members give prior consent (e.g. when they first join) for their details to be shared with other members. If you do this you must include the option for members to subsequently remove their prior consent.
How we get consent
This section sets out the key things you should be doing in relation to collecting and using email data for Direct Marketing.
We suggest you also read the ICO’s best-practice guidance and The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) – especially if you are taking part in any other type of direct marketing (e.g. telephone).
This section covers how you will prevent data breaches and what to do if one occurs. Under GDPR there is greater emphasis on the organisation to a) prevent data breaches and b) be able to identify and report them if they do occur.
Prevent: you may need to make adjustments to the prevention section to reflect the specific activities of your group and the physical, manual and automated safeguards you have in place.
Report: the policy sets out that data breaches will, depending on their severity, either be reported:
- To data subjects and relevant authorities (ICO, Charity Commission, OSCR, etc.).
- Internally (document the occurrence and review processes).
GDPR, and this template policy, puts the onus on the organisation to make an assessment of the breach and a judgment about its potential impact.
The question to ask is: is the breach likely to result in a high risk of adversely affecting individuals’ rights and freedoms?
If the answer is yes you should inform those individuals without undue delay and you may have to report it to the authorities.
When assessing the severity of the risk you should think about what the potential negative impact might be on the individuals whose data has been breached. We don’t think breaches of the type of data our groups are likely to hold would pose significant risks:
- Accidentally CCing everyone instead of BCCing – this is a breach but pretty low impact (and the subjects will know anyway).
- Emailing someone who has previously opted-out – again it’s a breach but low impact.
- Accidental destruction of data - a breach - but the impact would largely be on you, not the individuals whose data was destroyed.
- The riskier areas are when data has been lost and/or accessed by a third party without permission. Again, the type of data here is important.
  - A list of names and sandwich preferences is low risk.
  - A list of names and dates of birth or passport details (perhaps held for a tour) would be a bigger risk.
Ultimately it is up to the organisation to decide on the level of reporting:
- Breaches should be documented internally.
- If you think the individuals concerned should know and may need to take action based on the breach, then inform them.
- Very serious breaches should be reported to the authorities.
If you decide not to inform the data subject and authorities you should document why and be able to justify the decision. You can find out more about breaches and reporting them on the ICO website.
Cookies on your website
We hope you find this Making Music resource useful. If you have any comments or suggestions about the guidance please contact us. Whilst every effort is made to ensure that the content of this guidance is accurate and up to date, Making Music do not warrant, nor accept any liability or responsibility for the completeness or accuracy of the content, or for any loss which may arise from reliance on the information contained in it.