Data Protection: what are your responsibilities?

Data protection exists to protect individuals from having data about them wrongfully gathered or used by organisations. It boils down to eight key Principles, which any group storing individual’s data must follow in order to comply with the terms of the Data Protection act 1998 (DPA) alongside some additional regulations from the Privacy and Electronic Communications Regulations 2003 (PECR) specific to electronic communications (like email).


  1. What do we have to do?
  2. The Data Protection principles
  3. Direct marketing
  4. Using Cookies

1.  What do we have to do?

Although your group has a responsibility to ensure that data collection, storage and use abides by certain rules, the good news is that these are mostly common sense and quite easy to keep to!

2. The Data Protection principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met

Essentially this means that if your group holds any personal data on your members or the public, you must have a legitmate reason for collecting and using it, and must not use it in any way that could have a negative impact on the individual. You also have to be clear and open about how you’re planning to use the information, and only use that information in a way the individuals might reasonably expect you to. 

2. Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that/those purpose(s)

Essentially, if your groups is storing data about individuals (e.g. the names and phone numbers of members), you need to say why it's being stored when you get it from them (e.g. to let them know about rehearsals), and you need to ensure that you only then use it for reasonable related purposes (i.e. not giving their data to a local company for telemarketing!). If you will use the data for marketing or promotion, there are also further requirements.

Making Music member groups and most not-for-profit organisations are exempt from the part of this principle that requires that your Data Controller registers with the Information Commissioner's Office (ICO). You can check if this applies to you by completing a brief self-assessment survey.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed

You shouldn't store more data than the minimum information needed for your purposes (e.g. you can store someone's home address, but not who else lives there).

4. Personal data shall be accurate and, where necessary, kept up to date

You must take reasonable steps to ensure that the data you collect and keep is accurate and up to date. You don't have to pro-actively check whether details have changed on a regular basis (though this can be good practice), but you should ensure there is a way for people to let you know about changes to their details, and that you update your data as soon as possible after you are informed.

5. Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose

You can't keep information too long. If a member goes on a (long!) holiday for six months, you can keep their data, but if a member leaves and you have no reason to think they will return, you should remove all of their personal data. Likewise, if you collected someone's data to send invitations to concerts and they indicate they are no longer interested, you should remove their data.

6. Personal data shall be processed in accordance with the rights of data subjects under the Act.

This is less intimidating than it sounds - it just means that once an individual has given you their data, they retain some rights over it:

  • To see a copy of the data you hold about them
  • To object to any storage or use of their data that might cause them substantial distress of damage
  • To stop you sending them direct marketing materials
  • To object to any automated decisions made based on their data
  • To have innaccurate data corrected
  • To seek compensation for any loss or damage suffered as a direct result of your organisation failing to abide by the DPA 

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data

If you are holding individuals' data, you must ensure that it is protected from unauthorised access. This would include storing it securely, using strong passwords (if digital) or locks (if physical) and ensuring that noone can access the data unless they have a good reason to.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Though it is unlikely that you would need to, if you plan to transfer the data to a non EEA country, you should ensure that the country provides adequate protections for data, and obtain the permission of the individuals whose data you hold.

3. Direct Marketing requirements

This covers all advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations – for example, it covers a charity or political party campaigning for support or funds. There are slightly different requirements for email, phone and fax communications. The full requirements can be found in the ICO's summary guidance. The most important points applicable for most Making Music groups will be:

Get (and keep a record of) consent before you send

You will usually need a person's consent before you can send them a marketing message.

This must be knowingly given, clear and specific: it should cover your organisation, the type of communication you want to use (e.g. phone, email, fax, SMS) and involve a positive action (ticking a box, sending an email, subscribing to a service). Consent for sending someone emails will usually need to be more explicit than for post (e.g. needing the user to actively 'opt-in' rather than just giving them an option to 'opt-out'.


Implied opt-in for post: "We may write to you by post to keep you informed about forthcoming concerts and other events, [and to let you know about offers from organisations approved by us]. If for any reason you would prefer not to receive such information, please write to [a person in your group who will manage this - ideally the Data Controller] and we shall remove your name from our mailing list."

Explicit opt-in for email: "From time to time we send email to members and supporters giving details of our forthcoming concerts and other events, [and to let you know about offers from organisations approved by us]. If you would like us contact you in this way, please tick this box."

Include a clear way to opt out in every communication

Even if someone has previously given their consent for you to send them marketing messages, they have the right to change their mind. You must give them a clear opportunity to tell you so in your communications (this is especially important for emails, where you will otherwise risk being marked as spam).

E.g. "You have been sent this email because you opted in to hear about our forthcoming concerts and other events. If you would no longer like to receive these, please reply to this email with 'unsubscribe'."

Once someone has asked to no longer be sent messages, you must make this change within three months (or ideally within 28 days).

4. Using cookies on your website

A cookie is a small text file that is downloaded onto a computer or smartphone when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions. You may use cookies to track how many users are visiting your website (e.g. through Google Analytics) or to save information about what they have seen (e.g. to auto-complete a form). The PECR regulations extended specific requirements for using cookies.
If you use cookies you should:
  • Tell people which cookies you are using and why (usually on a pop-up or well-signposted 'cookies' page of your website)
  • Get the user's consent to store a cookie on their device (though there is currently some ambiguity about how explicit this needs to be: some websites will show a pop-up message requiring users to agree to cookies being used before continuing, some show a message explaining that cookies are used but do not stop the user from continuing, and some take a user visiting the site as an act of 'implied' consent in itself)

We hope you find this Making Music resource useful. If you have any comments or suggestions about the guidance please contact us. Whilst every effort is made to ensure that the content of this guidance is accurate and up to date, Making Music do not warrant, nor accept any liability or responsibility for the completeness or accuracy of the content, or for any loss which may arise from reliance on the information contained in it.