Data protection is becoming an increasingly prominent issue. The General Data Protection Regulation (GDPR) in May 2018 tightened up the data laws and led to the Data Protection Act 2018, getting a fair bit of media attention in the process.
The new rules can appear complex, hard to apply and perhaps a bit restrictive. For leisure-time music groups though, it’s mostly about common sense and simple reasonable measures to make sure you are using the data you hold in a fair, reasonable and secure way.
This guidance will help you do that; explaining key elements of the data protection laws, how they apply to you, and what actions you might need to take.
Does it really apply to local music groups?
From a music group leader point of view data protection might seem overly regulatory and just more work for you to do. But data protection laws apply to all organisations, from multi-national banks to local community organisations.
It is worth taking some time to think about why the laws exist. You probably care about how organisations use your data; that it is safe and used in a fair way. Most people do - and for good reason. The data laws are there to protect individuals and to make sure organisations are acting responsibly. We expect our banks to be compliant, and a data breach can cause reputational damage. Whilst a music group is clearly different to a bank, people still have the right to expect that their data is well looked after, and a breach can still impact your reputation – arguably more significantly in a smaller community.
Effective data protection should be viewed as a good thing for your group. Most of it is common sense and done well it will help your group in the long run. Policies and rules about how to handle data can make your group more efficient and responsible in how it works. This can help with a huge range of things from reputation to committee recruitment and your long-term sustainability.
A risk-based approach
Having data policies and processes is about minimising risk. The risk will never be zero; it is about taking sensible and reasonable measures to reduce the risk to sensible and reasonable levels.
What those risks are will vary hugely for different organisations. NatWest and the NHS have vastly different data concerns to a community choir. So it follows that their approaches to data and what constitutes sensible and reasonable measures to minimise risk will be very different.
When approaching data protection there are two risks to consider:
1. The risk to the individuals whose data you hold
Ultimately data protection is about protecting the privacy, rights and freedoms of individuals. Some organisations will hold data on individuals that could pose a serious risk to this, whilst others will hold data that poses a much lower risk. For example, data about an individual’s race or sexual orientation could be high risk as it puts them at risk of unlawful discrimination. Similarly, genetic or health data carries a greater risk to a person’s privacy than an email address.
We suspect that the data which most of our groups hold will be towards the lower end of the risk spectrum. That doesn’t mean you shouldn’t take it seriously, just that what constitutes reasonable and sensible measures might be different.
2. The risk to your organisation
Not being compliant with data protection laws carries risks for your organisation (e.g. reputation and, in theory, financially). So, policies and procedures are about minimising these risks too. However, you might also consider balancing this against what is realistic and practical.
The Spirit of the law
You don’t need to get bogged down in the legislation and regulation. Whilst it does all technically apply to you, it will not all affect you. Rules around automatic processing of data (where decisions are taken based on data processing without any human interaction) are unlikely to affect our groups, for example.
It might be useful to think about the spirit of the law. The overarching aim and spirit of data protection laws is that individuals’ data is treated fairly, reasonably and transparently. You may be faced with a situation where there is a choice to make between the absolute letter of the law and acting within the spirit of the law. If acting within the spirit reduces the risk, then you might decide that approach is in the best interests of individuals and your group.
We are not saying ignore data protection – in fact we think you should embrace it and use it as an opportunity to improve your organisation. But at the same time there are different approaches with relative merits and risks. It can be easy to get bogged down in the detail when a common-sense approach and a bigger picture view could be taken.
The Information Commissioner’s Office (ICO) is the regulator for data protection in the UK and can fine organisations for data breaches. This is unlikely to happen to our groups. The ICO’s approach with small not-for-profit organisations is one of education rather than punishment. If you were to cause a data breach and come to the attention of the ICO, but you could demonstrate that you take data protection seriously and have reasonable and sensible measures in place to keep the data you hold safe, they would be much more likely to help you improve and avoid further breaches than to punish you for the one that happened.
Do we have to think about all the data we currently hold – or just data we collect in the future?
It should be all the data you hold, but be sensible. Do a review of what you currently do:
- If you have had good data protection practices, then a review of them to make sure you are compliant with the Data Protection Act 2018 is probably all you need – and shouldn’t be too onerous.
- If you haven’t paid much attention to data protection in the past then having a full review of the data you hold is a good idea. It might be a fairly big task – but once done it will help you to understand what policies and procedures to implement and will make ongoing data protection fairly easy. You might find you have lots of data you no longer need and so can delete it – which is good practice (why have it if you don’t need it?) and can be quite cathartic.
Governance and documentation
Data protection can be technical – there is lots of terminology. A lot of it is useful for larger organisations handling big and complex data sets, but not relevant for music groups. However, there are a few bits of jargon which are useful to understand.
- GDPR (The General Data Protection Regulation) - this is the EU regulation that came into effect in May 2018. The UK Data Protection Act 2018 is based on the GDPR.
- Data Controller – if an organisation collects and uses data from individuals, they are the data controller. Your group will be the data controller. It is responsible for deciding what data to collect, how and why.
- Data Protection Officer (DPO) – some organisations (Public authorities and those processing large scale sensitive data) have to appoint a DPO, and that person must have specific training for the role. It is very unlikely our groups will have to appoint an official DPO in this sense, but it is a good idea to have an individual to lead on data protection.
- Data Processor – this is an organisation you use to help you manage the data you hold. An example is using Google Drive to store data or Mailchimp for emails. See third parties below.
- ICO – this is the regulator for data protection in the UK. All organisations that are data controllers come under their regulation and the data protection laws. Some organisations have to register with the ICO and pay a fee. There is an exemption for not for profit organisations and it is very unlikely that our groups would have to register. There is an ICO self-assessment tool you can use to decide if you have to register or not.
A phrase you might hear used in relation to data protection is ‘data protection by design’. This means having data protection in-built to all your activities. So that ‘what about data protection?’ is a default consideration for everything you do.
Whilst data protection does not need to be too onerous there is a fair bit to think about. Having good documentation and governance practices in place is really important. Having them will mean more often than not the answer to the default ‘what about data protection’ question will be ‘it’s covered by our existing polices/procedures’ - and you will have a set of guidelines and rules to ensure you meet your data protection responsibilities.
Someone in charge
Having a person (or persons) on your committee/management team to lead on data protection can be really helpful. They can oversee and advise on how data is collected, stored and used. They can also make sure that procedures are followed and be the main contact for any data questions – whether it is giving advice or handling a request from individuals regarding their data (see individuals’ rights below).
Internal documents to help you manage your data protection
- Data protection policy – setting out how your organisation approaches data. Use our template policy to help get you started.
- Data retention policy – sets out how you will approach data retention to make sure you don’t have data for longer than you need. It can be separate to your main policy - or part of it. See Retention below for more information.
Alongside formal policies you might want some other internal procedure documents to help manage your data on a day to day basis:
- Written data processes – simple processes and guidelines for committee members and volunteers to use when dealing with data on behalf of your group (e.g. how to send a newsletter). These don’t have to be written – you can make video recordings of browser activity and use the video as a training tool/process.
- Overview of what data you have and where – a simple list of where data is held and who has access to it.
Information for the public/people whose data you hold:
- Privacy statements – a short public statement that you provide whenever you collect data explaining why you are collecting the data and how you will use it. Unlike a privacy notice it is specific to the data you are collecting at the time – and not a catch-all about your general use of data. The privacy statement will often refer to your privacy notice for more info.
We have further guidance about privacy notices and statements – including templates.
The data laws are about personal data – or more specifically organisations holding personal data.
The definition of personal data is quite broad. If a piece of information is linked to an individual then it will most likely be personal data - this could be contact details, a membership number, their date of birth, a photo of them or an opinion about them.
If a piece of information is not directly linked to an individual it could still be personal data if it could be linked back to them in another way.
A good rule of thumb is that if you are keeping some information because you want to know something about a person (e.g. where they live, if they have allergies) then it’s personal data. We think the data our members are likely to hold about the individuals they work with will be personal data. The only time it might not be is if it is completely anonymous and could not be linked to an individual in any way.
Example: on your joining form you ask members for their name, address and date of birth. Whether it is personal data depends on how the data is stored:
- You keep the paper form on file – all personal data.
- You destroy the paper but transfer the name, address and DOB to a spreadsheet – all personal data.
- You destroy the paper and keep a spreadsheet with the names and addresses but not the DOB, and give each person a membership number. In a separate spreadsheet, you list the membership number and the DOB – all personal data, because the DOB could be linked to the person via the membership number.
- You destroy the paper and keep a spreadsheet with names and addresses, but not the DOB. You keep the DOB in a separate spreadsheet with no other data (so you can track the average age of your members, for example) – the name and address would be personal data but the DOB would not be personal data, as it is stored completely anonymously.
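The joining-form example above, worked through in code. This is an added illustration, not part of the Making Music guidance: the member names, addresses and dates of birth are constructed sample data, and the function names are my own. It shows that a DOB sheet keyed by membership number joins straight back to a named person, while a DOB-only list shares no column with the membership sheet (and is sorted so that row order cannot be lined up against it either) yet still supports the average-age statistic it exists for.

```python
# Added example (not from the original guidance): linkability of a date of
# birth stored three ways, following the joining-form example in the text.
from datetime import date

# Constructed sample data: what the joining form collected.
JOINING_FORMS = [
    {"name": "Alice Example", "address": "1 High St", "dob": date(1980, 5, 2)},
    {"name": "Bob Sample", "address": "2 Mill Lane", "dob": date(1975, 11, 30)},
    {"name": "Cara Test", "address": "3 Church Rd", "dob": date(1992, 1, 14)},
]


def split_by_membership_number(forms):
    """Storage option 3: names/addresses in one sheet, membership number + DOB in another."""
    members, dobs = [], []
    for number, form in enumerate(forms, start=1):
        members.append({"membership_no": number, "name": form["name"], "address": form["address"]})
        dobs.append({"membership_no": number, "dob": form["dob"]})
    return members, dobs


def anonymous_dob_list(forms):
    """Storage option 4: DOBs only, no other column.

    Sorted on purpose: if the rows stayed in joining-form order, anyone holding
    the membership sheet could line the two lists up row by row.
    """
    return [{"dob": d} for d in sorted(form["dob"] for form in forms)]


def shared_keys(sheet_a, sheet_b):
    """Column names present in both sheets: any shared column is a potential join key."""
    cols_a = set().union(*(row.keys() for row in sheet_a))
    cols_b = set().union(*(row.keys() for row in sheet_b))
    return cols_a & cols_b


def reidentify(members, dobs):
    """Join on membership number: every DOB maps back to a named member."""
    by_number = {m["membership_no"]: m for m in members}
    return {by_number[row["membership_no"]]["name"]: row["dob"] for row in dobs}


def average_age(dob_rows, today):
    """The statistic the anonymous list is kept for; needs no identifiers at all."""
    ages = []
    for row in dob_rows:
        d = row["dob"]
        ages.append(today.year - d.year - ((today.month, today.day) < (d.month, d.day)))
    return sum(ages) / len(ages)


if __name__ == "__main__":
    members, keyed_dobs = split_by_membership_number(JOINING_FORMS)
    print("shared columns, keyed DOB sheet:", shared_keys(members, keyed_dobs))
    print("re-identified:", reidentify(members, keyed_dobs))
    anon = anonymous_dob_list(JOINING_FORMS)
    print("shared columns, anonymous list:", shared_keys(members, anon))
    print("average age:", average_age(anon, date(2020, 1, 31)))
```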
Asking for and using data – how much and why
The key thing is not that you have data – but that you have a good reason to have it. You are allowed to hold and use data – but you need what’s called a ‘lawful basis for processing’ it – basically a justification for having it.
The first question to ask is: do you need the data? Unless you have a genuine reason for having the data and will actually use it (rather than it just sitting in a spreadsheet), don’t ask for it – and if you already have it and don’t use it, delete it. This is common sense really – and good practice. All it will do is take up digital or physical space – and if you have no use for it, it essentially exists only as a risk for you – so why have it at all?
If you do need the data, the next question is why? Followed by what is your lawful reason for having it? There are several legitimate lawful reasons for having data. We think there are three that will most commonly apply to our groups.
- Legitimate interests: if an individual asks you to do something (e.g. provide a service) you have a legitimate interest to hold and use their data as part of doing the thing they requested. In this instance you don’t need specific consent – essentially the request for the service legitimises you having the data. If someone wants to join your group, asking for their name and contact details for your records is a legitimate interest, as is using these details to email them about a rehearsal change or subscription fee reminder.
- Contract: this is similar to legitimate interests but relates to when you have a contract in place with someone and you need to use their data to meet your obligations under the contract. An example might be having your MD’s contact details and bank account details so you can manage their working relationship with you and pay invoices.
- Consent: with ‘legitimate interests’ and ‘contract’ the basis for having and using the data is implied in the activity. In some instances, this won’t be the case, and you will need clear consent from an individual to use their data. This is most commonly the case where you are using the data to promote a product or service, such as an event.
Consent means the person has to say ‘yes you can have and use my data to promote things’. Consent needs to be specific and positive, and you need a record that it was given. Specific means that the consent relates to the specific way you will use the data and positive means they have done something to say yes – they tick the box rather than not unticking a pre-ticked box.
A common query about consent and promotional emails is about historical consent. If you have been sending promotional emails to people about events for years but don’t have evidence of if/when they opted-in – you don’t need to email them and ask them to opt-in now. The fact that you have been emailing them for years and they have not objected is consent enough. Of course, for any new data you collect for direct marketing you must get consent – and you should be providing the chance to opt out with every email.
How consent is given – some examples:
- Someone buys an event ticket and included in the terms of purchase is signing up to your e-newsletter.
- Someone buys an event ticket; at the bottom is a pre-ticked box that means they will sign up to your e-newsletter.
- Someone buys an event ticket; there is an un-ticked box that says if they tick it they will sign up to your e-newsletter.
- You have a form on your website that says ‘enter your email to sign-up to our mailing list’ with a ‘submit’ button.
Whatever your reason for holding the data you should provide the individual with a privacy statement when you collect their data. This should be short and use simple language that explains how you will use the data. It should also explain where they can find more detailed information (privacy notice).
An important point is that you might need different reasons for using the same bit of data in different ways. For example:
- Holding a soloist’s email so you can contact them about performing with you = contract
- Holding a soloist’s email so you can tell them about all your group’s events = consent
Use our interactive guidance tool to find out more about the types of data you hold and the lawful reason for holding it that is likely to apply and any actions you might need to take
Secure storage of data
Safe storage of data is really the most important part of data protection. You might have every bit of consent you need – but if you lose the data or allow someone else to access the data, the damage has been done.
It doesn’t have to be complex. Levels of security range massively and it’s about weighing the risk. Simple common-sense measures – ones you most likely take when protecting your own personal data - should be fine. It can be easy to focus on digital/electronic data but security of physically held data is just as important.
- Have a well organised and clear filing system – well organised data is easier to manage and reduces risk of misuse or loss of data. It will make your regular review of data easier too.
- Any electronic data should be password protected. For third party sites/services this is fairly easy as they tend to come with password logins. You should also think about passwords for devices where data is stored (e.g. password to login to laptop) or the file where the data is (e.g. password-protected spreadsheet) – or both.
- Use different passwords for different things – and use strong passwords (at least 8 characters and a mix of lower case, upper case and numbers).
- Where possible passwords should belong to individuals rather than be shared – but of course shared passwords do sometimes have to be used (e.g. if you have a shared inbox for your group such as email@example.com).
- Just having a password is not enough. Keep track of who has the passwords and change them regularly. Every six months as standard is a good idea, but also whenever people with passwords leave a role.
- Use additional security features where possible. Some online services offer two-step verification where you link an account to a phone number and receive a text with a code to enter after entering your password. A site might offer this without you realising, so it's worth looking in settings to see if it can be switched on.
- The same applies for physical data, but for ‘password’ read ‘key/combination code’. It’s not uncommon for paper to be in the house of a committee member – you could argue that their house is secure so the data is secure – but ideally any data, especially sensitive data, should be kept in a locked space (drawer, filing cabinet etc.). Certainly if you have some storage space at a local community building then any data should be kept locked. Keep track of who has keys or combination codes. Change codes regularly and if someone leaves a role make sure any data and keys are returned and codes updated.
Thinking about why you have data and if you still need it should be an ongoing process.
Having a good reason to hold and use data and having accurate data are central to good data protection. You might have a member’s address for your membership records – but if they move or leave the group it would no longer be accurate and the reason for having it might no longer apply (although there may be a different reason for having it).
The data you hold should be reviewed regularly to make sure it is still useful and if you still have good reason to keep it. We recommend a data retention review every two years. Read our further guidance and access our template data retention policy.
How data you hold is stored and used by third parties is something you need to consider. This is normally one of two things; passing data to third parties for them to use for their own purpose and using a third party to process data for your own purpose.
- Passing data to third parties for them to use the data for their own purposes. This is perhaps most commonly thought of when we talk about third parties and data. It is when an organisation passes – or sells – the data they hold to a third party so that third party can use it – normally for their own marketing/promotion. If you do want to do this, you must have clear and specific consent from the individual and be clear about what type of organisation you will pass it to and what type of communications they can expect to get. For our groups it is best avoided all together.
- The second way third parties are used is perhaps less thought of but more prominent. It is when you use a third party to process data for your purposes. Examples are using Google Drive and Mailchimp. The third party doesn’t use the data for its own purposes, but by helping you to use it (e.g. storing docs, sending emails) they do have access to it – they are what’s called a ‘Data Processor’.
As the data controller it is your responsibility to ensure that any data processors you use are treating the data you give to them in a fair, safe and transparent way. You should also have an agreement in place saying so – this would typically be part of the terms and conditions / service agreement the third party provides when you sign up for their service.
- For companies based in the EU it should be pretty straightforward – their T&Cs should set out how they are compliant with GDPR – which tells you they are treating data in a fair, safe and transparent way.
- Some non-EU companies will mention GDPR compliance in their T&Cs – again this should be straightforward. A quick internet search of the company name and GDPR will normally bring up some useful info.
- For US-based companies there is something called the EU-US Privacy Shield – companies signed up to this are EU data compliant – again straightforward.
- If a company doesn’t come under any of the above, there is a decision to make. Rather than getting bogged down in understanding how their data processes relate to GDPR take a risk-based approach. If T&Cs don’t explicitly mention GDPR it doesn’t mean your data is not being treated in a fair, safe and transparent way. For large well known third parties the risk is probably small. If it is a smaller less well known organisation and good clear information about their data processes is hard to come by then it might be best to err on the side of caution and look for an alternative.
If you are using third party data processes, you should tell the data subjects that you are using them in your privacy statement.
As a data controller you are responsible for the data you hold, but the data belongs to the individual and they have certain rights over that data. There are eight rights under the Data Protection Act. Six will be relevant to our groups. Your data policy and privacy notice should inform people of these rights and you should have a process in place to make sure requests can be made and are processed within one month.
- Right to be informed: you should let people know why you are collecting data (see privacy statements above).
- Right of access: individuals can request to see the data you hold on them and get confirmation of how it is being used.
- Right to rectification: data should be up to date and accurate – individuals can check that it is and update it if it isn’t.
- Right to object: individuals can object to their data being used for a particular purpose (this doesn’t always mean you have to act on their objection – except for direct marketing where individuals have an absolute right to objection)
- Right to erasure: individuals can request for all data held on them to be deleted (this doesn’t always mean you have to act on their request).
- Right to restrict processing: individuals can request that their data is not used. The data can still be stored but not used. This is an alternative to requesting the erasure of their data.
The other two are less likely to be relevant – but are rights nonetheless.
- ‘Right to data portability’ - this is about giving individuals their data to use for their own purposes, in a usable format. An example is a bank providing data on your account usage so you can upload it to a comparison site to find a better deal.
- ‘Right related to automated decision making’ – this relates to decisions being taken based on an individual’s data without any human interaction. An example is applying for a personal loan online and the website using algorithms and auto credit searching to provide an immediate yes/no decision on the application.
Central to all your data protection procedures is safe use of data, but mistakes do happen. Your documentation and policies should consider how you will handle any data breaches.
A data breach can take many forms – it is basically using data in any way you are not supposed to. Some common examples:
- Accidentally CCing everyone in an email instead of BCCing them.
- Emailing someone about an event when they have opted-out of emails
- Deleting data by accident
- Losing data (e.g. a memory stick or a paper file)
- Passing the data to a third party without a good reason or permission for doing so.
There are two main stages to dealing with a breach:
- Understand the breach
If you suspect a breach has occurred, you should confirm a) that it has happened, b) the extent of it (whose data and what data), and c) that it is not an ongoing breach (and take measures to stop it if it is).
- Decide how to handle the breach
The default for all breaches should be to look at why it happened and what you can do to stop it happening again.
Depending on the nature of the breach you may also need to consider reporting it. Some breaches are more serious than others. The key thing is to assess the breach and make a judgment about its potential impact. The question to ask is: is the breach likely to result in a high risk of adversely affecting individuals’ rights and freedoms?
If you don’t think it does, then conducting an internal review might be enough. This should document what happened, why you don’t think it poses a high risk and the measures you are taking to improve processes/avoid further breaches. This should be reported to your committee/management team.
If the answer is yes, you should inform those individuals without undue delay and very serious breaches should be reported to the authorities (e.g. the ICO, Charity Commission, OSCR etc.).
We don’t think breaches of the type of data our groups are likely to hold would pose significant risks:
- Accidentally CCing everyone instead of BCCing – this is a breach but pretty low impact (and the subjects will know anyway).
- Emailing someone who has previously opted-out – again it’s a breach but low impact.
- Accidentally deleting data – the impact would largely be on you, not the individuals whose data was destroyed. But you may have to contact them to ask for the data again.
- The riskier areas are when data has been lost/and or accessed by a third party without permission. The type of data here is important.
- A list of names and sandwich preferences is low risk
- A list of names and date of births or passport details (perhaps held for a tour) would be a bigger risk.
Ultimately it is up to the organisation to decide on the level of reporting. If you have a breach and think you might need to report it then you can contact us for advice.
Finally – what about Brexit?
The UK Data Protection Act 2018 is the current legislation. It is based on the GDPR - an EU regulation. Once the UK has left the EU changes to this act will be theoretically possible. However, the principles of data protection, and the way you should handle data, are very unlikely to change. The current legislation and the rules you should follow are likely to be in place for a good while after 31 January 2020 (or whenever the UK leaves the EU).
We hope you find this Making Music resource useful. If you have any comments or suggestions about the guidance please contact us. Whilst every effort is made to ensure that the content of this guidance is accurate and up to date, Making Music do not warrant, nor accept any liability or responsibility for the completeness or accuracy of the content, or for any loss which may arise from reliance on the information contained in it.