In order to operate, WorleWind Band needs to gather, store and use certain forms of information about individuals. These can include members, contractors, suppliers, volunteers, audiences and potential audiences, business contacts and other people the group has a relationship with or regularly needs to contact.
This policy explains how this personal data must be collected, handled and stored to meet the Charity’s data protection standards — and to comply with the law.
This data protection policy ensures WorleWind Band, complies with data protection law and follows good practice; protects the rights of members, customers and partners; and protects itself from the risks of a data breach
This policy applies to all data that the charity holds relating to identifiable individuals, even if that information technically falls outside of the General Data Protection Regulation (GDPR). This can include:
Names of individuals; Postal addresses; Email addresses; Telephone numbers; Media (e.g. photos) where the individual is identifiable …plus any other information relating to individuals.
This policy helps to protect WorleWind Band from some very real data security risks, including:
Breaches of confidentiality. For instance, information being given out inappropriately; Failing to offer choice. All individuals should be able to choose how the Charity uses data relating to them; Reputational damage. For instance, the Charity could suffer if hackers gained access to sensitive data.
The only people able to access data covered by this policy should be those who need it for their role in WorleWind Band. Data should not be shared informally. WorleWind Band will provide training as appropriate to understand responsibilities when handling data.
Everyone who works for or with WorleWind Band has some responsibility for ensuring data is collected, stored and handled appropriately. Each person that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. However, these people have key areas of responsibility:
- The trustees ultimately responsible for ensuring that WorleWind Band meets its legal obligations.
- The data protection officer(DPO), Andy Ractliffe, is responsible for for ensuring that our data protection policy is followed and kept up to date in line with current regulation and best practice.
They are responsible for why data is collected and how it will be used. Any questions relating to the collection or use of data should be directed to the Data Protection Officer.
5. Data Storage and Principles
We fairly and lawfully process personal data in a transparent way.
We only collect and use personal data for specific, explicit and legitimate purposes and will only use the data for those specified purposes.
When collecting data, WorleWind Band will always provide a clear and specific privacy statement explaining to the subject why the data is required and what it will be used for.
We ensure any data collected is relevant and not excessive, we will not collect or store more data than the minimum information required for its intended purpose.
We ensure data is accurate and up-to-date and ensure data is not kept longer than necessary
We keep personal data secure. Access to data will only be given to relevant trustees where it is clearly necessary for the running of the group. The Data Protection Officer will decide in what situations this is applicable and will keep a master list of who has access to data.
WorleWind Band will not transfer data to countries outside the European Economic Area (EEA), unless the country has adequate protection for the individual’s data privacy rights.
Right of access: individuals can request to see the data WorleWind Band holds on them and confirmation of how it is being used. Requests should be made in writing to the Data Protection Officer and will be complied with free of charge and within one month. Where requests are complex or numerous this may be extended to two months
Right to rectification: individuals can request that their data be updated where it is inaccurate or incomplete. WorleWind Bandwill request that members, staff and contractors check and update their data on an annual basis. Any requests for data to be updated will be processed within one month.
Right to object: individuals can object to their data being used for a particular purpose. WorleWind Band will always provide a way for an individual to withdraw consent in all marketing communications. Where we receive a request to stop using data we will comply unless we have a lawful reason to use the data for legitimate interests or contractual obligation.
Right to erasure: individuals can request for all data held on them to be deleted. WorleWind Bands’ data retention policy will ensure data is not held for longer than is reasonably necessary in relation to the purpose it was originally collected. If a request for deletion is made we will comply with the request unless:
- There is a lawful reason to keep and use the data for legitimate interests or contractual obligation.
- There is a legal requirement to keep the data.
WorleWind Band will regularly collect data from consenting supporters for marketing purposes. This includes contacting them to promote performances, updating them about group news, fundraising and other group activities.
Any time data is collected for this purpose, we will provide:
A method for users to show their positive and active consent to receive these communications (e.g. a ‘tick box’). Data collected will only ever be used in the way described and consented to (e.g. we will not use email data in order to market 3rd-party products unless this has been explicitly consented to). Every marketing communication will contain a method through which a recipient can withdraw their consent (e.g. an ‘unsubscribe’ link in an email). Opt-out requests such as this will be processed within 14 days.
6. Data Access
WorleWind Band takes reasonable steps to ensure data is updated and annually confirms the membership data held. Data should be updated as inaccuracies are discovered.
All individuals who are the subject of personal data held by WorleWind Band are entitled to ask what information the Charity holds about them and why and ask how to gain access to it. Requests from individuals should be made by email, addressed to the DPO at firstname.lastname@example.org. The data controller will aim to provide the relevant data within 14 days. The data controller will always verify the identity of anyone making a subject access request before handing over any information.