London Forest Choir and GDPR

London Forest Choir (LFC) is committed to ensuring that all personal information handled by the choir will be processed according to legally compliant standards of data protection and data security. The purpose of this policy is to help the choir to achieve its data protection and data security aims by notifying members of the types of personal information that LFC may hold about them and what the choir does with that information. It is also to ensure that members understand the choir's rules and the legal standards for handling personal information relating to members and others, and to clarify the responsibilities and duties of members in respect of data protection and data security.

 

This is a statement of policy only. London Forest Choir may amend this policy at any time and at the discretion of the committee.

 

Who is responsible for data protection and data security?

 

Maintaining appropriate standards of data protection and data security is a collective task shared by the committee and members of London Forest Choir, irrespective of their position within the choir. The committee has special responsibility for leading by example and monitoring and enforcing compliance, and has overall responsibility for ensuring that all personal information is handled in compliance with the law. The choir membership secretary has been appointed LFC's Data Protection Officer, with day-to-day responsibility for data processing and data security.

 

Any breach of this policy will be taken seriously and may result in disciplinary action as outlined within London Forest Choir's Code of Conduct.

 

What personal information and activities are covered by this policy?

 

This policy covers personal information which we obtain, hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy, which relates to a living individual who can be identified either from that information in isolation or by reading it together with other information the choir has. Personal data may be stored electronically or on paper in a filing system, and may relate to members (present, past or future) or to any other individual whose personal information the choir handles or controls.

 

The choir collects personal information about members which members provide, or which is gathered before, during or immediately after their membership of London Forest Choir. Unless otherwise requested and agreed, the choir will delete all personal information within one year of the member leaving.

 

Personal data that the choir may collect, store and process includes home and/or work addresses, mobile and/or landline telephone numbers, email addresses and social media details, as well as contact details for members' next of kin; subscription records, including details of any donations, Gift-Aid claims made and any Gift-Aid declarations in favour of LFC; attendance records at rehearsals and concerts, members' voice range, physical and/or mental health details as they apply to activities undertaken by the choir, dates of birth, for social and insurance purposes, as well as photos, videos and sound recordings of rehearsals, concerts and other performances, both public and private.

 

London Forest Choir uses members' personal data to maintain adequate records for the efficient operation of the choir, including the administration of memberships, rehearsals, concerts and other public performances, and to deal with any problems or concerns. Personal data may be compiled and circulated as membership lists, to allow members to be contacted outside rehearsal or concert hours, and attendance records, to maintain a record of choir members' attendance at rehearsals, concerts and other public appearances. LFC may also compile and circulate records of music borrowed, lost, bought or sold, as well as fines levied for late return of music. Rotas may be kept for the choir's social activities, including (but not limited to) providing interval drinks during rehearsals and performances. The choir may also keep members' personal information in relation to complaints, grievances, legal or compliance matters.

 

For the purposes of the Data Protection Act 1998, London Forest Choir confirms that it is a Data Controller of the personal information in connection with membership of the choir. If any member considers any information held about them is inaccurate, they should inform their Part Rep, the Data Protection Officer or a member of the committee so it can be corrected.

 

London Forest Choir will take all reasonable steps to ensure that personal information is kept secure. In general, personal information will not be disclosed to others outside the choir, except to comply with legal obligations, to outside parties who provide products or services to the choir, including insurance services, to assist in criminal investigations or to seek legal or professional advice in relation to membership issues, which may involve disclosure to lawyers, accountants or auditors and/or to legal and regulatory authorities, such as HM Revenue and Customs. The choir may also disclose personal information in connection with any complaint, grievance, legal, regulatory or compliance matters or proceedings that may involve members.

 

By providing their personal data, each member consents to the use of personal information (including any sensitive personal data) in accordance with this policy. We do not sell personal data to third parties.

 

Data protection principles 

 

London Forest Choir members whose work involves using personal data relating to members or others comply with this policy and with the eight legal data protection principles which require that personal information is: 

 

(1) Processed fairly and lawfully. The choir must always have a lawful basis to process personal information. In most (but not all) cases, the person to whom the information relates (the Subject) must have given consent, must be told who controls the information (the choir's management committee), the purpose(s) for which the choir is processing the information and to whom it may be disclosed.

 

(2) Processed for limited purposes and in an appropriate way. Personal information must not be collected for one purpose and then used for another. If the choir wishes to change the way it uses personal information, it must first tell the Subject.

 

(3) Adequate, relevant and not excessive for the purpose.

 

(4) Accurate. Regular checks must be made to correct or destroy inaccurate information.

 

(5) Not kept longer than necessary for the purpose. Information must be destroyed or deleted when the choir no longer needs it.

 

(6) Processed in line with the Subject's rights. Subjects have a right to request access to their personal data, to prevent that information being used for direct marketing, to request the correction of inaccurate data and to prevent their personal information being used in a way likely to cause them or another person damage or distress.

 

(7) Secure. See Data Security below.

 

(8) Not transferred to people or organisations without adequate protection.

 

Some personal information, including details of a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about criminal offences, requires more careful handling. Strict conditions apply to processing this sensitive personal information. The Subject must give specific and express consent to each way in which sensitive personal data is used.

 

Data security

 

All members of London Forest Choir are responsible for protecting personal information in their possession from being accessed, lost, deleted or damaged, through the use of data security measures. Members must ensure that only those who are authorised to use the information can access it and that the information is accurate and suitable for the purpose for which it is processed. The choir must also make sure that anyone authorised to use such personal data can access this information if they need it for authorised purposes.

 

By law, London Forest Choir must keep secure all personal information, in obtaining it, using it and destroying it. Personal information must not be transferred to any person to process (for example, a person or company providing services for the choir or on the choir's behalf), unless that person has either agreed to comply with London Forest Choir's data security procedures or the choir is satisfied that other adequate measures exist.

 

The choir's member database is password-protected and available only to committee members who have a need to use it. Security procedures include physically securing information: any desk, drawer or cupboard containing confidential information must be kept secure, computers should be locked with a password or shut down when they are left unattended and memory sticks or other external memory devices containing personal data will be kept secure. When viewing personal information on a monitor, members must ensure it is not visible to others. Members dealing with telephone enquiries must verify the identity of callers and ensure they are authorised to process personal data before any such information is disclosed; if that cannot be verified, they should be asked to put their query in writing.

 

When personal data is no longer needed, it is physically destroyed, whether on paper, in which case it is shredded, or on other physical storage devices like CDs and memory sticks, which are wiped and rendered permanently unreadable.

 

Requests for access to personal data

 

By law, anyone may make a formal request for the information that London Forest Choir holds about them. The request must be made in writing. In some cases it may not be possible to release such information, for example, if the requested information contains personal data about another person. Any choir member who receives a written request should forward it to the Data Protection Officer immediately.

 

How to make a complaint

 

If you are unhappy with the way in which your personal data has been processed by us, you may in the first instance contact the Data Controller using the contact details above. If you remain dissatisfied, then you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted by phone on 0303 123 1113 or via their online notification system at www.ico.org.uk/make-a-complaint.