The EU General Data Protection Regulation or “GDPR” is the most important change to data protection and privacy law in two decades. It comes into force in the UK on 25th May 2018. The GDPR will replace the Data Protection Act 1998 and, while it is similar to the current regime in many ways, it takes into account major advances in information technology.
1.1 Policy statement
The GDPR 2018 establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details.
Rising Voices Wessex is committed to a policy of protecting the rights and privacy of individuals, members, volunteers, staff and others in accordance with the GDPR 2018. The policy applies to all members, staff and individuals who access our website and/or services. Any breach of the Data Protection Act 1998 is considered to be an offence and in that event, disciplinary procedures apply.
As a matter of good practice, other organisations and individuals working with Rising Voices Wessex, and who have access to personal information, will be expected to have read and to comply with this policy. It is expected that any staff who deal with external organisations will take responsibility for ensuring that such organisations sign a contract agreeing to abide by this policy.
1.2 What type of information is protected by the GDPR 2018?
It is important for all of us to care for anyone else’s personal or sensitive information in the same way that we would want them to look after ours.
The GDPR regulates the use of “personal data”.
Data means information which is:
- Being processed by means of equipment operating automatically in response to instructions given for the purpose;
- Recorded with the intention of being processed by means of such equipment;
- Recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.
What is personal data?
Personal data means data which relates to a living individual who can be identified:
a) From that data; or
b) From that data and other information which is in the possession of, or is likely to come into the possession of, the data controller;
c) This also includes any expression of opinion about the individual and any indication of intentions of the data controller or any other person in respect of the individual.
In relation to Rising Voices Wessex this means:
Names, addresses, telephone numbers, e-mail addresses and birthdays.
We do not currently collect sensitive personal data related to racial or ethnic origin; religious or similar beliefs; trade union membership; physical, mental or sexual health; political opinions; criminal offences. This data may only be held in strictly defined situations or where explicit consent has been obtained.
Under the regulations, Rising Voices Wessex must keep a record of how and when an individual gives consent to store and use their personal data.
What activities are regulated by the GDPR 2018 Act?
The Act regulates the “processing” of personal data. Processing means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data, including:
a) Organisation, adaptation or alteration of the information/data;
b) Retrieval, consultation or use of the information/data;
c) Disclosure of information or data by transmission, distribution or otherwise making available;
d) Placement, grouping, blocking or destruction of the information/data.
1.3 The eight principles of data protection:
- Processed fairly and lawfully
- Obtained for specific and lawful purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept any longer than necessary
- Processed in accordance with the data subject’s (the individual’s) rights
- Securely kept
- Not transferred to any other country without adequate protection in situ.
1.4 How do these principles affect Rising Voices Wessex?
Collection and processing of personal data (Principles 1 and 2)
- Data is collected solely for the purposes of assisting an individual with their enquiry, helping Rising Voices Wessex with its service delivery or fundraising and monitoring and improving the services we offer.
- Where it is clear at the point of initial enquiry that an individual cannot assist us, nor we them, no personal data is collected or recorded.
- Individuals contacting Rising Voices Wessex are advised during the initial call/conversation or in a thank you letter that their personal data is being collected and the purposes for which this will be used.
- The Rising Voices Wessex website provides details of how and when personal data will be collected.
Maintaining accuracy of personal data (Principle 4)
- All personal information should be accurately recorded and, where necessary, kept up to date.
- Personal details should be repeated back to check for accuracy.
Retention or destruction of personal data (Principle 5)
- Personal data should not be kept for longer than it is needed.
- Printed information should be destroyed properly using a shredder or secure disposal facility to ensure that no personal data can be retrieved.
- Emails in your personal mailbox should not be retained indefinitely.
- Any emails to be stored should be copied and stored in the appropriate place in the Rising Voices Wessex shared drive or printed out and placed on a paper file, then deleted from your personal mailbox.
Security of personal data (Principle 7)
- Your personal Rising Voices Wessex passwords should never be disclosed to anyone outside of the Rising Voices Wessex team.
- You should keep your own record of your passwords.
- Personal data should be stored in secure drawers and cupboards. No personal data is to be kept in working areas, e.g. on Post-it notes.
- Letters which contain any details of a personal nature should be clearly marked Private and Confidential to help ensure they are not opened by anyone other than the intended recipient.
- All financial records are to be kept in a secure cupboard.
- All governance folders are to be kept in a secure cupboard.
1.5 Inventory of Rising Voices Wessex personal data systems
Personal information recorded at the time of a phone call, conversation or receipt of a letter, including:
- Contact telephone number and/or address and/or email
- Other notes essential to their enquiry.
- Permissions for use of photos – a folder of scanned permissions is to be kept on the shared drive. Original documents need to be kept in a file in a secure cupboard.
- Access only information for the purpose of completing assigned authorised task(s).
- Access and retain only such information as is needed to effectively conduct the business of Rising Voices Wessex community choirs.
- Handle such information in a secure, confidential and appropriate manner in compliance with relevant laws, regulations, policies and procedures.
- Protect the privacy of members’ records, and prevent inappropriate or unnecessary disclosure of such records.
Information stored electronically on the Rising Voices Wessex database.
- The Rising Voices Wessex database is protected by virtue of access only being available to team members when they are logged on to the system using their personal passwords.
- Records are only accessible to individuals who work for Rising Voices Wessex (paid or volunteer).
2. Legal Requirements
Data are protected by the GDPR 2018, which came into effect on 25th May 2018. Its purpose is to protect the rights and privacy of individuals and to ensure that personal data are not processed without their knowledge, and, wherever possible, are processed without their consent.
The Act requires us to register the fact that we hold personal data and to acknowledge the right of ‘subject access’: members, staff and others who contact or use our services must have the right to copies of their own data.
2.1 Managing Data Protection
We will ensure that our details are registered with the Information Commissioner.
Purpose of data held by Rising Voices Wessex
Data may be held by us for the following purposes:
Realising the Objectives of a Charitable Organisation or Voluntary Body
Accounts & Records
Advertising, Marketing & Public Relations
Information and Databank Administration
Journalism and Media
Processing For Not For Profit Organisations
2.2 Data Protection Principles
In terms of the GDPR 2018, we are the ‘data controller’, and as such determine the purpose for which, and the manner in which, any personal data are, or are to be, processed.
Rising Voices Wessex must ensure that we have:
- Fairly and lawfully processed personal data:
We will always put our logo on all paperwork, stating our intentions on processing the data and stating if, and to whom, we intend to give the personal data. We will also provide an indication of the duration for which the data will be kept.
- Processed for limited purpose:
We will not use data for a purpose other than those agreed by data subjects (voluntary and community group members, staff and others). If the data held by us are requested by external organisations for any reason, they will only be passed on if data subjects (voluntary and community group members, staff and others) agree. External organisations must also state the purpose of processing, agree not to copy the data for further use and sign a contract agreeing to abide by the GDPR 2018 and the Rising Voices Wessex Data Protection Policy.
- Adequate, relevant and not excessive data:
Rising Voices Wessex will monitor the data held for our purposes, ensuring we hold neither too much nor too little data in respect of the individuals about whom the data are held. If data given or obtained are excessive for such purpose, they will be immediately deleted or destroyed.
- Accurate and up-to-date data:
We will provide our members (voluntary and community group members, staff and others) with a copy of their data once a year for information and updating where relevant. All amendments will be made immediately and data no longer required will be deleted or destroyed. It is the responsibility of individuals and organisations to ensure the data held by us are accurate and up-to-date. Completion of an appropriate form (provided by us) will be taken as an indication that the data contained are accurate. Individuals should notify us of any changes, to enable personnel records to be updated accordingly. It is the responsibility of Rising Voices Wessex to act upon notification of changes to data, amending them where relevant.
- Not kept data longer than necessary:
We discourage the retention of data for longer than it is required. All personal data will be deleted or destroyed by us after one year of non-membership has elapsed.
- Processed data in accordance with the individual’s rights:
All individuals that Rising Voices Wessex holds data on have the right to be informed, upon request, of all the information held about them within 40 days, and have the right to prevent the processing of their data for the purpose of direct marketing. They also have the right to compensation if they can show that they have been caused damage by any contravention of the Act, and to the removal and correction of any inaccurate data about them.
- Secure data:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.
All Rising Voices Wessex computers should have a log in system and our Contact Database is password protected, which allows only authorised staff to access personal data. Passwords on all computers are changed frequently. All personal and financial data is kept in a secure filing cabinet and can only be accessed by the Trustees. When staff members are using the laptop computers out of the office, care should always be taken to ensure that personal data on screen is not visible to strangers.
Data must not be transferred to countries outside the European Economic Area without the explicit consent of the individual. Rising Voices Wessex takes particular care to be aware of this when publishing information on the Internet, which can be accessed from anywhere in the world. This is because transfer includes placing data on a web site that can be accessed from outside the European Economic Area.
3.1 What is collected
The Rising Voices Wessex website does not store or capture any personal information when someone visits it. The system will log the user's IP address along with other information provided by the browser. This may include the name and version of the browser, the operating system and any website address that referred the user to the Rising Voices Wessex website. This information will only be used for producing anonymous website statistics and will be used to help us with the delivery of the services on the website.
When you visit the Rising Voices Wessex website pages, a small text file called a 'cookie' is downloaded onto your computer. This is called a session cookie. This will only remain on your computer until you close your browser. This cookie is not used to identify you personally in any way. We will use this type of cookie to collect aggregated website statistics that allow us to understand how visitors use the site. All of the information collected will be anonymous and only used to help us improve the website and report to funders on usage.
A persistent cookie will be downloaded when you first visit the site. These remain in your browser's cookie store between sessions. This type of cookie will allow us to identify repeat visitors to the site. Persistent cookies are also used to allow registered users to use the site without logging in on every visit. You may opt to view the site without cookies by adjusting your browser's settings. If you do disable cookies, some functions of the site may no longer work correctly.
For more information on cookies see the ‘All About Cookies’ website.
3.3 The system will record personal information if you:
- subscribe to or apply for services that require personal information;
- register for an event;
- report a fault and give your contact details for us to respond; or
- contact us and leave your details for us to respond.
Any information that is collected by Rising Voices Wessex from this website will only be used for monitoring purposes unless you have given consent for your information to be used, e.g. by providing us with your email on a contact form so that we can get back to you.
If you have subscribed to a service on the Rising Voices Wessex website then please see the terms and conditions relating to this. We will not share this information with third parties.
We will ensure that all personal information supplied is held securely, in accordance with the GDPR 2018. The data controller is Rising Voices Wessex. If you have any queries regarding this, please contact us.