Data Protection Policy

Approved at committee on: 2018-04-10
Next review date: 2020-04-01

Overview

In order to operate, Bristol A Cappella Limited needs to collect, store, and use information about individuals. This policy explains how these activities comply with the General Data Protection Regulation (GDPR).

This policy applies to anyone handling personal data on our behalf.

Data Register

Where possible, we'll make sure that our audiences aren't identified in recordings or photos so that they don't need to be covered by this policy. 1)

Roles and Responsibilities

Data Controller: Bristol A Cappella Limited
Data Protection Officer: the current Secretary of Bristol A Cappella, ex officio

The Data Protection Officer, along with the committee (representing the company directors), is responsible for our secure, fair and transparent collection and use of data. Any questions relating to the collection or use of data should be directed to the Data Protection Officer.

Where we use third party Data Processors (such as Google Drive), we’ll ensure they are compliant with GDPR.

Data Protection Principles

  1. We fairly and lawfully process personal data in a transparent way
    See our data register for specific details of the data we hold, how it is held, who has access to this data, the legal bases on which we process it, and the retention periods.
  2. We only collect and use personal data for specific and legitimate purposes
    When collecting data, we will always provide a specific and clear privacy statement explaining why the data is required and what it will be used for.
  3. We ensure any data collected is relevant and not excessive
  4. We ensure data is accurate and up-to-date
    We’ll ask people to check and update their data on an annual basis, but any individual can update their information at any time by contacting the Data Protection Officer.
  5. We ensure data is not kept longer than necessary
    We’ll keep records only to meet the intended use unless there’s a legal requirement. Storage and use will be reviewed every two years.
  6. We keep personal data secure
    • Electronic data will be held in a password-protected, secure environment
    • Shared passwords will be reset each time an individual with data access leaves their role/position
    • Physical data will be held in a locked cupboard
    • Keys for locks securing physical data will be collected by the Data Protection Officer from any individual with access if they leave their role/position
    • Access will only be given to relevant people where it is necessary and the Data Protection Officer will keep a register for this.
  7. We won’t transfer data to countries outside the European Economic Area (EEA) unless the country has adequate protection for individual data privacy rights

Individual Rights

For data we process, the individual subject has the following rights in regard to that data. Bristol A Cappella will ensure we comply with those rights and make all reasonable efforts to fulfil requests related to them.

  1. Right to be informed
  2. Right of access
    Individuals can see the data we hold about them; requests should be made in writing (such as an email) to the Data Protection Officer, and will be complied with within one month. In complex cases, this may be extended to two months.
  3. Right to rectification
    To update our information, speak with the Data Protection Officer.
  4. Right to object
    Individuals can withdraw their consent for marketing communications or other data processing, unless we have a lawful reason to continue to use the data for legitimate interests or contractual obligations.
  5. Right to erasure
    Individuals can request we delete all information about them unless there is a lawful reason for us to continue to hold the data for legitimate interests or contractual obligation, or there is a legal requirement.
  6. Right to restrict processing
    Individuals can request that we stop processing their information, for instance while inaccurate information is being updated.

Bristol A Cappella Limited will also comply with requests related to portability and automated decision making, though these are likely to be uncommon in practice.

Member-to-member Contact

We don’t give out information unless the subject has given prior consent. In most cases, shared communications tools will be used.

Any time data is collected other than for legitimate interests or contractual obligations, we’ll use a method to show positive and active consent, such as an un-ticked checkbox, and a clear and specific explanation of what the data will be used for.

Every consent-based communication will include a method for withdrawing consent, such as an unsubscribe link, which will be processed within 14 days.

3rd Parties

Data stored by Bristol A Cappella Limited may be stored in a number of third-party systems. Bristol A Cappella Limited will never sell or give away protected data for marketing purposes.

  • Asana
  • Barclays Bank
  • Dropbox
  • Facebook
  • GoCardless
  • Google (Drive)
  • MeetUp
  • Microsoft (OneDrive)
  • PayPal
  • QuickFile
  • Slack
  • TicketSource
  • Twitter
  • YouTube

1) At public events, different laws cover recording, so this policy doesn't necessarily apply then.