10th May 2018
The General Data Protection Regulation (GDPR) comes into force across all EU member states on 25th May 2018, requiring organisations’ compliance from day one. This is an overhaul of the current Data Protection Act to cover biometrics and genetic data. It brings the regulatory environment up to date in relation to Big Data and places obligations on organisations in relation to the protection of personal data and requirements to report data breaches.
The EU General Data Protection Regulation (GDPR) will unify data protection laws in the European Union and will apply to all 28 EU member states including the UK.
The main principles for the management of personal data are that it is:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate reasons;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
For the Phil, as a small charity, these general principles all still apply with respect to only holding what is necessary, holding it with consent and holding it safely etc. The main points are:
- We will never transfer your personal information we hold to a third party other than as noted below, nor do we transfer or hold it outside of the EU. Wherever possible this data is held on secure shares or on password-protected devices and access to the data is controlled to a limited number of individuals.
- Singing members’ names and voice parts only are listed in concert programmes.
- Trustees and other officer names are listed in Phil brochures, promotional leaflets and on the website.
- Details with respect to Gift Aid donations will be supplied to government bodies as necessary and as required by legislation.
- Images of the choir as a whole and of sub-groups may be used in choir publicity material.
- Allegations or incidents with respect to Safeguarding will be logged by the current Safeguarding Lead and may be forwarded to appropriate authorities if deemed necessary. See our Safeguarding Policy.
- Members have a right to view the data held about themselves, explicitly consented to its collection when they joined, and can ask for it to be corrected or removed.
- Members are responsible for notifying the Membership Manager of any change in name or contact details. The Chorus Master is responsible for notifying the Membership Manager of any change in assigned voice part (and colour where applied). In addition, the Membership Trustee and Phil IT Manager will regularly liaise to ensure data is accurate, secure and backed up.
- The Data Protection Officer role in the Phil sits with the Phil IT Manager.
- Governance of Data Protection sits with the Trustees as a whole.
This Policy will be reviewed and updated as required annually.