PRS FOR MUSIC MEMBERS BENEVOLENT FUND
The General Data Protection Regulation (GDPR) is enforced in the UK from 25 May 2018. This policy sets out how the PRS For Music Members Benevolent Fund (henceforward referred to as The Charity) will comply with the GDPR by covering the following areas:
1. Definition of key terms
2. Our understanding of the GDPR
3. How the GDPR fits into our objectives
4. Meeting our responsibilities under the GDPR
5. Respecting the rights of the individuals we work with under the GDPR
6. How our fundraising work complies with GDPR
1. Definition of the key terms:
Personal data: data conveying any information relating to an identified or identifiable natural person. This may include name, address, identifier numbers (e.g. telephone); it also includes online or electronically stored identifiers, if they can be used alone or in combination to identify a person. In addition, there is a category of ‘sensitive personal data’ which includes genetic, biometric and medical data; racial and ethnic identity; religious and political beliefs; and sexual orientation.
Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Data processor: a natural or legal person, public authority, agency or other body which is responsible for processing personal data on behalf of the controller.
Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data subject: the individual to whom the personal data belongs. This could be an applicant, beneficiary, donor, potential donor, trustee, employee, volunteer, contractor, or any other individual whose personal data are held by us.
Consent: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Our understanding of the GDPR
The GDPR is an EU-wide law that replaces the previous Data Protection Act (1988). The purpose of the GDPR is to help EU citizens better understand and control how their personal data is being used, and how to raise objections if necessary. The GDPR achieves this by placing responsibilities on data controllers and data processors; and by giving rights to data subjects.
In the UK, compliance with the GDPR is overseen by the Information Commissioner’s Office (ICO). The Charity is registered with the ICO as a data controller (registration number Z5734202). The Charity is also a data processor under the GDPR. The Trustees of The Charity have assessed the scale of our data processing and decided that the quantity of data being processed justifies appointing a Data Protection Officer, who can be contacted at firstname.lastname@example.org.
3. How GDPR fits into The Charity’s charitable objectives
The Charity is a registered charity that exists to financially assist PRS members, ex-members and their dependants who may be in straitened circumstances. The Charity does this by offering grants or loans, offering advice, and fundraising. To carry out this work fairly and effectively, The Charity processes personal data from individuals making an enquiry about our work, grant applicants, beneficiaries, potential donors, and existing donors. The Charity also holds personal data from our employees, contractors, volunteers, trustees, and Committee members and we use this data to ensure that our organisation functions effectively. The Charity has contracts with other organisations and may need to share personal data to fulfil obligations made to applicants, beneficiaries, volunteers, donors, trustees, and staff. The Charity recognises that these uses of personal data fall within the remit of the GDPR.
The Charity will only process personal data where we have a legal basis to do so and will always respect our data subject’s rights. We may process personal data because the data subject has consented to us doing so or because we consider we have a legitimate interest to do so. Where we do rely on a legitimate interest to process personal data information, we will always ensure that this is done in a way that respects the rights of our data subjects. Other reasons may include using information because we have a legal obligation to do so or because we must fulfil contractual obligations.
4. Meeting our responsibilities under the GDPR
The GDPR sets out responsibilities for organisations processing personal data. These responsibilities are recognised by the Trustees and in practice will be delegated to the Data Protection Officer for the Charity. The responsibilities are:
4.1 Personal data must be ‘processed lawfully, fairly and in a transparent manner in relation to individuals’ (ICO website 2018)
In our work with applicants, beneficiaries, donors and potential donors, The Charity processes some personal data under the lawful basis of consent. To comply with this The Charity informs individuals about the data we require from them and sets out how it will be used. The Charity explains our use of personal data in our data protection policy, application form, website, and fundraising documentation. The Charity will usually ask for written consent from the individual where possible. Where explicit consent is not gathered for a processing activity, data will only be processed where it is necessary for our legitimate interests, to comply with legal obligations, or fulfilling contractual obligations.
Wherever we rely on your consent, you will always be able to withdraw that consent. Data subjects can tell us to stop contacting them, or change the way in which we do so (e.g. email, post, telephone, SMS), by getting in touch with us at email@example.com. We will keep a record of any requests to stop receiving marketing from us to ensure that we do not communicate with those data subjects in the future, unless they tell us they want to hear from us again. Please note that if you opt out of marketing emails, you will still receive non-marketing emails which may contain essential information about your grant.
4.2 Purpose of using personal data and Disclosure
Personal data must be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’ (ICO website 2018)
The Charity uses personal data to carry out our charitable objectives as set out in section 3 above.
The Charity principally collects personal information to provide data subjects with the services, products or information they have requested. Where we use personal data, it may be because the data subject consented to us doing so. Some examples can be found below:
– The data subject has given consent to use the information for a specified purpose (including grant administration, marketing emails and newsletters)
• For internal administration, analyses, impact measurement and service reviews
• For fundraising support, feedback surveys and sending newsletters
– We have a legal obligation to use personal data, for example to provide Gift Aid information to HMRC
– We are using personal data in pursuit of a legitimate interest, for example:
• To collect money that is owed to us
• To manage our relationship with members, supporters, volunteers and donors, for example to invite people to events.
We may also keep a record of conversations we have with a data subject, feedback a data subject provides and any marketing/fundraising materials we send out to a data subject.
We may also need to share data with third parties, called ‘data processors’ (e.g. suppliers of goods or services), to fulfil our agreement with an individual. Where this is the case, we have a GDPR-compliant agreement with those third parties.
We may also need to disclose personal data if required to do so by law. For example, we are legally required to provide personal data to HMRC if a data subject has agreed to us claiming Gift Aid on their behalf.
4.3 How we collect personal data
Personal data must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’ (ICO website 2018)
The Charity carries out regular audits on all its data collection, processing, and storage functions to check that data are adequate, relevant and limited to that which is necessary to fulfil our charitable objectives and run our organisation effectively.
The Charity receives and stores personal information supplied to us in writing, via email, via the telephone, in person or online when applying, enquiring, or registering for help, employment, trusteeship, or volunteering opportunities, or when attending events or donating money to The Charity.
We may also receive personal information from third parties, for example, a welfare officer, charity, agency or organisation who refers you to our service.
Where grant recipients have provided information about their experience of applying for a grant, by whatever means, we will explain what the information will be used for and whether it will be held anonymously; it will always be used anonymously unless you agree otherwise. An example of such use is writing case studies for our communications, including PR and media activity, digital and social media, campaigning, fundraising materials and internal communications, to help us raise awareness of our mission. We would never use a personal story without obtaining the data subject’s consent first, and we would always contact the data subject to discuss the use of their story in further detail each time.
4.4 Personal data must be ‘accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay’ (ICO website 2018)
The Charity takes care to collect data accurately by using an application form, a telephone questionnaire and documented face-to-face interviews, and has reasonable administrative procedures for amending or erasing inaccurate data as necessary. There is regular training for staff and volunteers on how data is to be collected and updated or erased.
4.5 How long we keep your personal data
Personal data must be ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’ (ICO website 2018)
The Charity has set out a timescale for erasing data that we no longer need for processing purposes. When no longer needed, paper records will be shredded, and electronic records will be deleted or permanently anonymised. This process is documented as part of our regular data audit.
– Enquiries that do not progress beyond this stage: keep 1 year
– Applications and beneficiary information: keep for 6 years after the involvement has ended, in line with HMRC’s requirements for tax records
– Trustee information: in line with Charity Commission requirements, and keep 1 year after a Trustee has left for Annual Return purposes
– Donor information, including Gift Aid declarations and records: keep until 6 years after the end of the accounting period they relate to
4.6 Security of your personal data
Personal data must be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’ (ICO website 2018)
The Charity’s data audit has assessed the risks to personal data. We have put in place appropriate managerial procedures to safeguard and secure the information we collect. We have set up reasonable levels of protection for physical and electronic records, including:
– locked filing cabinets with control of access to keys
– locked offices, again with key control
– fire precautions
– password-protected computers
– adequate levels of permission to access computer files
– adequate anti-virus software
– adequate back-up procedures
– adequate agreements for data stored in the cloud or offsite
– encryption of personal data if it is being transferred electronically
– regular training for staff and volunteers on data security
The Charity recognises that serious breaches of unencrypted personal data must be reported to the ICO within 72 hours of our becoming aware of the breach.
4.7 Staff Training
The Charity will make all staff who have access to personal data aware of the GDPR, this policy and the legal obligations the GDPR places on The Charity. It will also ensure that there is appropriate data protection training for personnel on an ongoing basis.
4.8 Data Transfers
We share information with organisations outside the EEA where it is necessary to do so to fulfil our agreements and commitments to beneficiaries and applicants. Data is adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or a vendor’s Processor Binding Corporate Rules.
5. Respecting the rights of the individuals we work with under the GDPR
The GDPR sets out rights for individuals (i.e. data subjects), which The Charity recognises and respects.
5.1. The right to rectification: The Charity will correct data that is wrong when told to do so by the data subject.
5.2. The right to erasure: The Charity will delete some, or all, of a data subject’s information on request, unless it needs to be kept for legal reasons.
5.3. The right to restrict processing: The Charity will stop processing some, or all, data on request, unless there are overriding legal reasons.
5.4. The right to data portability: The Charity will provide data in a suitable format to another data controller when requested to do so.
5.5. The right not to be subject to automated decision-making (sometimes called ‘profiling’): The Charity will not use automated decision-making.
5.6. The right to access: The Charity recognises data subjects’ right to file a written subject access request (SAR) for a copy of any personal data held.
5.7. The right to object: Where we don’t have to process the data to meet a contractual or other legal requirement, The Charity will comply with objections to our processing of your personal data.
Please note that these rights may be limited, for example if fulfilling your request would reveal another person’s personal data, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping.
To exercise any of these rights, please get in touch with us using the contact details provided above.
6. How our fundraising complies with GDPR
We fundraise from members of PRS for Music Ltd, and our supporters. When we contact individuals for fundraising purposes, we are clear that fundraising is our aim. We refer individuals to our Data Protection Policy and obtain their informed consent before collecting personal data (this is sometimes called ‘opt in’ consent). We contact individuals by post or email. Our post and email requests contain an ‘unsubscribe’ facility, and this is used to prevent further unwanted email contact.
The Charity does not pass our fundraising contacts to other parties and does not buy mailing lists for fundraising purposes.