West Byfleet Community Choir Data Protection policy

Policy written & approved by WBCC Committee on: August 2025

Introduction

Next review date: August 2026

In order to operate, West Byfleet Community Choir (WBCC) needs to gather, store and use certain forms of data about individuals. These may include: choir members, suppliers, volunteers, guests, audiences and potential audiences, business contacts and other people the Choir has a relationship with or regularly needs to contact.

This policy explains how this data should be collected, stored and used in order to meet current data protection standards and comply with the law. This policy ensures that WBCC:

• protects the rights of our members, partners and supporters

• complies with data protection law and follows good practice

• is protected from the risks of a data breach Who and what does this policy apply to? This applies to all those handling data on behalf of WBCC, including Committee members, Choir members, suppliers and partners. The policy applies to all data that WBCC holds relating to individuals, including: Names, Email addresses, Phone numbers; any other personal information held such as records of membership payments and any other financial information; and visual data including photographs and videos.

Roles and Responsibilities

Everyone who has access to data as part of WBCC has a responsibility to ensure that they adhere to this policy.

Data Controller

The Committee are responsible for determining how and why data is collected and how it will be used. Any questions relating to the collection or use of data should be directed to the Chair of the committee.

Data Protection Principles

• We fairly and lawfully process personal data.

WBCC will only collect data where lawful and where it is necessary for the legitimate purposes of the Choir. A member’s name and contact details will be collected when they first join the Choir and will be used to contact the member regarding Choir membership, administration and activities. Other data may also subsequently be collected in relation to membership, including about their payment history for ‘subscriptions’.

The name and contact details of committee members, employees, volunteers and contractors will be collected when they take up a position and will be used to contact them regarding Choir administration related to their role. Further information, including personal financial information and criminal records information, may also be collected in specific circumstances where lawful and necessary (e.g. to process payment to the person or to carry out a DBS check).

An individual’s name and contact details will be collected when they make an enquiry about membership of the Choir. This will be used to contact them about whether they wish to join the Choir.

An individual’s name, contact details and other details may be collected at any time (including when making an enquiry about joining or when attending an event), with their consent, in order for to WBCC to communicate with them about Choir activities.

Visual data may be gathered in the form of photographs and videos at public performances given by the choir, and at choir workshops, guest nights, and presentations to charity partners. Consent will be sought for the storage of any such images and their use in publicity. (See separate Safeguarding Policy regarding the use of video recording during concerts involving young people and local children’s choirs).

• We only collect and use personal data for specified and lawful purposes.

When collecting data, WBCC will always explain to the subject why the data is required and what it will be used for, e.g. “Please enter your email address in the form below. We need this so that we can send you email updates for Choir administration including about rehearsal and concert schedules, subs payments and other business.” We will never use data for any purpose other than that stated or that can be considered reasonably to be related to it. For example, we will never pass on personal data to third parties without the explicit consent of the individual.

• We ensure any data collected is relevant and not excessive.

WBCC will not collect or store more data that the minimum information required for its intended purpose. For example, we need to collect email addresses and telephone numbers from members in order to be able to contact them about Choir administration, but data on their address, marital status or sexuality will not be collected, since it is unnecessary and excessive for the purposes of Choir administration.

• We ensure data is accurate and up to date.

Choir members are required to inform the committee of any updates to their contact details - any individual will be able to update their data at any point by contacting the Membership Secretary.

• We ensure data is not kept longer than necessary.

WBCC will keep data on individuals for no longer than 6 months after our involvement with the individual has stopped, unless there is a legal requirement to keep records.

• We process data in accordance with individuals’ rights.

The following requests can be made in writing to the Committee:

Members, suppliers and individuals can request to see any data stored on about them. Any such request will be actioned within 14 days of the request being made. Individuals can request that any inaccurate data held on them is updated. Any such request will be actioned within 14 days of the request being made. Individuals can object to any storage or use of their data that might cause them substantial distress of damage or any automated decisions made based on their data. Any such objection will be considered by the Committee, and a decision communicated within 28 days of the request being made.

• We keep personal data secure.

WBCC will ensure that data held by us is kept secure. Electronically-held data will be held within a password-protected and secure environment. Physically-held data (e.g. sign-up sheets and attendance lists) will be stored in a cabinet capable of being locked. Access to data will only be given to relevant Committee members where it is clearly necessary for the running of the Choir. The Chair of the Committee will decide in what situations this is applicable and will keep a master list of who has access to data.

• Transfer to countries outside the EEA

WBCC will not transfer data to countries outside the European Economic Area (EEA), unless the country has adequate protection for the individual. We only share members’ data with other members with the subject’s prior consent.