GDPR Policy

Context

Singing Mamas Choir CIC (T/A ‘Singing Mamas’) holds personal data about its directors, staff, network members, suppliers and beneficiaries for a variety of business purposes. We have a legal obligation under the UK General Data Protection Regulation to make sure that we protect the rights and freedoms of all of the individuals whose data we hold and that we safely and securely process their data. We also have a responsibility to report any breach of GDPR to the relevant supervisory body and to respond to any requests from individuals to see or have deleted any information held about them.

Definitions

‘Business purposes’ include the following:

  • Personnel, administrative, financial, regulatory, payroll and business development purposes.
  • Compliance with our legal, regulatory and corporate governance obligations and good practice
  • Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
  • Ensuring business policies are adhered to (such as policies covering email and internet use)
  • Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
  • Investigating complaints
  • Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
  • Monitoring staff conduct and disciplinary matters
  • Marketing our business and improving services

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data we gather may include: individuals' phone number, email address, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title and Curriculum Vitae.

‘Special categories of data’ include information about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences or related proceedings and genetic and biometric information. Any use of special categories of personal data should be strictly controlled in accordance with this policy.

‘Data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law.

‘Data processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

‘Data Subject’ is an individual or ‘natural person’ whose data is collected, processed and held.

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Supervisory authority’ means the national body responsible for data protection. The supervisory authority for our organisation is the Information Commissioner's Office (ICO).

‘The Principles’ are a set of 6 guideposts set out in the UK General Data Protection Regulation which explain the scope of GDPR. These are:
1. Lawful, fair and transparent
2. Limited for its purpose
3. Data minimisation
4. Accurate
5. Retention
6. Integrity and confidentiality


Interpretation

Singing Mamas is classified as a data controller and a data processor and must maintain appropriate registration with the Information Commissioner's Office to continue lawfully controlling and processing data.

Singing Mamas Network Members (by which we mean Registered Practitioners and Community Leaders) are also classed as data processors, as they collect and hold information about their local group members / beneficiaries.

Directors, Network Members and local group members / beneficiaries are all ‘data subjects’ as we hold some information about them.

Procedures

Singing Mamas operates procedures to make sure we comply with each of the principles of data protection. These are explained below:

  1. Lawful, fair and transparent

This means data collection must be fair, for a lawful purpose, and we must be open and transparent about how the data will be used. We comply with this by explicitly gaining consent before we collect data, and by only asking Directors, Network Members and local group members for the minimum amount of information we need in order to provide an effective service to them. We also state explicitly at the start of every data collection form why we are asking for the information and how it will be used.

  2. Limited for its purpose

This means data can only be collected for a specific purpose. We comply with this by reviewing all of our data collection methods and purposes annually (as set out in the table at the end of this policy).

  3. Data minimisation

This means any data collected must be necessary and not excessive for its purpose. We comply with this by reviewing all of our data collection methods and purposes annually (as set out in the table at the end of this policy).

  4. Accurate

This means that data we hold must be accurate and kept up to date. We comply with this by deleting information in line with appropriate retention periods and prompting our data subjects to update their information annually.

  5. Retention

This means we cannot store data longer than necessary. We comply with this by reviewing all of our data collection methods and purposes annually (as set out in the table at the end of this policy).

  6. Integrity and confidentiality

The data we hold must be kept safe and secure. We comply with this by:

  • Holding any sensitive data (which covers ‘special categories’) on an anonymised online spreadsheet which can only be accessed with a password. The password will only be known to members of the Board of Directors.
  • Holding personal data on Network Members on an online spreadsheet which can only be accessed with a password. The password will only be known to members of the core team whose role involves supporting Network Members.
  • Only requiring personal data on local group members / beneficiaries who take part in funded projects (where the funder requires such monitoring)
  • Only making personal data on local group members / beneficiaries available to the staff working on the project they are attending and for the duration of the project.

Responsibilities

The Board of Directors is responsible for:

  • Ensuring that Singing Mamas is registered with the ICO if required
  • Reviewing this policy annually
  • Ensuring an induction to this policy is provided to all board members and network members
  • Reporting any serious breaches of this policy to the ICO
  • Ensuring that requests from individuals wishing to see information held about them or requests to have information deleted are responded to within a month.

The Core Team are responsible for:

  • Following this policy as part of their working practice
  • Only saving data on password protected devices
  • Reporting any breaches of this policy to the Board of Directors

Network Members are responsible for:

  • Keeping information about local group members / beneficiaries on password protected devices
  • Storing any physical copies of information securely
  • Destroying / deleting copies of information after a project has been completed or when a beneficiary has stopped accessing the service
  • Reporting any GDPR breaches to the Board of Directors

Data Collection Review

Each entry below records, for one category of data subject: Scope of Data, Use of Data, Consent, Method, Confidentiality and Retention.

Board of Directors
  • Scope of Data: Name, address, email, phone number, DOB, qualification to act as a Director
  • Use of Data: Registration on Companies House and information to grant funders
  • Consent: Explicit consent required as part of induction
  • Method: Declaration and commitment (Word document)
  • Confidentiality: Kept on password protected system only accessible to other board members.
  • Retention: 3 years from resignation

Network Members
  • Scope of Data: Name, address, email, phone number, emergency contact, access needs, details of relevant skills & qualifications
  • Use of Data: Assessment of suitability for training programme and license as a Registered Practitioner or Community Leader. Receipt of monthly newsletter.
  • Consent: Explicit consent required at registration
  • Method: Built into the online registration process within Kajabi.
  • Confidentiality: Kept on password protected system only accessible to Core Team.
  • Retention: 1 year from end of membership

Local group members / beneficiaries of funded projects
  • Scope of Data: Name, address, email, phone number, emergency contact, access needs (both parent and child).
  • Use of Data: Providing support for them to attend project and reporting to funder
  • Consent: Explicit consent required at registration
  • Method: Electronic or paper-based registration form and weekly register
  • Confidentiality: Transferred from hard copy to electronic once completed. Then kept on password protected system only accessible to core team and local leader.
  • Retention: 1 year after end of project

Local group members / beneficiaries of Community Projects
  • Scope of Data: Name and email address
  • Use of Data: Registration as a supporter member and / or recipient of monthly newsletter
  • Consent: Explicit consent required at registration
  • Method: Supporter member registration and / or newsletter sign up.
  • Confidentiality: Held securely on password protected Kajabi / Mailchimp system
  • Retention: Until they select to ‘opt out’

Community Leader Trainees
  • Scope of Data: Contact details, medical conditions that might be relevant, communication needs and experience and intentions.
  • Use of Data: Access and participation in Community Leader Training, including any support needs.
  • Consent: Explicit consent required as part of registration
  • Method: Spreadsheet (Google Drive)*
  • Confidentiality: Held securely on password protected system
  • Retention: 6 months from completion of training course?

Community Leader Trainees
  • Scope of Data: Recording of live group tutorial, in which trainees may choose to share life experiences, views and reflections, as relevant to training material.
  • Use of Data: For trainees within the same cohort to access if they have missed a session or re-watch for learning purposes.
  • Consent: Make more explicit? Integrate into T&C of training?
  • Method: Currently: saved on Kajabi as 'recordings'. Future: keep within Google Drive, so that they have to be requested by trainees, access authorized by SM and a log of access is automatically created?
  • Confidentiality: Future: keep within Google Drive, so that they have to be requested by trainees, access authorized by SM and a log of access is automatically created
  • Retention: 6 months from completion of training course?

All stakeholders
  • Scope of Data: Equalities data (age, disability, gender reassignment, race (including colour, nationality, and ethnic or national origin), religion or belief, sex and sexual orientation)
  • Use of Data: Anonymous evaluation of company’s inclusivity and diversity
  • Consent: Explicit consent required on form
  • Method: Anonymous Google form sent as an annual census
  • Confidentiality: This is held on a password protected spreadsheet which is only available to the Board of Directors
  • Retention: Delete / replace annually with updated information