Data Protection Policy
General Statement of Duties
- The Foundation for Young Musicians (“FYM”) is the data controller and is required to process personal data and shall take all reasonable steps to do so in accordance with this Policy, the Data Protection Act 1998 (the “DPA”) and any subsequent applicable regulation. The FYM aims to have transparent systems for holding and processing written personal data. Any reference to personal data in this Policy includes reference to sensitive personal data. Processing may include obtaining, recording, holding, disclosing, destroying or otherwise using data.
- Any individual is entitled to request access to information relating to their personal data held by the FYM.
The Data Protection Act 1998 (“DPA”) and the General Data Protection Regulation (“GDPR”)
- The FYM has the responsibility to comply with the DPA and any applicable successive law or regulation.
- The DPA applies to information relating to both “personal” and “sensitive personal” data.
- Personal Data is defined in the DPA as information relating to and identifying a living individual (“data subject”). The FYM may process a wide range of personal data of individuals donating to the FYM, pupils of the Centre for Young Musicians (the “CYM”), their parents or guardians as part of their operation. Personal Data is biographical in a significant sense, having the data subject as its focus and affecting the data subject’s privacy. It includes facts, any expression of opinion about an individual and any indication of the intentions of anyone in respect of that individual. For example, names, addresses, bank details, academic and disciplinary records.
- Sensitive Personal Data is a sub-category of Personal Data and is defined in the DPA as information in respect of racial or ethnic origin, political opinions, religious beliefs or “other beliefs of a similar nature”, membership of a trade union, physical or mental health, sexual life, criminal convictions and alleged offences.
- In order to comply with the DPA, the FYM must comply with the eight Data Protection Principles which state that personal data must be:
- Processed fairly and lawfully;
- Obtained only for one or more specified and lawful purposes;
- Adequate, relevant and not excessive;
- Not kept longer than is necessary;
- Processed in accordance with the individual’s rights under the DPA;
- Kept secure; and
- Not transferred to countries outside the European Economic Area unless there is adequate protection to the individual in relation to processing.
Processing of Personal Data
- Processing includes obtaining, holding, recording, adding, deleting, augmenting, disclosing, destroying, printing or otherwise using the data.
- Consent may be required for the processing of personal data unless the FYM has any other lawful purpose. Personal Data, unless exempt from restriction on processing under the DPA, will only be disclosed to third parties under the terms of this Policy or otherwise with the consent of the appropriate individual. Once the GDPR is in force, it is expected that consent will generally be required.
- The rights in relation to personal data set out under the DPA are those of the individual to whom the data relates. In most cases the FYM will rely on the appropriate consent of the data subject to process any personal data.
Exemptions which Allow Disclosure of Personal Data to Third Parties
- There are a number of exemptions in the DPA which allow disclosure of personal data to third parties, and the processing of personal data by the FYM, which would otherwise be prohibited under the DPA. The majority of these exemptions only allow disclosure and processing of personal data where specific conditions are met, namely:
- the data subjects have given their consent (with regard to sensitive personal data, this may require explicit, written consent, depending on the circumstances);
- for the prevention or detection of crime;
- for the assessment of any tax or duty;
- where it is necessary to exercise a right or obligation conferred or imposed by law upon the FYM (other than an obligation imposed by contract);
- for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings);
- for the purpose of obtaining legal advice; and
- for research, historical and statistical purposes (so long as this neither supports decisions in relation to individuals, nor causes substantial damage or distress).
Use of Personal Information by the FYM
- It is required under the DPA that the personal data held about data subjects must only be used for specific purposes allowed by law. The FYM holds personal data on data subjects, in particular from individuals who have supported the FYM by making a donation, signing up for an event or otherwise. The personal data that is collected and may be used by the FYM includes names, contact details, bank details or credit card details (relating to donations), information relating to the CYM and photographs.
- The data is used in order to effect the mandate of the FYM, to monitor and report on its progress, and to assess how well the FYM as a whole is doing, together with any other uses normally associated with this provision of a charitable function.
- The FYM may make use of limited personal data (such as contact details) relating to pupils of the CYM, their parents or guardians for fundraising, marketing or promotional purposes and to maintain relationships with pupils of the CYM.
- In particular, the FYM may use personal information to:
- transfer information to any association, society or club set up for the purpose of maintaining contact with pupils or for fundraising, marketing or promotional purposes relating to the CYM;
- disclose photographs and names of pupils of the CYM to the media and third parties (or allow the media to take photographs of pupils) for promotional and congratulatory purposes where a pupil may be identified by name when the photograph is published e.g. where a pupil has won an award or has otherwise excelled;
- make personal data, including sensitive personal data, available to staff for planning fundraising or associated activities;
- keep the information on a database for administrative purposes;
- provide individuals with any services and/or information that have been requested;
- update individuals about any changes;
- administer donations, including Gift Aid processing;
- analyse and improve the operation of the CYM/FYM website;
- ensure that targeted communications can be sent;
- contact individuals where they have been identified as a contact person for an organisation or otherwise and where individuals have indicated that they may be contacted.
- Photographs with names identifying pupils will not be published on the CYM website without the express permission of the appropriate individual.
- Any wish to limit or object to any use of personal data should be notified to the board of the FYM in writing, which notice will be acknowledged by the board of the FYM in writing.
Disclosure of Personal Data to Third Parties
- The FYM may receive requests from third parties (i.e. those other than the data subject, the FYM, and employees of FYM) to disclose personal data it holds. This information will not generally be disclosed unless one of the specific exemptions under the DPA which allows disclosure applies; or where necessary for the legitimate interests of the individual concerned or the FYM.
- The following are the most usual reasons that the FYM may have for passing personal data to third parties:
- to coordinate fundraising activities on behalf of the CYM and its related regional centres;
- to coordinate fundraising activities in conjunction with the Guildhall Young Artists Division, of which the CYM is a part.
- Any wish to limit or object to any use of personal data by third parties, except as stated in paragraph 19 above, should be notified to the board of the FYM in writing.
- Where the FYM receives a disclosure request from a third party it will take reasonable steps to verify the identity of that third party before making any disclosure.
Accuracy of Personal Data
- The FYM will endeavour to ensure that all personal data held in relation to an individual is accurate. Individuals must notify the relevant FYM in writing of any changes to information held about them. An individual has the right to request that inaccurate information about them is erased or corrected.
Security of Personal Data
- The FYM will take reasonable steps to ensure that members of staff or its board will only have access to personal data where it is necessary for them to do so. All staff will be made aware of this Policy and their duties under the DPA. The FYM will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons. However, despite all reasonable precautions the FYM cannot guarantee the security of any information disclosed via electronic means.
Retention of Personal Data
- The FYM will have retention policies in place to ensure that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Rights of Access by Data Subjects to their Personal Data
- Under the DPA, individuals have a right of access to their personal data held by the FYM. This is known as a “subject access request” and is subject to exemptions and constraints within the DPA. Any request in writing will be responded to as long as the appropriate fee is paid, satisfactory identification is given and the information request is clear.
Requests for Access to Records (Subject Access Requests)
- A subject access request must be made in writing. Where the request is not complete or clear, the fee has not been paid, or satisfactory identification has not been given, a Personal Data Request Form must be sent to the individual concerned within two working days of when the request is received by the FYM.
- The FYM’s Data Protection Officer will be informed of all requests for access to records.
Responding to Requests for Access to Records
All requests for access to records must be passed to the board of the FYM.
- The board of the FYM must authorise the applicant’s request for access before any information is disclosed (see also paragraphs 33-35 below).
- A written response acknowledging the application form must be sent to the applicant within 5 working days of the request.
- The DPA (this may change once the GDPR is in effect) requires a response to a request to be given within 40 calendar days of the written request being received. The 40 day period does not begin until:
- a written application is received by anyone within the FYM (not when it has been passed on to and received by the Data Protection Officer);
- the FYM has received sufficient information to enable it to identify the individual who is seeking access;
- the FYM has received sufficient information to enable it to access the information requested; and
- where applicable the fee of £10 has been received, unless otherwise waived at the FYM’s discretion.
- Where the conditions set out in paragraph 30 are fulfilled, in responding to the request, the FYM must confirm whether personal data is being processed and where that is the case, give a description of the personal data that is being processed, the purposes for which the personal data is being processed, and the persons to whom the personal data are or may be disclosed. The FYM must also provide, in an intelligible form, a copy of the information held and, where possible, details of the source of the information. Finally, where processing results in automated decision making which evaluates matters relating to the data subject (for example, in the marking of multiple choice questions), the data subject should be informed of this and of the logic involved in that decision-making.
- Data subjects are not entitled to information where exemptions to the right of access apply (see paragraphs 48-50 below). Moreover, in these circumstances, the FYM must only give a notification to the data subject that no information has been identified which is required to be supplied under the DPA.
Authorisation of Access to Records on Behalf of a Child or Young Person
- A child or young person may appoint a person with parental responsibility for him or her to request access to their records. In such circumstances the FYM must have written evidence that the child or young person has authorised the person with parental responsibility to make the application.
- The board of the FYM will determine what information will be shared with the person with parental responsibility. Access to records will be refused in instances where, for example, information sharing may place a child at risk of significant harm or jeopardise police investigations into any alleged offence(s).
- Where a child or young person does not have sufficient understanding to make his or her own request, a person with parental responsibility can make a request on their behalf. The board of the FYM must, however, be satisfied that:
- the child or young person lacks sufficient understanding; and
- the request made on behalf of the child or young person is in their interests.
Disclosure of Information
- Any individual is, subject to exemptions and constraints within the DPA, entitled to have access to all information specifically held about him or her where:
- it is automated data being personal data held or processed electronically, for example, on a computer, word processor, audio and video system or telephone logging system;
- it is manual data which consists of non-automated information such as paper or microfiche files or records, which record information as part of a relevant filing system. A relevant filing system is defined as a set of information relating to individuals and structured either by reference to individuals or specific criteria relating to those individuals, so that specific information relating to a particular individual is readily accessible in a way broadly equivalent to information accessed within a computerised system.
- The personal data must be provided in permanent form (e.g. paper, microfiche, CCTV images) unless:
- the supply of such a copy is not possible;
- supplying it in permanent form would involve disproportionate effort (in which case another way of viewing the data must be agreed with the applicant); or
- the data subject agrees otherwise.
- Only relevant documents from the individual’s file will be duplicated and disclosed to the applicant who, if requested, should be given a copy of the duplicated document.
- An individual is not entitled to information where:
- exemptions to the right of access apply (see paragraphs 48-50 below); or
- another person, including any family member, has not given their written consent to disclose information that identifies them (but see paragraph 48 below).
- Information contained in an individual’s records is likely to contain information about persons other than the individual. Generally, information about or identifying another person must not be disclosed to the individual seeking access to the information without that person’s written consent.
- There may be circumstances where the board of the FYM considers it reasonable in all the circumstances to disclose information without the consent of the other person. For example, when the person cannot be traced.
- In determining what is reasonable in all the circumstances it is necessary to have regard to:
- any duty of confidentiality owed to the other person;
- any steps taken with a view to seeking consent of the other person to the disclosure;
- whether the other person is capable of giving consent; and
- any express refusal of consent by the other person.
- In instances where the board of the FYM has decided information concerning other people, or their identities, may not be disclosed, it is acceptable to blank out the relevant information.
- There is also a general presumption in favour of disclosing personal data relating to employees, where this information is integral to the personal data of the applicant.
- Any request by an individual for access to information held about them must be complied with subject to this paragraph and to the exemptions set out in paragraphs 48-50 below. The FYM may, however, make a request for more specific details of the information sought.
- A request for access to files without the permission of the individual must be directed to the Data Protection Officer.
- A record of the information disclosed in response to a request for access to information should be kept including details of any exemptions to disclosure relied upon (see paragraphs 48-50 below).
Exemptions to Access by Data Subjects
- Confidential references given, or to be given by the FYM, are exempt from access. The FYM will therefore treat as exempt any reference given by them for the purpose of the education, training or employment, or prospective education, training or employment of any individual.
- It should be noted that confidential references received from other parties may also be exempt from disclosure, under the common law of confidence. However, such a reference can be disclosed if such disclosure will not identify the source of the reference or where, notwithstanding this, the referee has given their consent, or where disclosure is reasonable in all the circumstances.
- Where a claim to legal professional privilege could be maintained in legal proceedings, the information is exempt from disclosure unless the privilege is waived.
Repeated Requests for Access to Records
- Unless a reasonable period of time has lapsed between the compliance with one request and receipt of the next, under the DPA the FYM is not obliged to comply with subsequent identical or similar requests from that applicant.
Individuals’ Rights and Complaints
- An individual has the right to withdraw consent for the processing of their personal data. There may be some instances where the FYM may legally be required to retain the personal data for audit or other purposes.
- If an individual believes that the FYM has not complied with this Policy or acted in accordance with the DPA they should utilise the FYM’s complaints procedure.
- If the individual is still not satisfied, he/she may make representations to the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel (01626) 545 700.
- The GDPR is expected to become law in the UK in May 2018 and will confer a number of additional rights including:
- The right to rectification
- The right to erasure
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
This Policy may be updated to reflect the changes introduced by the GDPR.
Foundation for Young Musicians