The Data Protection Act 1998
(DPA)
This
document describes the relevance and provisions under the DPA regarding storing
and using people’s personal information, and how the Derby Choral Union (DCU)
complies with the provisions of the DPA.
Exemption and Compliance
It has
not been necessary formally to notify (register) with the Information
Commissioner since being a non-profit organisation, DCU is exempt. This applies to most amateur music making
societies, so long as (a) they comply with the set of data protection principles (see below), and (b) they display a
clear “Use of Data” statement on the website.
We believe that the DCU is compliant with the DPA and all of its data
protection principles.
Key Points
1.
The DPA deals with any personal information that is
collected or stored on paper or electronically. Personal information includes someone’s e-mail
address, postal address, or phone number where this could be used to identify
them in any way. It only applies to a living
person. If such information is being stored and/or used by an organisation, it must
comply with the set of data protection principles listed below.
We
believe that DCU complies with all 8 data protection principles.
2.
An organisation is legally obliged to state what it will be
using personal information for in a 'Use of Data’ notice, and such information must not be used for any purpose other than that stated. Furthermore, the DPA recommends that the 'Use
of Data’ notice should not just be available generally on the website, but
should be displayed specifically on the page(s) on which the information is collected.
We clearly state
our purpose on the website - see “DCU’s Use
of Data” below. This is displayed on all pages where e-mail registering is
invited.
3.
Personal information must not be passed on to third parties
without the express agreement of the user. Many websites use such information
for marketing, promotional or research purposes, but to do this the website
must seek permission first, and the page from which the information is
collected should have a tick-box to enable the user to 'opt-in' or 'opt-out' of
the option to pass on their personal information. If this box isn't there, then
the website cannot use your information.
We have no intention of passing such
information on, and the website makes this quite clear.
4.
Although such personal information is on the internet, that
doesn't mean it is in the public domain. Under the DPA, users have a legal
right to know how their personal information is securely stored and to see such
information stored on record whether on paper and online.
On written request,
we would show users where and how their personal information was being stored. All
organisations have to provide this within 40 days or we can be reported to the
Information Commissioner.
5.
An organisation must ensure that user’s personal
information is accurate, up-to-date, secure, relevant, and not stored for longer
than necessary.
Provision has been made for users to update (re-register) or be
removed (un-register) from the DCU registers at any time. When members leave
the choir, their information will be removed promptly.
DCU’s Privacy Policy
When Audience, Friends of the DCU or Choir
Members register their personal information (e.g. e-mail addresses) with the DCU,
it will be used purely for the sending of information regarding concerts and
events exclusively promoted by DCU. Information about other organisations’
events will not be sent (this is not because other organisations’ events aren’t
worth promoting, but that when people give DCU their contact details, the
'contract' is purely with DCU). Audience, Friends of the DCU and Choir Members’ personal
information is held securely, and it will not be displayed or passed on to anyone else.
DCU’s Use of Data
The following statement
appears in all pages on the website where registration is invited:
“Please
note that:
·
the e-mail Register will be used solely for the
purposes of communicating with registered people on DCU matters.
·
the Register will NOT be displayed nor
will it be forwarded to anyone outside the DCU committee or officers of the
choir.
·
registering
implies that you are happy for us to store your e-mail address in our records,
until such time that you ask to be removed."
The data protection principles
DPA governs the use
of data through the eight principles. These require that personal information
is:
·
processed fairly and lawfully
·
processed for one or more specified and lawful
purposes, and not further processed in any way that is incompatible with the
original purpose
·
adequate, relevant and not excessive
·
accurate and, where necessary, kept up to date
·
kept for no longer than is necessary for the
purpose for which it is being used
·
processed in line with the rights
of individuals
·
kept secure with appropriate technical and
organisational measures taken to protect the information
·
not transferred
outside the European Economic Area (the European Union member states plus
|