Privacy Policy
The Music Mind Spirit Trust
Data Protection Policy
Policy information
Organisation
The Music Mind Spirit Trust (MMST)
Policy operational date
from 25 May 2018
Policy prepared by
Dr J C Robertson
Policy review date
updated annually: next review 25 May 2024
Introduction
Purpose of policy
· complying with the law
· following good practice
· protecting MMST, clients, staff and other individuals
Data Protection Principles
The EU General Data Protection Regulation (GDPR) offers increased protection of the collection and processing of personal data, including contact details.
Policy statement
The MMST Policy statement:
· complies with both the law and good practice to respect individuals’ rights
· ensures that MMST is open and honest with individuals whose data is held, i.e. MMST Friends, donors and staff
· aids in providing training and support for staff who handle personal data, so that they can act confidently and consistently.
Key risks
The two key areas of potential risk that MMST takes extra precautions to guard against are:
· information about individuals getting into the wrong hands, through poor security or inappropriate disclosure of information
· individuals being affected through data being inaccurate or insufficient.
Responsibilities
Trustees
MMST Trustees have overall responsibility for ensuring that the organisation complies with its legal obligations.
Data Protection Officer
The Data Protection Officer’s responsibilities include:
· Briefing the board on Data Protection responsibilities
· Reviewing Data Protection and related policies
· Advising other staff on Data Protection issues
· Ensuring that Data Protection induction and training takes place
· Handling subject access requests
· Approving unusual or controversial disclosures of personal data
· Approving contracts with Data Processors.
Team/Department managers
Each MMST team where personal data is handled is responsible for drawing up its own operational procedures (including induction and training) to ensure that good Data Protection practice is established and followed.
Also, the managers ensure that the Data Protection Officer is informed of any changes in their use of personal data that might affect MMST’s Notification.
Staff & volunteers
MMST staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.
Confidentiality
Scope
Confidentiality applies to a much wider range of information than Data Protection. Therefore, the following are likely to be confidential, but may well not be subject to Data Protection:
· Information about MMST (and its plans or finances, for example)
· Information about other organisations, since Data Protection only applies to information about individuals
· Information which is not recorded, either on paper or electronically
· Information held on paper, but in a sufficiently unstructured way that it does not meet the definition of a “relevant filing system” in the Data Protection Act.
Understanding of confidentiality
When working with all ages, including children, young people and the elderly, procedures from the MMST’s Safeguarding Policy are strictly followed.
Communication with staff
Staff and volunteers are informed and trained in their responsibilities, and about correct procedures regarding disclosure and access.
Security
Specific risks
Staff and volunteer contact details are not given over the phone.
Subject access
Responsibility
MMST ensures that subject access requests regarding the contact details held about an individual are handled within the legal time limit of 40 days.
Procedure for making request
Subject access requests must be in writing or via email. There is a clear responsibility for all staff to pass on anything which might be a subject access request to the appropriate person without delay.
Provision for verifying identity
Where the person managing the access procedure does not know the individual personally, identity is required and verified before handing over any information.
Transparency
Procedure
Data protection information is conveyed through:
· staff handbook
· newsletters
· initial interviews
· website
Consent
Forms of consent
Consent for MMST to use email addresses to send updates about events and activities can be given via email, in writing or by verbal consent, which is safely documented.
Opting out
Individuals are free to opt out of receiving email updates at any time via the website.
Withdrawing consent
MMST acknowledges that, once given, consent can be withdrawn, but not retrospectively.
Direct marketing
Underlying principles
Activities include providing information about donations, goods and services, and forthcoming and historic events.
Opting out
As individuals have the right to require their data not to be used for notification about the above activities, they are free to opt-out (via email, including from the website) at any time.
Electronic contact
Because of the Data Protection and Privacy (EC Directive) Regulations 2003, most electronic marketing (by phone, fax, e-mail or text message) either requires consent in advance or electronic consent.
Staff training & acceptance of responsibilities
Documentation
Procedures relating to Data Protection are maintained and documented.
Induction
All staff who have access to any kind of personal data have their responsibilities outlined during their induction procedures.
Continuing training
Data Protection issues are raised at opportunities including staff training, team meetings, supervisions, etc.
Policy review
Responsibility
MMST has responsibility for carrying out the next policy review.
Procedure
Dr C Robertson will consult with staff members with responsibility for complying with the Data Protection Act in the review.
Timing
The next major review will commence in Feb 2025 for 25 May 2025.