Compliant with GDPR, effective 25 May 2018
Date: 1 September 2022
Review date: 1 September 2024
Author: James Underwood, Chief Executive, West Sussex Music Trust
Trustee: Chairman of West Sussex Music Trust
Purpose of the policy
West Sussex Music Trust (the Trust) is committed to complying with privacy and data protection laws including:
1. The General Data Protection Regulation (“the GDPR”) and any related legislation which applies in the UK, including, without limitation, any legislation derived from the Data Protection Bill 2017;
2. The Privacy and Electronic Communications Regulations (2003) and any successor or related legislation, including without limitation, E-Privacy Regulation 2017/0003; and
3. All other applicable laws and regulations relating to the processing of personal data and privacy, including statutory instruments and, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office (“ICO”) or any other supervisory authority
(together “the Legislation”)
This policy sets out what we do to protect individuals’ personal data.
Anyone who handles personal data in any way on behalf of the Trust must ensure that we comply with this policy. The ‘definitions’ section of this policy describes what comes within the definition of ‘personal data’. Any breach of this policy will be taken seriously and may result in disciplinary action or more serious sanctions.
This policy may be amended from time to time to reflect any changes in legislation, regulatory guidance or internal policy decisions.
About this policy
The types of personal data that we may handle include, without limitation, details of pupils, parents, employees, candidates, contractors, suppliers and partners.
James Underwood is Chief Executive of the Trust and is responsible for ensuring compliance with GDPR. The Senior Leadership Team is responsible for day-to-day data protection matters and will be responsible for ensuring that all members of staff and relevant individuals abide by this policy.
Definitions
Business purposes
The purposes for which personal data may be used by us:
Personnel, administrative, financial, regulatory, payroll and business development purposes.
Business purposes include, but are not limited to, the following:
– Compliance with our legal, regulatory and corporate governance obligations and good practice
– Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
– Ensuring business policies are adhered to (such as policies covering email and internet use)
– Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
– Investigating complaints
– Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
– Monitoring staff conduct, disciplinary matters
– Marketing our business
– Improving services
|Data subjects||All living individuals about whom we hold personal data, for instance, an employee or a pupil. A data subject need not be a UK resident or UK national. All data subjects have legal rights in relation to their personal data|
|Personal data||‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data we gather may include: individuals’ phone number, address, email address, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.|
|Special categories of personal data||Special categories of data include information about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings, and genetic and biometric information — any use of special categories of personal data should be strictly controlled in accordance with this policy.|