The Music Education Partnership Group has published the following documents to support good data protection practice and to comply with current Data Protection Law.
WHO WE ARE
The Music Education Partnership Group (MEPG) is a charitable organisation (SC050352) forming a network of music-based organisations across Scotland. MEPG advocates for the life-long benefits of music education, enriched by singing and playing, for the people of Scotland.
MEPG will process your personal data to provide you with MEPG services. Our Data Protection lead can be contacted at email@example.com
HOW WE LOOK AFTER YOUR DATA
We will comply with data protection law which means your personal data will be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specific, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and up to date
5. Kept in a form which could identify individuals for no longer than is necessary and securely deleted thereafter
6. Processed in a manner that ensures appropriate security of the personal data.
HOW WE COLLECT YOUR DATA
We collect personal information about you in order to create and maintain adequate records in relation to your interactions with the MEPG. We will collect and process personal information directly from you, or from an authorised third party, for example, a parent or guardian enrolling their child on an MEPG event.
HOW YOUR DATA IS USED
Your data is used by us for a number of interdependent purposes. These can include:
· sending you publications (e.g., newsletters, event guides and updates about MEPG/SIMTN)
· administering tickets and audience communications
· conducting surveys and research on when and whether particular events, donations or funding appeals may be of interest to you
· sending you tailored proposals, appeals and requests for support/donations
· inviting you to MEPG events
· the promotion of other opportunities and services available to you
· internal record keeping, including the management of any feedback or complaints
· administrative purposes (e.g., to administer an event you have registered to attend or in order to process a donation you have made)
· sending you information on SIMTN and other MEPG learning opportunities
· Ensuring adequate health, safety & security measures are in place while you are visiting MEPG premises
WHY WE PROCESS YOUR DATA
As a data controller, MEPG will process your personal data under the provisions of the UK General Data Protection Regulation (UK GDPR) and subsequent legal provisions. In particular, we will process your data most commonly under the following circumstances:
- Where we need the data to fulfil our contract to you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation.
- With your explicit consent. For any situation where we will be using your data for any further purpose, we will not do so without your explicit consent. Your consent will always be asked for freely and will involve a positive “opt-in” from you.
We may also collect and process certain “special category” data, such as:
- Information about your health, including any access issues you may have. This is to allow us to ensure that you have the best experience possible when visiting our premises.
If we collect special category data about you, we will have safeguards and justification in place to allow us to process and store that data securely.
IF YOU DO NOT PROVIDE US WITH PERSONAL INFORMATION
If you do not provide us with the personal information we ask for, we may not be able to perform all or part of the contract we have entered into with you (for example, sending you information regarding events or training opportunities).
It is also important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes or you would like to make any changes.
PROTECTING YOUR PERSONAL INFORMATION
We have in place appropriate security measures to prevent your personal information from being accidently lost, used, accessed, altered or disclosed in an unauthorised way. We limit access to your personal information to those employees and third parties who have a business need to access your data. This applies equally to paper and electronic records. We have in place procedures to deal with any security breaches and will notify you and the regulator of any suspected breach where we are legally required to do so.
We may share your personal data with approved third parties (for example mailing services). All our third-party service providers are required to afford you the same level of personal information data security as the RCS. These third parties will only process your information at our instruction and that processing will be limited to the agreed specified purposes.
HOW LONG WILL WE HOLD YOUR PERSONAL INFORMATION
We will only retain your personal information for as long as it is necessary to fulfil the purposes for which we collected it and to fulfil any legal, financial, accounting or reporting requirements. The MEPG Record Retention Schedule (RRS) sets out the maximum amount of time that we keep different types of records and applies to records in whatever form they are held (paper, electronic etc.). It supports our staff to comply with data protection law that requires us to keep records forno longer than necessary.
You have a range of rights under data protection legislation. You have the right to:
· Be informed: about the collection and use of your data
· Access: your personal information (commonly known as a “subject access request”)
· Rectification: if information we hold about you is wrong, please ask us to correct it
· Erasure: you can ask us to delete information about you
· Restrict Processing: you have the right to ask us to restrict or suppress the processing of your information
· Data portability: allows you to move, copy or transfer your data easily from one IT environment to another
· Object to our processing where we rely on a legitimate interest (or those of a third party) and you object
Please note that you also have rights regarding automated decision making and profiling, however, MEPG does not make any use of any automated decision making or profiling tools. If this changes, we will let you know.
Please get in touch with us if you have any questions about any aspect of this Privacy Notice, and in particular if you would like to exercise any of your rights as outlined above.
We take your privacy very seriously. You can contact us at: