Annie Mawson’s Sunbeams Music Trust
Overarching responsibility for the activities at Sunbeams lies with the Board of Trustees.
The data protection officer is the staff member with responsibility for this policy.
Who this policy applies to
Everyone who works for or with Sunbeams has the responsibility for ensuring data is collected, stored, handled and used appropriately.
The type of personal information we collect
Personal data or personal information means any information about an individual from which a person can be identified. We currently collect and process the following information:
- Names of individuals
- Postal and email addresses
- Telephone numbers
- Any other information relating to individuals which the donor/beneficiary themselves chooses to share
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by individuals for one of the following reasons:
- Donating (donations made by phone, post or direct debit/standing order. Online donations go through Just Giving, PayPal or CAF)
- Signing up for events
- Signing up for training
- Hiring of rooms
- Parents/guardians of beneficiaries signing up for Sunbeams Music For Life® and Music For Dignity®.
You may give us personal data through our website, for example via an online contact booking; Facebook or Twitter; phone; post; email or otherwise. It is in the interest of every individual, and their own responsibility, to review the privacy and data policy of any website they visit.
We use the information that individuals give us in order to:
- Deliver Sunbeams objectives (outlined in this policy)
- Communicate fundraising activities/events/concerts
- Contact beneficiaries regarding Sunbeams programmes/holiday group activities
- Provide information on our services, e.g. hiring of rooms/recording studio
We do not share personal data with third parties unless consent is given by individuals. Consent can be withdrawn at any time by contacting the data protection officer at Sunbeams. UK law may sometimes require us to share information, for example for safeguarding reasons, and in those cases we would be required by law to share it.
We keep your personal data for as long as necessary to fulfil the purposes we collected it for; or if an individual validly exercises his or her right of erasure, the personal data will be securely deleted at that point. The rights and duties related to data storage include that we should not store data that is unnecessary. Data is also stored for a limited period. This means:
- If someone informs us of a change in circumstances, previous data on the former circumstances will be deleted
- If we become aware that someone has moved from their old address, changed email address, changed names etc we will amend the data we hold accordingly
- If we have not heard from someone within a reasonable time (say 3 years), we may ask for confirmation that that person still wishes to receive information from us, or simply delete the data
- If you leave a comment on our website, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
- For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
How your data is used is protected by law and we only use your data where we have an acceptable reason for doing so.
Under the GDPR, the lawful bases we rely on for processing this information are:
- Your consent.
  - An individual is able to remove consent at any time. They can do this by contacting the data protection officer – email firstname.lastname@example.org or telephone number 01768 892909
- We have a contractual obligation
  - For example, contracts with individual musicians who deliver music therapy to our beneficiaries
- We have a legal obligation
  - In certain circumstances we can disclose personal data to law enforcement agencies without the consent of the data subject
- We have a legitimate interest
  - In a way which might reasonably be expected as part of running a charity
- We have a public interest
  - The processing is necessary for us to perform a task in the public interest, for example take up contracts for third parties like Government
- We have vital interests
  - The processing is necessary to protect someone’s life
We rely on the lawful bases to support us in delivering Sunbeams’ objectives:
Sunbeams’ key objectives are to relieve sickness and assist in the treatment of children and adults who are suffering physically, emotionally, psychologically and mentally by the provision of music therapy and to provide introductory music therapy training to individuals working with such persons.
Our legitimate interests
GDPR allows Sunbeams to collect and process individuals’ personal data if necessary to achieve our legitimate interests.
Where Sunbeams processes personal data in reliance on legitimate interests, we consider and balance any potential impact on individuals and their rights under data privacy law and will not process personal data in reliance on this lawful basis where relevant legitimate interests are overridden by the impact on relevant individuals.
In order to achieve our legitimate interests, we rely upon the support of our donors, volunteers, supporters and business contacts.
For example, when an individual donates money to Sunbeams as a donor, we have a legitimate interest in processing and retaining their data and in sending them information about our fundraising activities.
Another example of our legitimate interests is when musicians, volunteers, staff and others involved in the organisation leave, they will be asked about their contact details remaining on the database for future opportunities, marketing and organisational news updates. The individual has the right to request their details be removed.
An individual will always have the opportunity to opt out of receiving any messages from Sunbeams or to exercise any of their legal rights.
Data processed with your Consent
Where we use consent as our lawful basis for processing an individual’s data or process special categories of their data on the basis of their explicit consent, the individual has given clear consent for us to process their personal data for a specific purpose. They have the right to withdraw their consent at any time.
Social Media and Media
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Internal Database Records and Image Archive
Personal data is held in Sunbeams’ internal database and is used solely to enable Sunbeams and the staff to achieve the Sunbeams objectives, held for contractual or legal obligations, in line with our legitimate interest qualifier or with your explicit consent. The information on our database is for internal use only, is protected in line with our data protection policy and will not be shared with any external people or organisations without an individual’s clear permission.
GDPR gives people rights over their data.
The eight rights are:
- The right to be informed
  - An individual has the right to be informed about the collection and the use of their personal data. This is a key transparency requirement under GDPR
- The right of access
  - An individual has the right to ask us for copies of their personal information. This is known as a subject access request. We follow the Information Commissioner’s Office (ICO)’s “subject access code of practice” when dealing with requests.
- The right to rectification
  - An individual has the right to request that inaccurate and incomplete data that we hold about them is corrected.
- The right to erasure
  - An individual has the right to ask us to erase their personal information in certain circumstances
- The right to restrict processing
  - An individual has the right to ask us to restrict the processing of their personal information in certain circumstances
- The right to data portability
  - An individual has the right to ask that we transfer the personal information they gave us to another organisation, or to us in certain circumstances
- The right to object
  - An individual has the right to object to processing of their personal information in certain circumstances
- Rights in relation to automated decision making and profiling
  - This is not currently relevant to the charity but we recognise our legal obligation under the GDPR rules
If our processing of an individual’s personal data relies on their consent, they also have the right to withdraw their consent at any time and the right to ask for their personal data to be transferred to another organisation (data portability). They are not required to pay any charge for exercising their rights. If an individual makes a request, we have one month to respond to them. To make a request, please contact the data protection officer, email – email@example.com or telephone 01768 892909.
In summary, different lawful bases give different rights to individuals. For example, if we rely on consent as a lawful basis, individuals have stronger rights to have their data deleted. For more information or to exercise an individual’s data protection rights please contact our data protection officer.
An individual can set their browser to refuse all or some browser cookies, or alert them when websites set or access cookies. To learn more about cookies and how to control them visit www.AboutCookies.org.
Here is a list of cookies currently on our website, why we use them and how long they will last:
If you leave a comment on our website you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Data security arrangements
The security of personal data is paramount to Sunbeams. We ensure that appropriate technical and organisational measures are in place to protect it and these are outlined in the Sunbeams data protection policy.
If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.
Sunbeams is committed to keeping all its data secure at all times. In the event of being informed of a data breach, we will move swiftly to work with our IT partner to remedy the situation and will contact those affected.
Our Contact Details
Annie Mawson’s Sunbeams Music Trust
Sunbeams Music Centre
Phone number: 01768 892909
Email address – firstname.lastname@example.org
You can also complain to the ICO if you are unhappy with how we have used your data. We would however appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
The ICO address:
Information Commissioner’s Office
Telephone: 0303 123 1113
ICO website: https://www.ico.org.uk
This document is reviewed regularly and was last updated on 22 October 2020.