Introduction

 

Crib Notes Choir is committed to respecting the privacy and confidentiality of all members, including vulnerable adults and children connected to the choir. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy outlines how the choir collects, stores, and shares personal information, ensuring that data is handled lawfully, fairly, and transparently.

 

Purpose of the Policy

 

The purpose of this policy is to:

• Explain how personal information is shared within the choir and with external parties.

• Ensure compliance with GDPR and other relevant data protection laws.

• Outline the rights of choir members regarding their personal data.

 

Scope

 

This policy applies to all choir members, staff, volunteers, and any third parties who may have access to personal information collected by the choir.

​

Crib Notes Choir collects personal data in the following ways: through our email address, our website, ticket bookings via our website or third-party booking systems, and through in-person sign-up forms or contact sheets at rehearsals and events. This policy applies to all personal data collected through these channels, whether online or offline.

 

Data Protection Principles

 

Crib Notes Choir adheres to the following GDPR principles:

1. Lawfulness, fairness, and transparency: Data must be processed lawfully, fairly, and in a transparent manner.

2. Purpose limitation: Data is collected for specified, explicit, and legitimate purposes.

3. Data minimisation: Only the data that is necessary for the intended purposes is collected.

4. Accuracy: Personal data must be accurate and, where necessary, kept up to date.

5. Storage limitation: Data is retained only for as long as necessary.

6. Integrity and confidentiality: Data must be processed securely to prevent unauthorised access, loss, or damage.

 

What Information Is Collected?

 

Crib Notes Choir may collect the following personal data:

• Contact details: Name, address, phone number, email.

• Medical information: Relevant health information for safety and safeguarding purposes. The lawful basis for processing medical information is either explicit consent (where you provide it) or a condition under the Data Protection Act 2018 where processing is necessary for health and safety purposes. We collect and process medical information to ensure we can respond appropriately if a member becomes unwell during choir activities and to make reasonable adjustments to keep you safe.

• Emergency contact information, including the name, phone number, and relationship of the contact. This allows us to communicate appropriately and effectively in the event of an accident or injury during choir activities. The lawful basis for processing this information is our legitimate interest in member safety and welfare. 

• Performance-related data: Photos, videos, and recordings for choir promotion (subject to consent as outlined in the Choir Terms and Conditions).

• Parents and guardians may provide an alternative emergency contact for their child if they wish. We retain this information to respond appropriately in the event of a medical emergency or safeguarding concern during rehearsals or events.

• Payment information: For choir fees, subscriptions, merchandise, or event bookings.

• Website user information: Including user journeys and cookie tracking.

 

Members must notify the Director of any changes to their personal data, including their emergency contact details, as soon as the change takes place.

​

Why Is Information Collected?

 

Personal data is collected for the following purposes:

• Communication: To keep members informed about choir activities, events, and rehearsals.

• Safeguarding: To ensure the safety and well-being of every member, especially children and vulnerable adults.

• Legal compliance: To comply with health and safety regulations, child protection laws, and GDPR.

• Marketing and promotion: With consent, as outlined in the Choir Terms and Conditions and ticket information for any public workshops and events, to use photos, videos, or recordings for publicity materials.

• Membership management: To keep accurate records of choir membership and subscriptions.

 

Lawful Bases for Processing

 

The lawful bases for processing personal data under GDPR include:

• Consent: Where specific permission has been granted for particular uses of data (e.g., photos, videos).

• Contractual necessity: Where processing is required for choir membership or event participation.

• Legal obligation: To comply with laws (e.g., safeguarding and child protection).

• Legitimate interest: Where processing is necessary for the operation of the choir and does not override individual rights.

• Vital interest: Where someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life-sustaining food, water, clothing or shelter.

• The lawful basis for processing medical information is either explicit consent (where you provide it) or a condition under the Data Protection Act 2018 where processing is necessary for health and safety purposes.

 

How Information Is Stored

​​

• Personal data is stored securely in physical or digital formats.

• Digital data is protected using password-protected systems and encrypted storage where necessary.

• Access to personal data is restricted to authorised personnel only, such as the Choir Director, choir administrators, and relevant staff.

 

Information Sharing

 

Internal Sharing:

• Personal information will only be shared with authorised choir staff and volunteers who require it to carry out their responsibilities.

• Medical information will be shared with relevant staff members only for safeguarding purposes during rehearsals, performances, or choir trips.
   

External Sharing:

• Personal information may be shared with third parties only when necessary, such as:

  • Emergency services in the event of an incident. Medical information will only be shared with emergency services or medical professionals in the event of a genuine medical emergency during choir activities.

  • Regulatory authorities if legally required (e.g., in the case of safeguarding concerns).

• Personal data will not be shared with third parties for marketing or promotional purposes without explicit consent.

 

Special Categories of Data:

• Sensitive personal data, such as health information, will only be shared if absolutely necessary for safeguarding purposes or legal compliance, and always in line with GDPR requirements.

 

Consent

 

For specific uses of personal data (e.g., taking photos, videos, or promotional materials), the choir will seek explicit consent from:

• Parents or guardians for children under the age of 18.

• Adults for their own data.

• You can request withdrawal of consent at any time by contacting Crib Notes Choir.

 

Parental Consent for Children

 

Children under the age of 13 may attend choir rehearsals and events with a parent or guardian. Where we collect personal data about a child (including name and any allergy or medical information necessary for their safety during choir activities), we require consent from the person with parental responsibility before processing that data. We collect medical information solely to ensure we can respond appropriately if a child becomes unwell or has an allergic reaction during rehearsals or events. This data is processed on the lawful basis of protecting vital interests and our legitimate interest in child safety. Parents or guardians may withdraw consent at any time by contacting us using the details at the end of this policy. We do not use children's personal data for marketing or promotional purposes.

​

Safeguarding

 

We are committed to the safety and wellbeing of children in our care. Where we have concerns about a child's welfare or safety, we may share relevant personal data with parents or guardians, and where necessary, with local safeguarding authorities, social services, or the police. This sharing is necessary to protect the vital interests of the child and is permitted under data protection law. We do not require consent to share information in these circumstances, as the child's safety takes precedence. Parents and guardians will be informed of any safeguarding disclosure unless doing so would put the child at further risk.

 

Withdrawal of Consent for Children's Images

 

Parents and guardians may withdraw consent for the use of children's images at any time by contacting us. Once we receive a withdrawal of consent, we will immediately stop using new images of that child for the purposes covered by the withdrawn consent.

​

If consent is withdrawn for public promotional use, we will not create new marketing materials using the child's image. However, we are not obliged to remove images that have already been published or to delete images from our archives, provided those images were published with the original consent.

If consent is withdrawn for all uses, we will cease all processing of that child's images and, where reasonably practicable, delete them from our systems. Images that are part of printed materials or have been widely distributed may not be retrievable.

​

Parents and guardians should note that withdrawal of consent does not affect the lawfulness of processing that took place before the withdrawal.

 

Data Retention

​​

• Personal data will only be retained for as long as necessary to fulfil the purposes for which it was collected or as required by law. 

• For choir members this will be as long as the individual remains a member and up to 3 months after, to allow membership to be wound up. The exception to this is media taken during rehearsals and events, which may be kept and used indefinitely unless consent is withdrawn. 

• For individuals who join the mailing list this will be until/unless they choose to unsubscribe, which they can do at any time.

• For individuals who contact us with questions or who book taster, workshop and event tickets, this will be until the event has passed or the questions has been answered, and up to one month after. 

​

Retention Periods:

​​

• Contact information: Kept for the duration of choir membership and deleted within 3 months of membership ending.

• Medical information: Kept for the duration of participation in choir activities and deleted within 3 months of membership ending.

• Photos/videos: Retained for marketing purposes unless consent is withdrawn. If you withdraw consent, we will cease all marketing use of your images from that date. We are not obliged to delete images already published or to purge our archives, but we will not create new marketing materials using your likeness.

 

Breach Notification

 

In the event of a data breach that poses a risk to individual rights and freedoms, the choir will:

• Notify the affected individuals without undue delay.

• We will report the breach to the ICO only if it poses a high risk to your rights and freedoms. Where we do report, we will do so without undue delay and in any event within 72 hours of becoming aware of the breach.

 

Data Subject Rights

 

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the Information Commissioner's Office (ICO) website https://ico.org.uk.

​

Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

• Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. You can read more about this right here.

• Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here.

• Your right to erasure - You have the right to ask us to delete your personal information. You can read more about this right here.

• Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. You can read more about this right here.

• Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right here.

• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. You can read more about this right here.

• Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. You can read more about this right here.

 

If you make a request, we must respond to you without undue delay and in any event within one month. We may extend this period by up to two months for complex or numerous requests, in which case we will inform you of the extension and the reasons for it.

​

Website Cookies and Analytics

 

Our website uses cookies to improve your browsing experience and to gather information about how the site is used. Cookies are small text files stored on your device that help us understand visitor behaviour and site performance. We use analytics tools to collect non-personally identifiable information about page visits, user journeys, and traffic sources. Analytics cookies are non-essential, which means we must obtain your consent before they are activated on your device. We also use essential cookies (for example, to remember items in your shopping basket or to enable secure login functionality). Essential cookies do not require consent as they are necessary for the website to function properly. By continuing to use our website, you consent to the use of non-essential cookies. You can withdraw consent or manage your cookie preferences at any time by adjusting your browser settings or by clicking the cookie banner on our website. If you disable non-essential cookies, some features of the website may not work as intended, but core functionality will remain available.

 

Automated Decision-Making

 

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects.

 

How to Exercise Rights: 

 

Members can exercise these rights by contacting Crib Notes Choir at:

• Email: cribnoteschoir@gmail.com 

 

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the bottom of this privacy notice.

​

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

​

The ICO’s address:           

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

 

Review and Monitoring

 

This policy will be reviewed annually to ensure compliance with GDPR and any other relevant legislation. Any updates will be communicated to all choir members.

​

Last updated: 01/04/26
Version: 2

 

Contact Information

 

For any queries regarding this policy or data protection matters, please contact Louise Salmon (Eekelaar) at cribnoteschoir@gmail.com