The Hymn Society of Great Britain and Ireland: Data Policy

Accountable Officer:
The Hymn Society of Great Britain and Ireland's Accountable Officer is Martin Leckebusch. He can be contacted through the Accountable Officer's contact form on the Contact Us page.

1.0 The Hymn Society of Great Britain and Ireland (HSGBI)

1.1 Registered charity no. 248225

1.2 Contact details:

1.2.1 Online, through the Contacts page on the website

1.2.2 Postally, via the Secretary, whose contact details are on the main paper publications produced by HSGBI

1.3 Web site: https://hymnsocietygbi.org.uk/

1.4 Employees: None

1.5 Leadership and governance structure:

1.5.1 Officers, elected by the membership: Executive President, Executive Vice President, Secretary, Treasurer, Bulletin Editor, Publicity & Communications Officer. The Officers are also Trustees of the Society[1].

1.5.2 Other elected members of Executive Committee

1.5.3 Other office holders appointed as required, for specific tasks (e.g. Website Coordinator, Conference Bookings Secretary, Gift-Aid Administrator, Pastoral Link Person) or to serve on sub-committees, some of which are ad-hoc (Publications Committee, Reserves Policy Working Party)

1.6 Supervisory Authority:

1.6.1 For data processing, the lead supervisory authority for HSGBI is the UK’s regulator, the Information Commissioner. Contact details for the Information Commissioner’s Office (ICO) can be found online.

1.6.2 ICO Registration: HSGBI has not registered with the ICO, following guidelines on the ICO website.


Footnotes
1. In the case of Executive Vice President, Bulletin Editor and Publicity & Communications Officer, subject to forthcoming changes to the Society’s constitution

2.0 Membership

2.1 Membership is open to individuals aged 18 and over, whether resident in the UK or not, on payment of the required subscription.

2.2 Institutional membership is open to academic institutions such as libraries, on payment of the required subscription.

2.3 Third parties: HSGBI has reciprocal membership agreements with equivalent (“partner”) societies in other parts of the world, allowing HSGBI members to choose, optionally, membership of one or more of these. At the time of writing these are as follows, but other societies may be added at the discretion of the Executive Committee:

2.3.1 HSUSC – The Hymn Society in the United States and Canada

2.3.2 IAH – Internationale Arbeitsgemeinschaft für Hymnologie (International Fellowship for Research in Hymnology, a European hymn society)

3.0 What data we process

3.1 The personal data processed by HSGBI is predominantly related to members and recent former members.

3.1.1 Some personal data is also processed by HSGBI in conjunction with third party relationships, usually reciprocal arrangements (e.g. as per item 2.3) or commercial arrangements (as per Section 4.6).

3.2 Collection of personal data:

3.2.1 Unless otherwise stated, personal data is collected from the individual concerned.

3.2.2 Where HSGBI membership is obtained through the reciprocal arrangements with HSUSC and / or IAH, details will be collected from that / those organisations rather than directly from the member, at the start of the period of joint membership.

3.2.3 Personal data may be collected from other sources when it has manifestly been made public by the individual concerned (for example, alongside the publication of an academic article or a creative work, whether online or in print).

3.3 An analysis of personal data collected and processed by HSGBI is as follows:

Basic membership details

Basic member details
  Data items: Name; Contact postal address[2]; Email address[3]
  When collected: Start of membership
  How used: Mailings to members (including brief details of new members – name / town or county)
  Legal basis for use: Performance of contract
  Retention: Duration of membership plus up to 2 years
  Updates: When advised by members; annual reminders as per payment of membership dues
  Third parties: Printers who distribute mailings; Partner societies (for joint membership)

Title
  Data items: Title (Mr, Mrs, Miss, Ms, Revd[4], Dr etc)
  When collected: Start of membership
  How used: Courtesy in mailings to members
  Legal basis for use: Personal data made public by data subject
  Retention: Duration of membership plus up to 2 years
  Updates: As above
  Third parties: Printers who distribute mailings; Partner societies (for joint membership)

Further member contact details
  Data items: Telephone number(s); Email address
  When collected: Start of membership, optionally provided
  How used: Additional member communications
  Legal basis for use: Subject consent
  Retention: Duration of membership plus up to 2 years
  Updates: As above
  Third parties: Partner societies (for joint membership)

Financial
  Data items: Bank sort code and account number
  When collected: Start of membership, optionally provided
  How used: Establish standing order for membership payments[5]
  Legal basis for use: Subject consent
  Retention: Only until standing order is established
  Updates: None
  Third parties: HSGBI’s Bank (see note[6])

Pastoral
  Data items: Miscellaneous news
  When collected: From general member contacts (data subject or other members)
  How used: To trigger pastoral contact; to circulate appropriate news and prayer requests to members
  Legal basis for use: Subject consent
  Retention: Duration of relevant pastoral dealings; deleted with other details on termination of membership
  Updates: Ad-hoc
  Third parties: None

Membership list

Contact details to be made available to other members
  Data items: Name; Contact postal address; Telephone number(s); Email address
  When collected: Start of membership, optionally provided
  How used: Inclusion in Directory of Members
  Legal basis for use: Subject consent
  Retention: Duration of membership plus up to 2 years
  Updates: When advised by members
  Third parties: None

Office holders' details

Further member contact details
  Data items: Telephone number(s); Email address
  When collected: When taking positions of responsibility
  How used: Additional contact between office-holders
  Legal basis for use: Legitimate interests of the Controller[7]
  Retention: Duration of holding office plus up to 2 years
  Updates: Annually
  Third parties: None

Photographs
  Data items: Individual photographs
  When collected: When taking positions of responsibility
  How used: Inclusion on web-site, to help identify office holders to the wider membership
  Legal basis for use: Legitimate interests of the Controller[8]
  Retention: Data items used to enable smoother running of HSGBI
  Updates: Ad-hoc
  Third parties: None

HSGBI offices held
  Data items: Past and present positions held in HSGBI
  When collected: When taking positions of responsibility
  How used: Inclusion on website; Society records
  Legal basis for use: Legitimate interests of the Controller[9]
  Retention: Permanent
  Updates: Ad-hoc
  Third parties: None

Candidate biography
  Data items: Brief biographical details
  When collected: When standing for election to office
  How used: To introduce candidates to voting members
  Legal basis for use: Personal data made public by data subject
  Retention: Up to 1 year
  Updates: Not required
  Third parties: None

Conference / event bookings

Attendee contact details[10] [11]
  Data items: Name; Postal address; Telephone number(s); Email address
  When collected: Event bookings
  How used: To meet attendee requirements at conferences
  Legal basis for use: Performance of contract
  Retention: 1 year after event, plus limited historical archive
  Updates: Not required
  Third parties: Conference venue hosts

Medical data[12]
  Data items: Special medical, dietary or mobility considerations
  When collected: Event bookings
  How used: To meet attendee requirements at conferences
  Legal basis for use: Performance of contract
  Retention: 1 year after event
  Updates: Not required
  Third parties: Conference venue hosts[13]

Photographic
  Data items: Individual or group photographs
  When collected: Ad-hoc, typically at conferences or other events
  How used: Inclusion in HSGBI publications including online and social media
  Legal basis for use: Subject consent (included in conference bookings)
  Retention: Permanent
  Updates: Not required
  Third parties: None

Financial

Financial details
  Data items: Bank account details
  When collected: When required for operational reasons (eg payment of expenses)
  How used: Payment of expenses[14]
  Legal basis for use: Subject consent
  Retention: For office holders, duration of holding office plus up to 2 years. For other members, up to 1 year
  Updates: When advised by member
  Third parties: HSGBI’s bank

Gift Aid
  Data items: Gift Aid declaration
  When collected: When Gift Aid declaration made
  How used: Claim Gift Aid for HSGBI
  Legal basis for use: Subject consent
  Retention: Up to 7 years, as per Gift Aid process
  Updates: If declaration nullified by member
  Third parties: HMRC

Publications (printed, online or oral)

Author or speaker biography
  Data items: Brief biographical details including photograph taken at Conference or event
  When collected: When submissions accepted for publication or when booked to speak at Conference or event
  How used: Provision of context with published material; background details on Conference or event materials
  Legal basis for use: Personal data made public by data subject
  Retention: Permanent
  Updates: Not required; updates may be made where appropriate
  Third parties: Printers who produce and distribute printed materials

Professional and academic
  Data items: External positions held, academic publications, awards, contributions to relevant literature or debate
  When collected: Ad-hoc
  How used: Inclusion in HSGBI publications including online
  Legal basis for use: Personal data made public by data subject
  Retention: Permanent
  Updates: Not required; updates may be made where appropriate
  Third parties: Printers who produce and distribute printed materials

Metadata

Consent details
  Data items: Subject consent as listed elsewhere in this table
  When collected: Initial gathering, May 2018; start of membership or other triggers as listed in this table
  How used: Management of other personal data
  Legal basis for use: Subject consent
  Retention: Duration of membership plus up to 2 years
  Updates: Subject request
  Third parties: None

Subject Access Request details
  Data items: Date of SAR; Response to SAR
  When collected: Ad hoc
  How used: Management of SARs and responses
  Legal basis for use: Subject consent
  Retention: Duration of membership plus up to 2 years
  Updates: Not required
  Third parties: None

Other / miscellaneous data

Various
  Data items: E.g. denominational affiliation (special category personal data – religious belief)
  When collected: Ad-hoc optional surveys
  How used: Analysis of membership spread and trends; enabling wider communication via members
  Legal basis for use: Legitimate interests of the Controller[15]
  Retention: As deemed appropriate but not more than 2 years from collection nor more than 1 year from completion of analysis
  Updates: Not required
  Third parties: None

Electronic data

Contact details: online purchasers
  Data items: Name; Contact postal address[16]; Email address
  When collected: When online purchase(s) (including membership subscriptions) made
  How used: To supply items purchased, either electronically or postally
  Legal basis for use: Performance of contract
  Retention: Membership: duration plus up to 2 years. Other purchases: up to 1 year from most recent purchase
  Updates: Membership: when advised by members; annual reminders as per payment of membership dues. Other: if advised by purchaser
  Third parties: PayPal[17]

Payment-related
  Data items: Transaction id; Product id
  When collected: When the website records or takes payments
  How used: Records payment method and purchase made
  Legal basis for use: Performance of contract[18]
  Retention: Up to 1 year from date of most recent purchase
  Updates: Not required
  Third parties: None

IP address
  Data items: IP address[19]
  When collected: At website logon
  How used: To clear member lockouts from the website
  Legal basis for use: Legitimate interests of the Controller[20]
  Retention: Superseded by subsequent logon; removed if membership ends
  Updates: Superseded by subsequent logon
  Third parties: None

Third parties[21] (non-members)[22]

Contact details: commercial organisations
  Data items: Name; Contact postal address; Telephone number(s); Email address
  When collected: When establishing or renewing contractual relationship
  How used: Managing relationship with third parties
  Legal basis for use: Legitimate interests of the Controller[23]
  Retention: Duration of commercial relationship plus up to 2 years
  Updates: Ad-hoc, when advised by third party
  Third parties: None

Contact details: online purchasers
  Data items: Name; Contact postal address[24]; Email address
  When collected: When online purchase(s) made
  How used: To supply items purchased, either electronically or postally
  Legal basis for use: Performance of contract
  Retention: Up to 1 year from date of most recent purchase
  Updates: If advised by purchaser
  Third parties: None

Historic records[25]

Contact details
  Data items: Names of former members; Title; Abbreviated address[26]
  When collected: Start of membership
  How used: Historic archive
  Legal basis for use: Legitimate interests of the Controller
  Retention: Permanent
  Updates: None
  Third parties: None

3.4 No personal data is gathered for children under the age of 16 except:

3.4.1 Children may attend Conferences or other events with a parent or guardian who is a member of the Society; in which case the minimum information required will be collected at registration, shared with event venue hosts as per their requirements, and deleted following the event.

3.4.2 Care will be taken not to include children in any photographs taken at such events.

3.5 Electronic personal data collected via the web site comprises:

3.5.1 Transaction ID: a unique number automatically generated by the membership and payments software; correlates to either Bank Transfer or PayPal payments made for membership subscriptions. Personal bank and PayPal payment data are not stored within the site.

3.5.2 Product ID: refers to the membership level we 'sell' (e.g. 1 year UK membership single, 5 year membership couple) or to the electronic or printed papers sold on the website.

3.5.3 IP Address: collected whenever a member logs into the website, and automatically updated should they log in from another IP address, with only the latest IP address kept on record. This is to facilitate the unlocking of the latest IP address should the member be locked out of the site. IP address use reminders are triggered when the site is accessed from a device which has not accessed the site in the previous month.

3.5.4 Cookies are used on the website for regular functions such as SSL and Google Analytics. Cookie use reminders are triggered when the site is accessed from a device which has not accessed the site in the previous month.


Footnotes

2. PO Boxes are acceptable, here and elsewhere in the table

3. Required if managing membership online. Postal management of membership is available as an alternative.

4. Special category personal data (religious belief) applicable for this and some other titles; but counted as made public by data subject so “subject consent” for use is not required

5. If member elects to pay by this means; alternatives are available

6. No financial details are passed to third party societies for joint membership

7. Data items used to enable smoother running of HSGBI, e.g. by enabling easier contact between office holders

8. Data items used to enable smoother running of HSGBI

9. Data items used to enable fuller record-keeping of the history of HSGBI

10. Partners of HSGBI members are welcome to attend conferences and other events, subject to providing the relevant booking details as for members. The same applies to carers required by members attending events.

11. Children do not normally attend Conferences or other events, but see Section 3.4.

12. Special category personal data (health)

13. It is assumed that conference venue organisations will have their own data handling policies and procedures in line with GDPR and other legal requirements, since conferences are held within the UK or Republic of Ireland. HSGBI will confirm this before entering contracts with such organisations.

14. Payment may also be made by cheque, in which case these details are not required.

15. Functioning of HSGBI organisation

16. Required only for membership or purchase of physical documents. Not required for electronic download purchases.

17. If PayPal is used, the purchaser’s email address is passed to PayPal to enable completion of the transaction. If membership payments are by bank transfer or standing order, the new member completes this transaction with their bank and no financial details are collected by HSGBI.

18. Data required to handle financial transactions (subscription payments or purchases) electronically

19. Only the most recently-used IP address is kept; see Section 3.5.

20. i.e., provision of website service to members

21. See Section 4.6.

22. For non-members attending Conferences and other events, see Conference / event bookings, above.

23. Functioning of HSGBI organisation

24. Required only for purchase of physical documents. Not required for electronic download purchases.

25. Historic records are aligned to the Society’s aim of furthering study and research in hymnody.

26. Usually town or county; not full address

4.0 How we process data

4.1 Data controllers and data processors – accountabilities and responsibilities

4.1.1 HSGBI is the Data Controller for personal data gathered by the society.

4.1.2 The Officers have accountability for compliance with GDPR and will agree on one of their number as nominated to have primary accountability (the Accountable Officer), whose name will be published on the website along with the Data Policy.

4.1.3 Limited subsets of data will be made available to individual office holders in accordance with the requirements of their office (e.g. the Conference Bookings Secretary will require data supplied for bookings). For these purposes, such office holders will constitute Data Processors and will be responsible for data handling and data protection of the subsets of data made available to them.

4.1.4 Office holders will not be permitted to hold personal data until they have been made aware of this policy, the associated procedures and their responsibilities in handling personal data on behalf of HSGBI, including:

  • Following instructions from the Accountable Officer for data handling
  • Maintaining confidence on the content of personal data
  • Keeping personal data secure
  • Assisting the Accountable Officer when individuals exercise their rights to access, rectify, erase or object to processing of data
  • Assisting the Accountable Officer as required with privacy impact assessments, security and data breach obligations
  • Notifying the Accountable Officer of any personal data breach
  • Being able to demonstrate compliance with their data processing and submitting to any required audits
  • Informing the Accountable Officer if aware that their actions may breach the law
  • Ensuring that any backups of data from their computers in which HSGBI data items are included (whether manual or automatic backups) are stored in accordance with the GDPR
  • Ensuring the deletion of any of the Society’s data from a device on which the office holder no longer intends to process that data (for example, a laptop being replaced)
  • Undergoing periodic “refresher training” in their responsibilities as Data Processors

4.1.5 The Officers will ensure that Data Processors are made aware of their responsibilities and provided with appropriate “refresher training” for their roles, as appropriate.

4.1.6 Any office holder who holds and processes data on behalf of the Society will, on leaving their position or ceasing to be a member of the Society, ensure that any personal data they have held on the Society’s behalf is deleted and that they confirm this to the Accountable Officer.

4.1.7 The Website Coordinator is responsible to the Officers for data handling and data protection on the website and associated backups. The Website Coordinator liaises with the Officers as required, and may attend the Executive Committee by invitation.

4.1.8 The Website Coordinator is responsible for ensuring that “best practice” is followed for all aspects of security on the HSGBI website and for confirming this at least annually, and also on request, to the Officers.

4.1.9 The Officers will ensure that the required resources are made available to the Website Coordinator to allow “best practice” security on the HSGBI website.

4.1.10 Third parties with whom the Society holds reciprocal or commercial relationships will also constitute Data Processors as appropriate for the data they hold on the Society’s behalf, as detailed elsewhere in this Data Policy.

4.1.11 Data Protection Officer: No DPO has been appointed.

4.2 Organisation of personal data

4.2.1 The following table summarises (by legal basis) the personal data held by HSGBI:

Performance of contract
  Basic member or purchaser details: Name; Contact postal address; Email address[27]
  Conference attendee contact details: Name; Postal address; Telephone number(s); Email address
  Medical data pertinent to conference bookings[28]: Special medical requirements; Special dietary requirements; Special mobility considerations

Subject consent
  Further member contact details: Telephone number(s); Email address
  Financial: Bank sort code and account number; Gift Aid declaration (if made)
  Contact details to be made available to other members via the Directory of Members: Name; Contact postal address; Telephone number(s); Email address
  Metadata: Subject consent, SARs, responses to SARs
  Photographic: Individual or group photographs taken at conferences or other events
  Pastoral: Miscellaneous news; Records of pastoral contacts (e.g. correspondence sent and / or received)

Personal data made public by data subject
  Title: Title (Mr, Mrs, Miss, Ms, Revd[29], Dr etc)
  Author or speaker biography accompanying published material: Brief biographical details
  Biography of candidate for election: Brief biographical details
  Professional and academic: External positions held, academic publications, awards, contributions to relevant literature or debate

Legitimate interests of the Controller
  Further member contact details[30]: Telephone number(s); Email address
  Photographs: Individual photographs of office holders
  HSGBI offices held: Present positions held in HSGBI
  Various: As required for ad-hoc surveys etc, e.g. denominational affiliation (special category personal data - religious belief)
  Historic records[31]: Titles, names and abbreviated address (town / county) of former members; Past offices held; Photographs taken at Conferences or other events

4.2.2 The following table lists the key repositories in which HSGBI holds personal data (excluding ad-hoc items such as voluntary surveys). A tick ✓ indicates that the document contains this item; a bold tick indicates that this document is the master entry for the data item.

Data items tracked for each document: Name; Title; Address; Telephone number; Email; Pastoral news and contact; Bank account; Gift Aid declaration; Individual photographs; Group photographs; Offices held - current; Offices held - historic; Medical items; Candidate biography; Author / speaker biography; Professional & academic; Metadata

Full membership list
  Document owner: Secretary
  Holders of other copies: Other Officers; Pastoral Link Person

Mailing list
  Document owner: Mailing List Administrator
  Holders of other copies: Secretary; Printers[32]

Directory of Members
  Document owner: Secretary
  Holders of other copies: Treasurer; Individual members with EEA addresses[33]

Pastoral Link Person’s notes
  Document owner: Pastoral Link Person
  Holders of other copies: None

List of members with joint membership[34]
  Document owner: Secretary
  Holders of other copies: Treasurer; Relevant “partner” societies

Subscription payments: non-electronic
  Document owner: Treasurer[35]
  Holders of other copies: HSGBI’s bank

Record of electronic payment
  Document owner: Website coordinator
  Holders of other copies: Secretary; Treasurer

Gift Aid processing
  Document owner: Treasurer
  Holders of other copies: HMRC

Office holders
  Document owner: Secretary
  Holders of other copies: Office holders

Election papers
  Document owner: Secretary
  Holders of other copies: Individual members (eligible to vote)

Website (and social media)
  Document owner: Website coordinator
  Holders of other copies: None

Conference and event bookings
  Document owner: Conference bookings secretary
  Holders of other copies: Secretary; Treasurer; Conference venues (as required)

Conference joining details[36]
  Document owner: Conference bookings secretary
  Holders of other copies: Secretary; Conference attendees

Historic records[37][38]
  Document owner: Secretary
  Holders of other copies: Members or other authentic researchers, generally on request

Published papers: Bulletin
  Document owner: Bulletin Editor
  Holders of other copies: Members (present and / or past) and other purchasers of relevant publication

Published papers: Occasional Papers
  Document owner: Convenor of Publications Committee
  Holders of other copies: Members (present and / or past) and other purchasers of relevant publication

Subject consent and SARs
  Document owner: Secretary
  Holders of other copies: Accountable Officer

4.3 Amendments to data items

4.3.1 The document owner for each document is responsible for maintaining the contents of that document, for recording who has copies of that document, and for notifying other document holders of any changes which are needed.

4.3.2 When changes to a data item are required, the owner of the document containing the master entry for that data item shall inform the owners of other documents containing the data item.

4.3.3 Where the legal basis for processing a data item is “subject consent”, the consent shall be recorded with the master entry for that data item. This consent need not be replicated in other documents containing the same data item.

4.3.4 Requests for changes to data items (including additions, deletions, corrections, withdrawal of consent and restrictions) shall be notified either in writing to the Secretary or through the website to the Website Coordinator. Whichever of these office holders is notified shall notify the other and the owner of the document containing the master entry of each affected data item.

4.3.5 Where data items have been designated as “permanent” (usually in published documents or for historical records, as in section 4.11 below) amendments and deletions will not normally be made.

4.3.6 Printed and widely distributed copies of documents (e.g., the Directory of Members or the Bulletin) will usually be designated “permanent”, and amendments and deletions to these copies will not normally be made. Apologies and corrections will be issued in subsequent versions as appropriate.

4.4 Storage and backup of personal data

4.4.1 Some data held by HSGBI is on computers owned by the Society and in the possession of office holders. Other subsets of data may be held on personal computers by office holders on behalf of the Society.

4.4.2 Where paper copies of data are retained, either as a transitional arrangement (e.g. paper membership forms still being processed) or as local backup copies, the office holder keeping these copies will be responsible for ensuring that they are kept securely, updated where appropriate and deleted when applicable, in accordance with the principles of the GDPR.

4.4.3 “Public cloud” storage will not be used for personal data held by HSGBI, except for data associated with HSGBI publications and already made public by the data subject, unless HSGBI have ascertained that the provision of such storage is GDPR-compliant.

4.4.4 Backup of data from HSGBI-owned computers will not use storage owned by third parties (“cloud” services) unless those parties are compliant with the GDPR.

4.4.5 Backups of the website are handled by the Website Coordinator as data processor. Website backups are retained, according to type, for up to 12 months. Commercial off-premise backup services (“cloud” services) will not be used without confirmation that the service provider complies with GDPR requirements. A local external hard drive is also used. Both backup locations are encrypted with restricted access to the secure keys.

4.4.6 Office holders who use their personal computers to hold HSGBI personal data must not allow this data to be backed up to storage owned by third parties (“cloud” services) unless they have satisfied themselves that those parties are compliant with the GDPR. If there is any doubt, the matter should be referred to the Accountable Officer who will advise the office holder.

4.5 Data protection

4.5.1 The data protection measures in place on the website, with particular reference to personal data collected or held on the website, include a current WAF (Web Application Firewall) that continually monitors the site for unwanted hacking and brute force attempts to access the website, backed up by security software that further secures the data on the site. Both components are kept up to date.

4.5.2 All data processors as identified above are responsible for ensuring that the data they hold is appropriately secured, with “best practice” followed for both computer security (including the use of suitably “strong” passwords, currency of anti-virus software, currency of firewalls, etc) and physical security (including the use of locked storage for printed materials, etc).

4.6 List of third parties: The third parties with whom HSGBI exchange data are:

4.6.1 Commercial printers, engaged to produce and distribute membership-wide mailings, for the sole purpose of addressing such mailings.

4.6.2 Commercial financial organisations including: banking institutions where the Society holds accounts; external examiners or auditors of the Society’s accounts; and insurance companies from whom the Society receives cover.

4.6.3 Equivalent societies with whom reciprocal arrangements exist for optional joint membership. No financial transactions are involved between the societies for these purposes. HSGBI will seek confirmation from such organisations that they are compliant with the GDPR (subject to its applicability) or with equivalent local legislation.

4.6.4 Commercial conference venues, for the sole purpose of enabling appropriate provision (including special provision relating to medical, dietary or mobility requirements) for those attending HSGBI conferences and other occasional events. These venues will be in either the UK or the Republic of Ireland and will usually be educational establishments, conference centres or hotels.

4.6.5 Individuals who are not HSGBI members but who purchase HSGBI publications through the website.

4.7 Interaction with commercial third parties:

4.7.1 HSGBI will seek confirmation from third parties within the EEA that they are compliant with the GDPR, as part of the initial or ongoing relationship with that third party.

4.7.2 HSGBI will seek details from third parties outwith the EEA of any equivalent regulatory regimes to which they are subject, as part of the initial or ongoing relationship with that third party.

4.7.3 In cases of joint membership arrangements with third parties, HSGBI will notify the third party within one month of becoming aware of any updates to personal data which need to be made, including corrections, additional data, deletion of data, restrictions or withdrawal of consent.

4.7.4 Similarly, when notified by a third party of changes to personal data arising as part of a joint membership arrangement, HSGBI will make the relevant changes and notify the third party within one month of receipt of the request.

4.7.5 Where membership of HSGBI is arranged through such a reciprocal arrangement, the new member will be made aware of their rights under the GDPR within one month of membership commencing.

4.8 Directory of Members

4.8.1 The Directory of Members includes contact details of all members who have agreed to be included in the Directory by means of Consent forms.

4.8.2 The Directory of Members is provided on request to members who have supplied postal addresses within the EEA.

4.8.3 Overseas data handling: the Directory of Members is provided to members who have supplied postal addresses in other countries at the discretion of the Officers and subject to the Officers being satisfied that arrangements in those countries satisfy the legal requirements placed on them by GDPR and other appropriate legislation.

4.8.4 The Directory of Members is supplied to members for members’ own use only, and in connection with HSGBI only.

4.9 Pastoral news: Subject to member consent (usually obtained at the start of membership), the Pastoral Link Person will respond to news of a member’s well-being to establish pastoral contact on behalf of HSGBI.

4.10 Retention periods: The retention periods and schedules for deletion of personal data have been based on the following principles:

4.10.1 Termination of membership usually occurs as a result of resignation of the member; death of the member; or lapse of membership through failure to pay membership fees. Removal of former members from membership lists (including the Directory of Members) is set at “up to two years beyond the end of membership” to simplify restoration of those whose membership lapses through non-payment. Where it is clear that membership has been terminated, data will be removed sooner, with an annual review of the currency of membership details.

4.10.2 Where an individual exercises their right to have their data deleted, this will be done within the statutory period. In these cases, if the member insists on the removal from HSGBI records not only of data optionally provided and / or gathered by consent but also of their name and contact address, this would effectively mean the termination of membership, and clarification that this is what is desired will be sought.

4.10.3 Data relating to office holders will be retained for up to two years after the term of office expires because in a number of cases an elected officer is eligible to be re-elected following a period of one year from the end of their term of service.

4.10.4 Financial details for office holders (where required, e.g. for paying expenses incurred on HSGBI business) will be retained as for other data (section 4.10.3 above) in the case of office holders who have opted to receive payment by cheque. Where an office holder has opted to receive electronic payments, the required details will be held by HSGBI’s bank (subject to the bank’s security controls) and accessed only when payments need to be made. Retention will be as per section 4.10.3 above.

4.10.5 Data required for conference bookings (including appropriate medical data) will be retained for one year after the relevant event, allowing some comparison with bookings for subsequent events.

4.10.6 Financial details of members other than office holders are gathered only to set up standing orders and are deleted once the standing order is established. Where membership is paid online, no financial details are gathered by HSGBI.

4.10.7 Gift Aid declarations are held as required for Gift Aid processing and are destroyed when no longer required.

4.10.8 When ad-hoc data is sought for specific purposes (e.g. membership surveys) and is voluntarily provided, an appropriate timeframe for processing and analysis will be determined by those arranging the data collection; this will be not more than one year from completion of any analysis and not more than two years from the initiation of data collection. After this period, this personal data will be deleted.

4.11 Historic records: The historic records kept by HSGBI form an archive in keeping with the Society’s aims of fostering study in hymnody; the following records are therefore retained permanently, and made available on request to members or to those conducting bona fide research into hymnody:

4.11.1 Names and titles of former members

4.11.2 Names, titles and abbreviated address (typically town or county) and photographs of attendees at past Conferences

4.11.3 Offices held within the Society, with dates

4.11.4 Formal minutes of Officers’ Meetings, Executive Committee Meetings, Annual General Meetings and similar gatherings

4.11.5 Previously published material, e.g. issues of the Society’s Bulletin containing authors’ biographical details

4.11.6 In addition, the Secretary’s Newsletter welcomes new members by name, title and abbreviated address (typically town or county).


Footnotes

27. Required if managing membership online. Postal management of membership is available as an alternative.

28. Special category personal data (health)

29. Special category personal data (religious belief) applicable for this and some other titles; but counted as made public by data subject so “subject consent” for use is not required

30. Applicable to office holders

31. See section 4.11

32. Mailing labels are supplied to the printers on an operational basis, per mailing, for immediate use but not for long-term retention.

33. Directory of Members supplied on request

34. One per organisation with whom reciprocal arrangements exist

35. Only until standing orders are established, then deleted

36. Partial data (e.g. town or county name) not full contact details

37. See section 4.11.

38. Partial data (e.g. town or county name) not full contact details

39. This data is occasionally issued to members for general historical interest and to allow for corrections of records where necessary

5.0 Policies and procedures

5.1 Data Policy: this document. The data policy and associated procedures were prepared in readiness for the introduction of the GDPR (General Data Protection Regulation) in 2018.

5.2 Access to information

5.2.1 The contents of the website are accessible via all devices that can access the internet (e.g. computer, tablet, smart phone, smart TV) and all information relevant to personal data (including Consent Notices, Privacy Notices and Subject Access Request notices) will be accessible from all of these.

5.2.2 Printed copies: all information relevant to personal data (including Consent Notices, Privacy Notices and Subject Access Request notices) will also be accessible in printed form, from the Accountable Officer.

5.3 Record keeping

5.3.1 All versions of this Data Policy and associated policies and procedures, including Consent Notices, Privacy Notices and Subject Access Request documentation, are numbered and include a record of their date of issue. A full historic set of such documentation will be maintained by the Accountable Officer.

5.3.2 All data items held on a legal basis of “subject consent” will be retained by the holder of the “master copy” of the relevant data item, with a record of the date when this consent was obtained. These records will be held for as long as the relevant data item is held for that person.

5.3.3 If an individual withdraws consent, a record of the withdrawal of consent including the date of the request will be retained for as long as any personal data is held for that individual, but with a minimum of two years from the date of the request. If this period extends beyond the membership of the individual, the individual will continue to be identified using the data gathered on the basis of “performance of contract” (i.e. name and contact address).

5.3.4 The historic record of data policies and procedures, together with the dated individual data items, will together form an audit trail of “subject consent” as given to HSGBI.

5.4 Subject Access Requests (SAR): in accordance with the GDPR, an individual has the right to raise a SAR to obtain a copy of their personal data as held by an organisation, provided without charge and within one month. For HSGBI:

5.4.1 The preferred methods for a SAR to be raised are either through the “contact us” section of our website or by writing to our Secretary.

5.4.2 Either the Website Coordinator or the Secretary shall, on receipt of a SAR, request the required information from all document owners, as per Section 4.2 of this document.

5.4.3 The response will be in either electronic or printed form (where possible, as requested on the SAR).

5.4.4 The response to the SAR will also draw attention to HSGBI’s Privacy Notices.

5.5 Data breach investigation and reporting: the GDPR defines a personal data breach as “breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” Where a breach results in a risk to the rights and freedoms of individuals with the likelihood of significant detrimental effects (including loss of confidentiality or significant economic disadvantage), the breach needs to be notified to the supervisory authority, with initial reporting within 72 hours of the data breach becoming apparent. Where there is a high risk of these outcomes, the individual(s) affected must also be notified directly. With this in mind:

5.5.1 Any data processor within HSGBI who becomes aware of a data breach must notify the Accountable Officer (ensuring receipt of notification is confirmed) within 18 hours of becoming aware of the breach, including providing basic details of the nature of the breach and the data which has been or may have been affected.

5.5.2 A third party data processor must follow the appropriate legislation governing their own data handling in making HSGBI aware of any such data breach. If the primary point of contact within HSGBI is not the Accountable Officer then that contact person must follow the procedure in Section 5.5.1 above.

5.5.3 The Accountable Officer must ensure that all other Officers are made aware of these details within a further 18 hours.

5.5.4 Where necessary, a discussion between the available Officers and the relevant data processor (or in the case of a breach at a third party, the HSGBI contact person and an appropriate representative of the third party) must be held within a further 18 hours. This discussion must allow the collation of known details of the data breach and lead to a decision of whether this data breach needs to be notified to the supervisory authority, following the guidelines in the GDPR.

5.5.5 If the Officers determine that the breach is notifiable, the Accountable Officer must gather the necessary data and report the data breach to the supervisory authority within a further 18 hours, thus meeting the 72 hour deadline.

5.5.6 If further details need to be provided to the supervisory authority, this must be done in a prompt manner, as required by the authority.

5.5.7 If the Officers determine that affected individuals need to be notified, this must be done in a prompt manner (i.e., where possible by email in preference to postal notification).

5.5.8 The Officers shall produce a full report of the data breach when all relevant details have been ascertained, whether the breach proved notifiable or not. All such reports will be held by the Accountable Officer.

5.5.9 Following any significant data breach, the Officers shall initiate a review of the HSGBI data policy and procedures, making any necessary amendments as a result of lessons learned.

5.5.10 The HSGBI website shall be configured so that any data breach detected by the relevant security software is notified to the Website Coordinator as soon as possible.

5.5.11 If a data breach affects the website, the Officers and Website Coordinator shall decide within 24 hours of detection of the breach whether it is prudent to take down the website until any necessary remedial action (e.g. patching or firewall upgrades) can be completed.

5.6 Data Protection Impact Assessments: the nature and scope of personal data handling by HSGBI makes the use of formal DPIAs unlikely to prove necessary. However, this will be reviewed as necessary, along with the data policy and other associated procedures.

5.7 Reviews of the data policy and associated procedures, to be conducted by the Officers and other persons as deemed necessary and appropriate by them, will be initiated:

5.7.1 Where necessitated by changes in relevant legislation

5.7.2 Where necessitated by changes in the scope, purpose or sphere of operation of HSGBI

5.7.3 After any significant data breaches by or affecting HSGBI

5.7.4 At least every three years if not previously initiated by one of the above reasons

5.7.5 In the light of any inaccuracies or discrepancies notified to the Officers or the Website Coordinator

5.8 Initial Implementation: ahead of the legal GDPR implementation (25 May 2018):

5.8.1 The Officers have agreed the content of the Data Policy (this document), Privacy Notices (based on section 6.0 of this document), Subject Access Request forms and a preliminary Consent Notice to be included in the April 2018 mailing to members (based on sections 7.0 and 8.0 of this document);

5.8.2 The Officers have appointed one of their number as the Accountable Officer for data handling;

5.8.3 The Officers will ensure the above documents and the name of the Accountable Officer are posted on the website.

6.0 Privacy Notices

6.1 Privacy notices will contain the following:

6.1.1 How does HSGBI handle personal data? Our processing of personal data is in line with the requirements of the GDPR which is part of UK and EU law.

6.1.2 How does GDPR say personal data should be handled? The principles of the GDPR assert:

  • that processing of personal data must be fair, lawful, transparent and secure;
  • that data will be used only in line with the purposes for which it was first collected;
  • that data will be kept up to date, with any necessary corrections made as quickly as possible;
  • that individuals will be identifiable within that data only while there is a legitimate reason to keep their data.

6.1.3 What rights does an individual have and how are they reflected in HSGBI’s processes? You have the following legal rights:

  • The “right to be informed” about how we process your data. This Privacy Notice provides that information. Further details can be found in our Data Policy, available on our website or on request from the Secretary.
  • The “right of access” to the data we hold, and to know how we are using it. You can raise a Subject Access Request if this Privacy Notice does not answer your questions.
  • The “right to rectification”: if the data we hold is incorrect, you can ask us to change it. Where we have shared that data with other organisations (for example, through our joint membership arrangements) we will ask for the relevant changes to be made there as well. Sometimes it may not be possible to correct the error in full – for example, if a mistake was printed in a mailing to all our members we may ask you to agree to an apology and a correction with the next mailing.
  • The “right to erasure”: if you feel we no longer need to hold some or all of your personal data you can ask us to delete it. This also covers data which we have gathered with your specific “consent” (usually given using a tick-box on either our website or a paper form); if for some reason you change your mind, you can ask us to stop holding and using that data. However, please note that sometimes this may make it impossible for you to remain a member of HSGBI (e.g., if you ask us to delete your address, we cannot send you our mailings). We may also choose to keep some details for HSGBI’s historical records (for example, to keep a list of the names of those who attended past conferences).
  • The “right to restrict processing”: if you think the data we hold is inaccurate or that we are processing it unlawfully, you can ask us to stop using your data until we have resolved this issue. We will note the restriction on our data and pass your request to any third parties as necessary.
  • The “right to data portability”: this is a new right, applicable to certain kinds of automated processing. Our only automated processing is the use of a mailing list to members. We do not provide automated data links from our IT systems to those of other organisations.
  • The “right to object” to us using your personal data for profiling, direct marketing and some types of scientific and historical research and statistics in a way which may affect you. HSGBI does not engage in any of this type of processing.
  • “Rights related to automated decision making and profiling”: as above, this is not something done by HSGBI.

6.1.4 What data does HSGBI collect, and how do we handle it? Full details of the data we collect and use, why legally we can process this data, and how long we keep it are found in sections 3.3 and 4.2 of our Data Policy, available from our website. We also only pass your data to other organisations when you ask us to (such as joint membership arrangements) or when we need to (such as mailing lists used by the printers who issue our mailings or special requirements at Conferences).

6.1.5 How can I raise any questions, concerns or requests (including Subject Access Requests) or ask for corrections to my data? You can either use the “contact us” section of our website or write to our Secretary.

6.1.6 What if I am not satisfied with the way you handle my personal data? GDPR-related data handling in the UK is overseen by the Information Commissioner’s Office, a government department, and you can complain to them if you feel it necessary.

7.0 Consent

7.1 Subject consent, where required by the GDPR, will be obtained at various points of data collection, whether by paper-based systems or online through the website.

7.2 At each point of data collection the following will also be highlighted: the individual’s rights under the GDPR; the location of the Privacy Notice, which includes those rights.

7.3 Consent provided at the start of membership: the following will apply, with tick-boxes on forms or web pages as appropriate:

7.3.1 The following relates to items of your personal data which you make available to HSGBI and your granting of consent to HSGBI to hold and to process that data.

7.3.2 To maintain your membership of HSGBI, we need your name and contact postal address (which may be a PO Box). If you take up membership through the website, we also need your email address. These details will be held for the duration of your membership and an administrative period of up to two years afterwards.

7.3.3 You may provide us with the following, with your agreement to store and use them: one or more telephone numbers; an email address (if not already provided). These details will be held for the duration of your membership and an administrative period of up to two years afterwards.

7.3.4 If you pay your membership subscription by standing order you may provide us with your bank account details, with your agreement to store and use them. These details will be held only until the standing order is set up. If you manage your membership subscription online, we will not collect this information at all.

7.3.5 A Directory of Members is available on request to individual members; this is not normally provided to members with addresses outside the EU, nor to institutional members (e.g. libraries). Your contact details will be included in this list only with your consent.

7.3.6 You may also choose joint membership with other societies (which will be named, with an indication if they are based overseas); if you choose this option, the personal details you have provided will be shared with those societies.

7.3.7 If you wish to withdraw any consent you previously granted as above, you may do so by contacting the Secretary, either in writing or via the “contact” section of the website.

7.3.8 A consent box will be included on the “contact” section of the website.

7.4 Consent provided when booking conferences or other events: the following will apply, with tick-boxes on forms or web pages as appropriate:

7.4.1 The following relates to items of your personal data which you make available to HSGBI and your granting of consent to HSGBI to hold and to process that data.

7.4.2 Where necessary, some or all of your booking details will be passed to the event organiser or venue (who will be named at the point of collection) whose handling of personal data is governed by the GDPR.

7.4.3 HSGBI will also keep your booking details for up to one year after the event; a historic record of event attendees (usually, name and town of residence) will be kept as a permanent record.

7.4.4 Photographs of either individuals or groups may be taken at the event, and used on our website or in other publications of a permanent nature. Please indicate that you are happy to be included in any such photographs. If you do not consent to this, every effort will be made to ensure that you are able to absent yourself when photographs are taken.

7.4.5 If you wish to withdraw any consent you previously granted as above, you may do so by contacting the Secretary, either in writing or via the “contact” section of the website. Please note, however, that this may mean it is no longer possible for HSGBI to process your event booking or specific requirements within that booking.

7.5 Office holders:

7.5.1 For the smooth operation of the Society, elected office holders are expected to make available (including in directories available to members) their telephone numbers and email addresses; to allow their individual photograph to be on the website; and to make financial details available when required to receive payments such as reimbursement of expenses incurred on the Society’s behalf.

7.5.2 The above data will normally be retained during the period of office and for up to two years afterwards; if, on ceasing to hold office, a member wishes to have these details removed earlier, they may contact the Secretary, either in writing or via the “contact” section of the website.

7.6 Renewal of consent and revalidation of data

7.6.1 Membership subscriptions are usually due annually, and along with subscription reminders all members will be reminded of the need to check their personal data and advise HSGBI of any changes. Members will also be reminded of the option to withdraw consent for inclusion in the Directory of Members.

7.6.2 Records of consent will be maintained along with other data collected at that point of data collection. The historic record of Consent Notices, together with the dated individual consents, will together form an audit trail of “subject consent” as given to HSGBI.

8.0 Consent Notices

8.1 Content of Preliminary Consent Notice – based on the following:

8.1.1 You may already have heard that Data Protection laws are due to change in May 2018 when the EU General Data Protection Regulation (GDPR) becomes part of the legal basis for handling personal data. As a result, the Hymn Society requires your active consent to keep and process some of the details we hold about our membership.

8.1.2 The data for which we now need your consent comprises the following items:

The table below lists each type of data, followed by why we need and how we use this data:
Further member contact details: telephone number(s), email address
  • To provide additional communications to members
Gift Aid
  • Gift Aid declarations (if applicable) for recouping Gift Aid for the Society
Pastoral information
  • To maintain pastoral support and contact – our Pastoral Link Person sends suitable greetings and good wishes to members known to be in need of such encouragement

  • To circulate appropriate news and prayer requests among Society members
Contact details to be made available to other members: name, contact postal address, telephone number(s), email address
  • To maintain the Directory of Members, available on request to individual members in the UK and EU

  • (Note: if you choose not to agree to this data use, you will still receive mailings but your details will be excluded from the Directory of Members.)
Photographic images taken during events
  • Individual or group photographs from Events may be included in HSGBI publications, both printed and online (including social media)
Office holders only: Financial details
  • To reimburse expenses incurred on Society business

8.1.3 What we need you to do now: in order for the Society to continue to keep and use your personal data as above, we need you to provide consent by 16 May 2018. (If you do not respond with this consent, we will no longer be able to hold or use the relevant data.) You can provide consent:

  • By using the form below and sending this to the Secretary
  • By using the online form on our website
  • Consent form details:

I agree to the following use of data by the Hymn Society:

  1. My telephone number(s) and email address(es), for contacting me on Society business and to offer appropriate pastoral support
  2. Inclusion of my contact details in the Directory of Members, as made available on request to individual members of the Society within the UK and the wider EU and for their personal use only
  3. Gift Aid declaration details, if applicable
  4. Office holders only: Financial details I have provided to the Society, for reimbursement of expenses incurred on Society business

8.1.4 You may change your decision on consent at any time by contacting the Secretary by post or through the contact page on the website. This applies either to withdrawing consent previously provided, or by providing consent previously withdrawn or withheld.

8.1.5 Other member-related data which we hold does not require specific consent, and is as follows:

The table below lists each type of data, why we need and how we use this data, and the legal basis for us to hold and use this data. Rows are grouped by legal basis.

Legal basis: “Performance of contract” (Without this data, the Hymn Society cannot maintain your membership of the Society or meet other requirements, e.g. for Conference bookings)

Basic member details: name, contact postal address; also (if you manage your membership online) email address
  • To maintain your membership (e.g. to send you mailings).
  • To prepare and send mailings including Bulletins and other notifications – includes working with third parties (our printers)
  • To manage reciprocal membership of HSUSC and / or IAH

Electronic data from our website: transaction id, product id
  • To keep records of online payments and purchases you make through our website

Conference booking details: additional contact details (telephone number(s), email address); medical data (e.g. dietary or mobility considerations)
  • Contact details gathered with Conference bookings: used to enable last-minute contact if necessary.
  • Medical details gathered with Conference bookings: used to enable attendee requirements to be met.
  • Appropriate details will be shared with Conference venues.
  • Individual or group photographs from Events may be included in HSGBI publications, both printed and online (including social media)
  • Note: medical details are legally counted as “special category personal data (health)”

Legal basis: “Legitimate interests of the Controller” (To enable the smooth running of the Society and / or to maintain historical records aligned to our aims)

For office holders: further contact details: telephone number(s); email address; also, individual photographs
  • To allow swifter contact between office holders
  • To maintain a historic record of who held office in the Society
  • To publish office holder photographs on our website

Ad-hoc information (e.g. denominational affiliation) arising from optional surveys
  • To help the functioning of the Society by enabling analysis of membership spread and trends and wider communication via members
  • Note: data in this category is provided optionally by members
  • Note: denominational details are legally counted as “special category personal data (religious belief)”

Electronic data: last-used IP address
  • To clear member lock-outs from the website, enabling the provision of website service to Society members

Historic records
  • Titles, names and abbreviated addresses (town / county) of former members

Legal basis: “Personal data made public by the data subject” (Details you have placed in the public domain)

Title (Mr, Mrs, Miss, Ms, Revd, Dr etc)
  • Courtesy in mailings to members

Brief biographical details of members standing for election to office
  • To introduce candidates to members eligible to vote

Brief biographical details including professional and academic details, awards, and contributions to relevant literature or debate
  • To provide context with published material in HSGBI publications including online
  • To provide introductions to speakers at Conferences or other events

8.1.6 You can find further details of the Hymn Society’s handling of personal data in the Data Policy and Privacy Notices which can be found on our website.