EMI Archive Trust data protection policy

  1. Introduction

This Data Protection Policy is an internal document which sets out the principles that EMI Archive Trust (“we”, “our”, “us”, “the Trust”) must comply with when using Personal Data, and the practical steps that we take to apply those principles. 

This policy applies to everyone who works for or on behalf of the Trust, including our trustees, staff and any volunteers we may work with from time to time (“Trustee Personnel”). 

Failing to comply with our data protection obligations could have serious consequences, including claims against the Trust by Data Subjects, fines imposed by the Information Commissioner, and damage to our reputation.

In this policy some commonly used data protection phrases are capitalised. Those phrases are defined in the Glossary at the end of this policy.

  1. Personal Data

‘Personal Data’ is any information relating to a living individual who can be directly or indirectly identified. An individual could be identified by reference to a name, identification number, location data, or an online identifier, or one or more factors specific to that individual’s physical, mental, economic, or social identity.

Information will be Personal Data if the individual can be identified directly, or if the individual could be indirectly identified by combining the information with other information.

The meaning of Personal Data is broad, and it is important to remember that simply deleting an individual’s name from a set of data will not necessarily stop the data from being Personal Data. Even without the name, the data may still contain enough information to single-out the individual.

The following types of Personal Data are known as ‘special category data’: information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health information, sex life or sexual orientation. We do not normally process those types of data, but if we do in future there are additional data protection requirements we must comply with.

  1. Sources of our data protection obligations

Our data protection obligations are set out in the UK General Data Protection Regulation (‘UK GDPR’), the Data Protection Act 2018 (‘DPA’), and the Privacy and Electronic Communications Regulations 2003 (‘PECR’). The Information Commissioner publishes guidance which we should also take into account.

  1. Personal Data protection principles

We must adhere to the following principles set out in the UK GDPR which require Personal Data to be:

  1. processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency); 
  2. collected only for specified, explicit and legitimate purposes (Purpose Limitation);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation); 
  4. accurate and where necessary kept up to date (Accuracy);
  5. not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation);
  6. processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality);
  7. not transferred to another country without appropriate safeguards being in place (Transfer Limitation); and
  8. made available to Data Subjects and allow Data Subjects to exercise certain rights in relation to their Personal Data (Data Subject’s Rights and Requests).

We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).

  1. Lawfulness, fairness, transparency

Personal data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

Our Processing of the Personal Data will only be lawful if it is based on one of the conditions set out in Article 6 of the UK GDPR. This is known as having a ‘lawful basis’ for the Processing.

The conditions which will usually apply to our Processing are:

  1. the Data Subject has given his or her Consent;
  2. the Processing is necessary for the performance of a contract with the Data Subject;
  3. the Processing is necessary to meet our legal compliance obligations; or
  4. the Processing is necessary to pursue our legitimate interests where those interests are not overridden by the interests or fundamental rights and freedoms of Data Subjects. The purposes for which we process Personal Data for legitimate interests need to be set out in applicable Privacy Notices.

Our Privacy Notice sets out the lawful basis that we rely on for each of the ways we currently use Personal Data. 

Whenever we start using Personal Data for a new purpose we must consider whether there is a lawful basis for using the Personal Data for the new purpose, and we must update our Privacy Notice to reflect that.

  1. Consent

A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters. 

Data Subjects must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honoured. Where we intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented, we will consider whether Consent needs to be refreshed. 

  1. Transparency (notifying Data Subjects)

The UK GDPR requires Controllers to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. The information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.

If we collect Personal Data directly from an individual then we must provide our Privacy Notice at the time we collect the data. If we receive Personal Data from another source then we must provide our Privacy Notice to the individual within a month, or when we first communicate with the individual, or when we first share the data with a third party (whichever is soonest).

We can provide a copy of the Privacy Notice either by giving the individual a copy or by providing an easy way to access it, for example a prominent link to the Privacy Notice on our website.

We will display our Privacy Notice on our website separately from the Universal Music Group website privacy notice.

  1. Purpose limitation 

Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes. 

If we hold personal data and decide to use it for a new purpose we must consider whether the new purpose is compatible with the purpose for which we originally obtained it. When deciding whether the new purpose is compatible we should consider whether there is an obvious connection between the new purpose and the original one, and whether the Data Subjects would expect us to use the data for the new purpose.

  1. Data minimisation

Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed. Before we start collecting new data we must consider whether we really need the data to achieve our objectives. If we do not need the data we should not collect it.

  1. Accuracy

Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

We ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. We take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

  1. Storage limitation

Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.

We take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require. This includes requiring third parties to delete that data which they hold on our behalf, where applicable. 

  1. Security integrity and confidentiality

Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.

We will assess our information risk to help us determine what measures are appropriate. In doing so we will consider factors such as:

  1. how much Personal Data we hold and the way we use it (for example, processing operations which involve the use of innovative technology, data matching, or tracking an individual’s behaviour (whether online or otherwise) are likely to result in high risk);
  2. how valuable, sensitive or confidential the Personal Data is;
  3. the nature and extent of the damage or distress that may be caused if the data was compromised (i.e. discrimination, identity theft or fraud, financial loss, reputational damage etc.); and
  4. the nature and extent of our premises and computer systems. 

We will develop, implement and maintain safeguards appropriate to our size, scope and available resources, the amount of Personal Data that we own and identified risks. 

We maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

  1. Confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it;
  2. Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed; and
  3. Availability means that authorised users are able to access the Personal Data when they need it for authorised purposes. 

Everyone who works for and on behalf of the Trust must take appropriate steps to keep the Trust’s data secure. 

The computers and other devices which we use to process Personal Data should be protected by:

  1. strong passwords, which are not shared between different users;
  2. up-to-date anti-virus software;
  3. ensuring that operating systems and other software are kept up-to-date;
  4. safe physical storage to protect them from theft.

The Trust’s IT systems are provided by Universal Music Group as part of its support for the Trust. Wherever possible, trustees should use the Trust’s own IT systems to process Personal Data so that the data is protected by the security measures built into those systems. Where trustees need to use their personal computers and/or devices to process Personal Data for the Trust, those computers and/or devices should be protected by the measures set out above. Trustees should delete Trust data from their personal computers and devices when they no-longer need to access the data.

  1. Reporting a Personal Data Breach

The UK GDPR requires the Trust to notify Personal Data Breaches to the Information Commissioner and, in certain instances, the Data Subject. If you suspect that a Personal Data Breach has happened you should report it as soon as possible to the EMI Archive Trust’s Chair. If a breach occurs it is essential that we take swift action to investigate and resolve the situation, in order to minimise the risks to individual Data Subjects and to the Trust.

A Personal Data Breach must be reported to the Information Commissioner unless the breach is unlikely to result in a risk to the individuals whose Personal Data is involved. When assessing the risk we must consider all the circumstances, including the sensitivity of the data involved and the potential consequences for the individuals involved. Potential consequences could include distress or embarrassment for the individual, as well as risks such as identity theft if data falls into the wrong hands. If in doubt about the requirements to notify the Information Commissioner we will use the self-assessment tool on the Information Commissioner’s website and/or seek legal advice.

If a Personal Data Breach has to be reported to the Information Commissioner then we must report it without undue delay and, where possible, within 72 hours of becoming aware of the breach.

A Personal Data Breach must be reported to the individuals whose data is involved if it is likely to result in a high risk to those individuals. In that situation we are required to notify the individuals without undue delay. 

  1. Transfer limitation 

The UK GDPR restricts data transfers to countries outside the UK to ensure that the level of data protection afforded to individuals by the UK GDPR is not undermined. 

We may only transfer Personal Data outside the UK if one of the following conditions applies:

  1. the UK has issued regulations confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subject’s rights and freedoms; 
  2. appropriate safeguards are in place such as standard contractual clauses approved for use in the UK;
  3. the Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or
  4. the transfer is necessary for one of the other reasons set out in the UK GDPR including the performance of a contract between us and the Data Subject, to establish, exercise or defend legal claims and, in some limited cases, for our legitimate interest.
  5. Data Subject’s rights and requests

Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:

  1. withdraw Consent to Processing at any time;
  2. receive certain information about our Processing activities;
  3. request access to their Personal Data that we hold;
  4. prevent our use of their Personal Data for direct marketing purposes; 
  5. ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data; 
  6. restrict Processing in specific circumstances;
  7. challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;
  8. request a copy of an agreement under which Personal Data is transferred outside of the UK; 
  9. be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms; and
  10. make a complaint to the Information Commissioner.

Any trustee or member of staff who receives a request of this kind from a Data Subject should pass the request to the Chair of the EMI Archive Trust, who will co-ordinate the response. The usual time limit for the Trust to respond to the request is one month from the date of the request, so it is important that we recognise such requests when we receive them and act on them promptly.

There are no formal requirements that Data Subjects must follow when asking to exercise these rights. In particular, it is not necessary for them to refer us to the relevant legislation. 

If the identity of the person making a Data Subject request is unclear then we should ask that person for proof of identity before providing any Personal Data to them.

  1. Record keeping

The UK GDPR requires us to keep full and accurate records of all our data Processing activities. 

We must keep and maintain accurate records reflecting our Processing including records of Data Subjects’ Consents and procedures for obtaining Consents.

These records include, at a minimum, the name and contact details of the Controller, clear descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place. 

The Trust has decided to use the template record of processing published by the Information Commissioner. Our record of processing is maintained by Joanna Hughes.

  1. Training and audit

We are required to ensure all Trust Personnel have undergone adequate training to enable them to comply with data privacy laws. We must also regularly test our systems and processes to assess compliance. 

  1. Data Protection Impact Assessment

The Trust must conduct a data protection impact assessment (‘DPIA’) when implementing major system or business change programs involving the Processing of Personal Data including:

  1. use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes); and
  2. large-scale, systematic monitoring of a publicly accessible area.

A DPIA must include:

  1. a description of the Processing, its purposes and the Controller’s legitimate interests if appropriate;
  2. an assessment of the necessity and proportionality of the Processing in relation to its purpose;
  3. an assessment of the risk to individuals; and
  4. the risk mitigation measures in place and demonstration of compliance.

Data protection impact assessments are required under the GDPR where there is a high risk to individual’s rights and freedoms. The Trust has concluded that its current processing is not likely to create any such risks. Therefore it has determined that no DPIAs will be carried out at this stage, but this will be reassessed at each periodic review of this policy and whenever there is a change in the nature of the Trust’s data processing.

  1. Direct marketing

The Trust is subject to the rules in PECR regarding direct marketing. Any material we publish with the aim of promoting our work to people outside the Trust will count as ‘marketing’ under those rules, even if we are not soliciting donations. When we send that kind of material to individuals we are undertaking ‘direct marketing’. 

The Trust must have opt-in Consent from the recipient in order to send unsolicited direct marketing by electronic mail, for example by email or text message, or by pre-recorded telephone messages. Marketing is unsolicited unless the recipient has specifically asked to receive it. We must have opt-in Consent before sending the electronic mail; using electronic mail to ask people for their Consent to send further electronic mail is a breach of the rules.

Whenever we send direct marketing material by electronic mail we must give the recipient an easy way to opt-out, and we must respect those choices.

The main form of direct marketing we currently undertake is sending out our email newsletter. The newsletter recipients have all opted-in to receiving it, and every email includes a link which the recipient can use to opt-out.

Different rules apply to direct marketing via post or ‘live’ telephone calls. We do not currently do any marketing via those methods. If we plan to start marketing by those methods in future we will take legal advice to understand those rules. 

  1. Sharing Personal Data 

Generally we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place. 

We only share the Personal Data we hold with third parties if:

  1. they have a need to know the information for the purposes of providing the contracted services (e.g. Universal Music Group providing IT services for the Trust); 
  2. sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;
  3. the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place; and
  4. the transfer complies with any applicable cross-border transfer restrictions. 

Before starting any regular or larger-scale data sharing arrangement (e.g. with a new supplier or collaborator) we should put in place a written agreement that sets out each party’s obligations regarding the arrangement.

  1. Changes to this Data Protection Policy 

We keep this Data Protection Policy under regular review. This version was last updated on 1 June 2023. GLOSSARY

Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.

Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the UK GDPR. The Trust is the Controller of all Personal Data relating to Trust Personnel and Personal Data used in our charitable activities and in furtherance of our charitable purpose.

Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).

UK GDPR: the retained EU law version of the General Data Protection Regulation ((EU) 2016/679). Personal Data is subject to the legal safeguards specified in the UK GDPR.

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. 

Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.

Privacy Notices or Privacy Policies: separate notices setting out information that may be provided to Data Subjects when the Trust collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose.

Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.