Oxford Bach Choir Data Protection Policy


The Oxford Bach Choir Trustees are committed to protecting the personal information the Choir holds and being transparent about that information.

In order to operate, the Oxford Bach Choir needs to gather, store and use certain forms of information about individuals.

These can include members, employees, contractors, suppliers, volunteers, audiences and potential audiences, business contacts and other people the Choir has a relationship with or regularly needs to contact.

This policy explains how this data is collected, stored and used in order to meet Oxford Bach Choir’s data protection standards and comply with the law.

Importance of this policy

This policy ensures that Oxford Bach Choir

  • protects the rights of its members, volunteers, supporters, employees
  • complies with data protection law and follows good practice
  • protects the Choir from the risks of a data breach.

Who we are

The Oxford Bach Choir is a registered charity No: 233688, and is run by an elected committee of Trustees, all of whom are members of the Choir. The Trustees are assisted, and informally advised, by a Council, which is also composed of elected members of the Choir.

Who and what this policy applies to

This policy applies to all those handling data on behalf of Oxford Bach Choir, eg:

  • Trustees
  • Council and committee members
  • Volunteers
  • Members
  • Contractors/3rd-party suppliers
  • Employees

It applies to all data that Oxford Bach Choir holds relating to individuals, including:

  • Names
  • Email addresses
  • Postal addresses
  • Phone numbers
  • Any other personal information held (e.g. financial)

Roles and responsibilities

Everyone who has access to data in the course of carrying out Choir business has a responsibility to ensure that they adhere to this policy.

Data controller

The Oxford Bach Choir is the Data Controller for the purposes of the Data Protection Act 1998 and other relevant data protection law, and is responsible for determining what data is collected and retained and how it is used. The Data Protection Officer is the General Secretary of the Choir. Any questions relating to the collection or use of data should be directed to our General Secretary by email:

Data protection principles

1.     We fairly and lawfully process personal data

The Oxford Bach Choir will only collect data where lawful and where it is necessary for the legitimate purposes of the Choir.

  • A member’s name and contact details will be collected when they first join the Choir and will be used to contact the member regarding Choir membership administration and activities. Other data may also subsequently be collected in relation to their membership, including their ‘subs’ payment history and photographs.
  • Members shall be asked on joining the Choir for their permission for use of their image in any photographs taken of the choir which may be used on the choir’s website and other promotional materials.
  • Members will be emailed a weekly bulletin during term time to include information about rehearsals, the concert, promotion of the concert, and details of external events that are thought to be of interest. Other communications by email may also be necessary from time to time.
  • The name and contact details of volunteers, committee members, employees and contractors will be collected when they take up a position and will be used to contact them regarding group administration related to their role.

Further information, including personal financial information and criminal records information may also be collected in specific circumstances where lawful and necessary (in order to process payment to the person or in order to carry out a DBS check).

  • An individual’s name and contact details will be collected when they make a booking for an event. This will be used to contact them about their booking and to allow them entry to the event.

If the individual is not a member of the Oxford Bach Choir, a Friend or Benefactor, their contact details will be deleted immediately after the event for which they have booked.

  • An individual’s name, contact details and other details may be collected at any time (including when booking tickets or at an event), with their consent, in order for Oxford Bach Choir to communicate with them about group activities, and/or for Direct Marketing. See ‘Direct Marketing’ below.

2.     We only collect and use personal data for specified and lawful purposes

When collecting data the Oxford Bach Choir will always explain to the subject why the data is required and what it will be used for, e.g.

“Please enter your email address in the form below. We need this so that we can send you email updates for group administration including about rehearsal and concert schedules, subs payments and other business.”

We will never use data for any purpose other than that stated or can be reasonably considered to be related to it. For example, we will never pass on personal data to third parties without the explicit consent of the subject. We will never sell personal data to a third party.

3.     We ensure any data collected is relevant and not excessive

The Oxford Bach Choir will not collect or store more data that the minimum information required for its intended purpose.

4.     We ensure data is accurate and up-to-date

The Oxford Bach Choir will ask members, volunteers and staff to check and update their data on an annual basis.

Any individual will be able to update their data at any point by contacting the General Secretary.

5.     We ensure data is not kept longer than necessary

Oxford Bach Choir will keep data on individuals for no longer than 12 months after the Choir’s involvement with the individual has stopped, unless there is a legal requirement to keep records. The data will be deleted in a secure way.

6.     We process data in accordance with individuals’ rights

The following requests can be made in writing to the General Secretary:

  • Members, volunteers and supporters can request to see any data about them held by the Choir. Proof of identity may have to be provided. Any such request will be actioned within fourteen days of the request being made.
  • Members and supporters can request that any inaccurate data held on them is updated. Any such request will be actioned within fourteen days of the request being made.
  • Supporters, Friends and Benefactors can request to stop receiving any marketing communications at any time. Any such request will be actioned within fourteen days of the request being made.
  • Members, supporters, Friends and Benefactors can object to any storage or use of their data that might cause them substantial distress or damage or any automated decisions made based on their data. Any such objection will be considered by the Trustees, and a decision communicated within thirty days of the request being made.

7.     We keep personal data secure

Oxford Bach Choir will ensure that data held by us is kept secure.

  • Electronically-held data will be held within a password-protected and secure environment.
  • Passwords for electronic data files will be re-set each time an individual with data access leaves their role/position.
  • Physically-held data (e.g. membership forms or email sign-up sheets) will be stored in a locked cupboard/filing cabinet.
  • Access to data will only be given to relevant Trustees/committee members/contractors where it is clearly necessary for the running of the Choir. The Data Controller will decide in what situations this is applicable and will keep a master list of who has access to data.

8.     Transfer to countries outside the EEA

The Oxford Bach Choir will not transfer data to countries outside the European Economic Area (EEA).

Member-to-member contact

We only share members’ data with other members with the subject’s prior consent.

As a membership organisation, the Oxford Bach Choir encourages communication between members.

To facilitate this:

  • members can request the personal contact data of other members in writing via the Data controller or Membership Secretary. These details will be given, as long as they are for the purposes of contacting the subject (e.g. an email address, but not financial or health data) and the subject consents to their data being shared with other members in this way.

Direct Marketing

The Oxford Bach Choir will collect data from consenting supporters for marketing purposes. This includes contacting them to promote concerts, updating them about group news, fundraising and other choir activities.

On occasions when data is collected for this purpose, the following will be provided:

  • A clear and specific explanation of what the data will be used for (e.g. ‘Tick this box if you would like Oxford Bach Choir to send you email updates with details about our forthcoming events, fundraising activities and opportunities to get involved’)
  • A method for users to show their active consent to receive these communications (e.g. a ‘tick box’)

Data collected from supporters will only ever be used in the way described and consented to (e.g. we will not use email data in order to market third party events or products unless this has been explicitly consented to).

Every marketing communication will contain a method through which a recipient can withdraw their consent (e.g. an ‘unsubscribe’ link in an email). Opt-out requests such as this will be processed within 28 days.

The Oxford Bach Choir uses a third-party provider, MailChimp, to deliver its newsletter to those who register for it on the choir’s website. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy notice.

Cookies on the Oxford Bach Choir website

A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.

The Oxford Bach Choir may use cookies on the website in order to monitor and record users’ activity. This allows us to improve users’ experience of our website by, for example, allowing for a ‘logged in’ state, and by giving us useful insight into how users as a whole are engaging with the website.

We may implement a pop-up box on that will activate each new time a user visits the website. This will allow them to click to consent (or not) to continuing with cookies enabled, or to ignore the message and continue browsing (i.e. give their implied consent).

We will also include a link to our Privacy Policy which outlines which specific cookies are used and how cookies can be disabled in the most common browsers.

Third Party Sites

Our Privacy Policy only applies to the choir’s websites. Our websites may contain links to other sites which are outside our control and not covered by this Policy. Please be aware that we are not responsible for the privacy practices of these other sites. We encourage our visitors to be aware of this when they leave our website, and to read the privacy policy of such websites linked to when visiting them.

Changes to our Policy notice

We may need to update and to change this Policy at any time and, where appropriate and possible, these changes will be notified to members and supporters by e-mail.

How to contact us

For questions, comments, requests or complaints regarding this Privacy Policy or about how we collect store or use your personal data please contact us at

Approved by Trustees of the Choir May 2018.