- Context and Overview
- Data Protection Regulations
- People, Risks, and Responsibilities
- Data Subject's Rights
- Disclosure of Data to Third Parties
- Marketing Policy
- Breach Policy
- Contact Details
(a) Key Details
Policy prepared by: Data Protection Supervisor
Approved by CEO o.b.o Board on: May 25th, 2018
Policy became operational on: May 25th, 2018
Next review date: May 2019
Faber Music Ltd ("Faber Music", "we", "us") needs to gather and use certain information about individuals or "data subjects". These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact. We are committed to protecting the privacy of our data subjects. We take our responsibilities regarding the security and legitimate use of personal information very seriously and are compliant with the Data Protection Act (“DPA”) 1998, General Data Protection Regulation (“GDPR”) (EU) 2016 and Privacy and Electronic Communications Regulations 2003 (“PECR”).
The purpose of this data protection policy is to inform you of how Faber Music:
- complies with data protection regulations and follows good practice;
- protects the rights of staff, clients, customers and partners;
- is transparent about how it stores and processes individuals’ data; and
- protects itself from the risks of a data breach; and
- takes appropriate action in the case of a data breach.
It is not our policy to employ a dedicated Data Protection Officer as, at present, the scale of personal data processed by Faber Music is not significant enough to meet this requirement. However, we have nominated a Data Protection Supervisor. If you have any concerns, questions or comments about this Privacy Notice, or the website, you can contact the data protection supervisor by following the instructions set out in section 9 below.
(a) Key Requirements
The DPA, GDPR and PECR describe how organisations – including Faber Music – must collect, process and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must:
- be processed fairly, lawfully and in a transparent manner;
- be obtained only for specific, explicit and legitimate purposes;
- be adequate, relevant and limited to what is necessary for the purpose(s) for which it is processed;
- be accurate and kept up to date;
- not be held for any longer than necessary for the purposes for which it is processed;
- be processed in accordance with the rights of data subjects;
- be processed utilising the appropriate level of security and protection against unlawful use;
- not be disclosed to third parties without first receiving approval from the data subject; and
- not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures a comparable level of protection.
(b) Legal Grounds for Processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given active and explicit consent to the processing for specific purposes;
- processing is necessary for the performance of a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or another individual;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
(a) Policy Scope
This policy applies to:
- the head office and all other branches of Faber Music;
- all employees of Faber Music; and
- all contractors, suppliers and other people working on behalf of Faber Music.
It applies to all personal data that the company holds relating to identifiable individuals, including:
- location details including postal addresses;
- email and IP addresses;
- telephone numbers;
- identification numbers;
- banking details; and
- details regarding health and/or social and cultural identity.
(b) Data Protection Risks
This policy helps to protect Faber Music and our data subjects from some very real data security risks, including:
- breaches of confidentiality, such as our data subjects' information being given out inappropriately;
- failing to offer choice – for example, all individuals should be free to choose how Faber Music uses data relating to them.
- reputational damage – for instance, the company and/or its data subjects could suffer if hackers successfully gained access to sensitive data.
The Board of Directors is ultimately responsible for ensuring that Faber Music meets its legal obligations.
The Data Protection Supervisor is responsible for:
- performing regular risk assessments to determine that all procedures and policies relating to personal information are compliant with the most recent data protection regulations;
- maintaining a set of documentation relating to data protection activities to demonstrate transparency and quickly identify and rectify the cause of any breach which might occur;
- keeping the Board updated about data protection responsibilities, risks and issues;
- communicating a breach to the relevant data subject(s), controller(s) and supervisory authority;
- arranging data protection training, advice and support for employees,;
- dealing with ‘subject access requests’ (see section 5(b) below);
- checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
The IT Manager is responsible for:
- ensuring all existing and future systems, services and equipment used for storing data meet acceptable security standards;
- performing regular checks to ensure security hardware and software is functioning properly;
- evaluating any third-party services the company uses to store or process data.
The Head of Marketing and Communications is responsible for:
- ensuring that approved data protection statements are attached to communications such as emails and letters;
- working with staff to ensure marketing initiatives adhere to data protection principles.
(d) General Staff Guidelines
These guidelines have been created in order to help our employees to act in compliance with the data protection regulations. They must be read, understood and consulted should a query relating to data protection arise.
- The only people able to access and process personal information covered by this policy should be those who need it to fulfil the responsibilities of their role. Measures must be taken to ensure that the sharing of personal data does not extend beyond colleagues who do not need it to perform their roles.
- Personal data should not be shared informally - always be aware of the environment in which sensitive conversations take place and take appropriate steps to ensure they are not overheard by unauthorised personnel.
- Personal data should not be shared informally - always be aware of the environment in which sensitive conversations take place and take appropriate steps to ensure they are not overheard by unauthorised personnel.
- Personal data should not be disclosed to unauthorised people, either within the company or externally.
- Staff are not permitted to use personal data for any purpose not connected to their job.
- Staff should not record any information about an individual that they would not want the data subject to see. This includes information written on applicants’ documents (e.g. CV) at an interview – the data subject has the right to request to see this information.
- Personal data held on an individual may only be disclosed to that individual or to another party with the individual’s explicit consent.
- In particular, strong passwords must be used, regularly updated and never be disclosed.
- Personal data should not be disclosed to unauthorised people within the company or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of and this should be documented appropriately.
- Employees should request help from their line manager or the Data Protection Supervisor if they are unsure about any aspect of data protection.
(a) Data Storage
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or Data Protection Supervisor.
When data is stored on paper:
- personal information should be kept in a secure place where unauthorised people cannot see it;
- when not required, the paper or files should be kept in a locked drawer or filing cabinet;
- employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer;
- data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts, as follows:
- personal information should be protected by strong passwords that are changed regularly and never disclosed;
- data should be held in as few places as necessary. Staff should not create any unnecessary additional data sets;
- if data is stored on removable media (e.g. CD or DVD), these should be kept locked away securely when not being used;
- data should only be stored on designated company drives and servers, and should only be uploaded to approved cloud computing services;
- servers containing personal data should be sited in a secure location, away from general office space;
- data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures;
- where data is saved directly to mobile devices (such as laptops, tablets or smartphones) which might be removed from company premises, extra security measures must be applied to ensure the data is protected in the event that the device is lost or stolen;
- all servers and computers containing data should be protected by approved security software and a firewall; and
- personal information obtained via company websites should be passed via a secure, SSL-protected electronic feed into Faber Music’s central systems.
(b) Data Retention
The DPA and GDPR state that personal data must not be held for any longer than necessary for the purposes for which they are processed. To this extent:
- all personal data should be regularly reviewed and securely disposed of if no longer required and such deletion should be adequately documented;
- personal data relating to commercial business for a minimum of six years, plus the current HMRC tax year, in order to adhere to mandatory accounting regulations;
- it is necessary to keep data which enables us to comply with the terms of an active contract.
(c) Data Use
Personal data is of no value to Faber Music unless the business can make use of it. However, it is when this data is accessed and used that it can be at the greatest risk of loss, corruption or theft.
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
- Wherever possible, data must be password protected before being transferred electronically. The IT manager can explain how to send data to authorised external contacts.
- Personal data should never be transferred outside of the European Economic Area without first: i) ensuring an appropriate level of security is in place and ii) informing the data subject(s) in question.
- Employees should not save copies of personal data to their own hardware devices. Always access and update the central, secured copy of any data.
(d) Data Accuracy
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
- Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
- Faber Music will make it easy for data subjects to update the information we hold about them.
It is important that everyone who works for or with Faber Music understands the rights belonging to data subjects, and can act upon them quickly and professionally if and when they are exercised. These include:
(a) The Right to Receive Information, Including:
- the name and contact details of the organisation processing the data;
- the purpose and legal basis for processing the data;
- details of any recipients of the data;
- details about whether data is transferred outside the European Union and the safeguards in place to protect it;
- the period for which data will be stored;
- if the data was supplied by a third party, details of the original source;
- details of any automated decision-making or profiling* related to the processing of data;
- details of whether data will be used for any purpose other than the purpose for which is was originally collected.
The company has various Privacy Notices, which set out how data relating to different categories of data subject are used (for example, staff or online customers). These are available on request, and are published on each of the company’s websites.
*‘Profiling’ means any form of automated processing of personal data where it is used to evaluate certain personal aspects relating to the individual, in particular to analyse preferences, interests, behaviour, or location.
(b) The Right to Access: If a data subject would like to receive a copy of the personal data in our possession, we can arrange for an electronic copy to be sent securely to them. Subject access requests from individuals should be made by email, addressed to the data protection supervisor at firstname.lastname@example.org. Our response time may vary depending on the extent of the information they require, and we may need to verify their identity before sending anything out. One copy can be organised free of charge but we may need to charge for additional copies.
(c) The Right to Rectify Data: If a data subject needs to amend or update the personal data in our possession, we will arrange for this to be done promptly. Our response time will depend on the extent of the information required, and we may need to verify their identity before amending our records.
(d) The Right to Erase Data: If a data subject wishes us to completely erase the personal data in our possession, we will arrange for this to be done promptly. Our response time may vary depending on the extent of the information to be deleted. We may need to verify their identity before deleting a record. We must make the subject aware of any reason why we are legally obliged to retain the information.
(e) The Right to Restrict Processing: If a data subject has reason to believe that their personal data is inaccurate, unlawful, or no longer required, they can request that we restrict the processing and we will investigate the possibilities without delay. Our response time may vary depending on the extent of restrictions required, and we may need to verify their identity before making any restrictions.
(f) The Right to Withdraw Consent: If a data subject gave consent for their personal information to be processed by us, this consent can be withdrawn at any time. We must make them aware of any reason why we are legally obliged to retain the information.
(g) The Right to Data Portability: Data subjects have a right to forward a copy of the personal data in our possession to another party, or to request that we do so on their behalf, so long as we currently store it in an electronic format. Our response time may vary depending on the extent of data that required, and we may need to verify their identity before taking action.
(h) The Right to Object to Automated Individual Decision-Making or Profiling: From time to time we may process personal data for direct marketing purposes. Data subjects have a right to object to their data being included in a decision based on automated processing (eg. preference profiling) and if they object we should comply and remove the personal data from the relevant marketing list with immediate effect.
(i) The Right to Lodge a Complaint with the Information Commissioner's Office ("ICO"): If a data subject is concerned that their personal data is being collected, stored, processed or shared illegally, they can report that misuse to the ICO at https://ico.org.uk/concerns/ or call (UK +44)(0)3031231113.
We work with a number of third party service providers who process personal data to allow us to run our business and to fulfil contractual obligations on behalf of our staff, clients, B2B and B2C customers and website visitors. These may include, but are not limited to:
- HR Platforms
- Payroll Providers
- Pensions Providers
- Email Marketing Platforms
- CRM Platforms
- IT Service Providers
- Telephone Providers
- Email Service Providers
- Secure Online Payment Providers
- Accounting Platforms
- Fulfilment Platforms
- Ecommerce Order Fulfilment Partners
- Third Party Publisher Clients of Faber Music Distribution
- The Inland Revenue
- The Child Support Agency
- The Benefits Agency
- The Department of Employment and Pensions
- The Financial Services Authority
In certain circumstances, the Data Protection Act and GDPR allow personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, Faber Music will disclose requested data. However, the data protection supervisor will ensure the request is legitimate, seeking assistance from the Board and from the company’s legal advisers where necessary.
We work closely with these third party processors to ensure their services fully comply with the DPA, GDPR and PECR and keep a copy of their Privacy Policies on file should you wish to access one.
Faber Music will not respond to requests for personal information on individuals from other third parties without the written consent of the individual concerned. This applies to requests from banks, building societies, prospective employers, etc. We may transfer information about you to other group companies for purposes connected with your employment or the management of the company’s business.
We never transfer your personal information outside of the EEA or to an international organisation without first informing you that we need to do so, and for what purpose, and will always ensure appropriate safeguards are in place to protect it.
We want to tell people who are interested in Faber Music about what we do. We have various forms of marketing communications and are dedicated to ensuring that wherever we are using personal data we are always compliant with the DPA, GDPR and PECR.
'Marketing' means the promotion by Faber and its group of companies of news, information, products and services related to the business, our composers and their music;
'Email Marketing' means the electronic delivery of correspondence via email and e-newsletters straight to your Inbox; and
'Direct Mail Marketing' means the posting of physical newsletters, magazines, catalogues, etc. to a postal address via a third party mail delivery service.
Personal Information and Marketing
In order to ensure that your personal information is processed fairly and lawfully, we will endeavour to:
- provide data subjects with a privacy notice or ensure it is easily accessible;
- obtain your consent wherever necessary;
- make ‘opting in’ instructions specific and transparent, and include a form of positive action (e.g. a checkbox, or subscribe button) so that consent is given knowingly and freely;
- offer a clear and genuine choice regarding whether or not your details may be used for marketing purposes;
- wherever possible, record when and how we got consent, and exactly what it covers, and maintain our records to ensure your personal data is accurate and up to date;
- delete any irrelevant or excessive personal information in our records;
- ask for consent before passing details to third parties for marketing, and name those third parties;
- only collect personal data for specified purposes;
- only use the information for the purposes that you have consented to;
- make certain that the news, information, products and services we are marketing are the same or similar to those that the individuals originally consented to receive marketing for;
- specify methods of communication (e.g. by email, text, phone, recorded call, post);
- provide opportunities for you to manage the way in which we communicate with you – eg. links to unsubscribe from direct marketing activities and instructions on how to access, rectify, erase or restrict your personal information;
- have procedures for dealing with inaccuracies and complaints;
- respond to your requests positively and promptly, and confirm that we have done so in writing;
- not use bought-in marketing lists unless we have proof of opt-in consent;
- include our company name, address and telephone number in the content of our correspondence;
- keep a record of anyone who opts out in order to ensure they are no longer included in communications.
Step 1 – The member of staff who first learns of a possible breach will notify their line manager without delay, who, in turn, will notify the Data Protection Supervisor;
Step 2 – The Data Protection Supervisor will liaise with the relevant internal staff to: i) pinpoint the breach location, ii) determine the extent to which personal information may or may not have been affected and iii) assess the level of risk to the data subject(s) as a result of the breach.
Step 3 – Immediate action will be taken to regain full security.
Step 4 – If we determine there is a high risk to the rights and freedoms of the data subject(s) in question, we will make contact with them without undue delay to alert them to the breach and advise them as to how to mitigate any further risk.
Step 5 – The Data Protection Supervisor will notify the ICO of a serious breach within 72 hours of becoming aware of it.
Step 6 – We shall document all breaches, even those which do not need to be reported.