1. Introduction and Scope
This policy sets out how Music Patron (“MP”, “we”, “our”, “us”) protects and manages personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and relevant best practice guidance. The policy applies to all personal data processed by MP staff, volunteers, contractors, and third-party suppliers. It covers data relating to patrons, composers, employees, contractors, suppliers, and members of the public who interact with Music Patron.
2. Definitions
- Personal Data: Information relating to an identified or identifiable individual.
- Special Category Data: Sensitive data requiring additional protection (e.g., health, ethnicity, sexual orientation).
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
3. Our Commitment
Music Patron is committed to:
- Processing personal data fairly, lawfully, and transparently.
- Ensuring that only necessary personal data is collected and retained.
- Protecting the privacy and rights of individuals.
- Maintaining clear procedures for data breaches and data subject rights.
4. Roles and Responsibilities
Data Protection Lead:
The CEO is responsible for day-to-day data protection, supported by designated staff as appropriate. Questions can be directed to: [email protected].
Access Restrictions:
Only the CEO, Platform and Community Manager, and designated fundraising, digital marketing and technology service providers have regular access to personal data. Trustees and Steering Committee members may access data by exception only, if and when required for their governance role.
All staff and volunteers must comply with this policy and undertake training as needed.
5. Data Collected
Music Patron collects and processes the following types of personal data:
- Contact details (name, email, address, phone)
- Biographical data (for composers, patrons)
- Financial and donation information (processed via third-party payment providers; we do not store payment card details)
- Equality and diversity information (on a voluntary basis, for monitoring and compliance)
- Communication and engagement data (emails, message history, meeting transcripts and summaries)
- Employment and application data (for employees, composers, contractors)
We do not routinely collect special category data except for optional equal opportunity monitoring.
6. Purposes and Lawful Bases for Processing
Personal data is processed for the following purposes:
- Fulfilling contracts and processing donations;
- Supporting composers and patrons;
- Communicating project updates and newsletters;
- Legal compliance (e.g., charity governance, funding requirements);
- Equal opportunities and diversity monitoring;
- Internal administration and security.
Legal bases used:
- Consent (e.g., marketing communications, optional EDI questions)
- Contractual necessity (donor/member relationships, employment)
- Legal obligation (e.g., employment, charity law)
- Legitimate interests (platform operation, reporting, and improvement)
7. Third-Party Data Processors and International Transfers
We use trusted third-party service providers for data processing. Most personal data is stored in the UK/EU, but the use of global providers may involve international transfers. We require all providers to adhere to GDPR-equivalent safeguards, including Standard Contractual Clauses and encryption.
International Transfers: The adequacy of protections for personal data stored outside the UK/EU by cloud providers is regularly reviewed.
Payment card details are not stored by Music Patron; these are securely handled by our payment processors under their PCI-DSS compliance.
8. Data Security and Storage
- Personal data is stored securely using encrypted cloud systems with restricted access.
- Access is limited to staff and providers as stated above.
- Password management and regular security reviews are mandated.
- Relevant training is provided to staff and relevant volunteers.
9. Data Retention
Data is kept only as long as necessary for the purposes for which it was collected.
Standard periods:
- Most personal data will be retained for a maximum of five years from last active engagement
- Financial and Gift Aid records: seven years as per HMRC compliance
- Employee recruitment data: 12 months unless otherwise agreed
- Trustee records: seven years following end of trusteeship as per Charity Commission requirements
Extended retention for relationship management:
- Personal data for industry contacts, supporters, advisors, and potential partners may be retained beyond five years where there is an ongoing or reasonably anticipated relationship that serves our charitable objectives (e.g., developing partnerships, securing funding, sector collaboration).
- This extended retention is based on legitimate interests and is subject to annual review.
- Individuals retain the right to object or request deletion at any time.
Exception: Data may be retained longer where legal, contractual, or regulatory requirements apply, or where necessary for legal claims.
Procedures are regularly reviewed and documented.
10. Data Subject Rights
Individuals have the right to:
- Access their personal data;
- Request correction or deletion of their data;
- Object to or restrict processing;
- Request data portability (where legally applicable);
- Withdraw consent, where this is the basis of processing.
Requests should be sent to: [email protected].
A formal process is being developed; for now, all requests will be managed promptly via email.
11. Data Breach Management
Procedures and a breach notification policy are in development to address personal data breaches.
In the event of a breach, we will promptly assess and, if required, report it to the Information Commissioner’s Office (ICO) and affected individuals within 72 hours, in line with legal requirements.
12. Complaints and Queries
To exercise your rights, raise a concern, or make a complaint about how we handle your data, please contact [email protected].
If you are not satisfied with our response, you may contact the ICO directly (www.ico.org.uk).
13. Review and Updates
This policy is reviewed at least annually or upon significant change in law or practice.