Drake Music Privacy Notice

The purpose of this privacy notice is to explain how Drake Music (“DM”) processes personal data to fulfil its data protection responsibilities. The scope of this notice covers DM’s clients, service users and workforce, including consultants and contractors. Separate event notices will be issued when required as an addendum to this privacy notice.

The role of DM in data protection is that of a data controller for the purposes of operating its business. This is because DM makes decisions about why personal data is collected, and how it is processed. It is the responsibility of the DM privacy manager (PM) to ensure that all personal data is processed in accordance with the UK’s data protection legislation. The PM can be contacted by email using info@drakemusic.org.

The personal data processed by DM will be basic contact information for the purposes of responding to general enquiries and administering, preparing contracts, making payments when necessary, and collecting the contact details of our service users. In some instances, it will be necessary to request special category data, mostly about health, for diversity data collection purposes and to ensure we offer appropriate facilities to our service users. If DM is not given all the requested information, it may result in an incomplete service being provided.

DM’s duty of confidentiality means that DM will treat personal data with due respect and in confidence. DM expects the same duty of confidentiality of all third parties with whom it shares personal data. It will only be disclosed when lawful circumstances allow. When it is necessary to engage third parties to process personal data, for which DM is the data controller, a data processing agreement (or equivalent) between both parties will be put in place.

DM will process your personal data in the UK, where it is backed up locally and with a cloud service provider based in the UK. Email is processed using a reputable web-based provider. Email and mobile phone contacts are stored on office IT equipment and mobile phones. DM uses appropriate technical and organisational measures to ensure personal data is kept secure.

DM will routinely process your personal data against a lawful basis as described below:

  • Using consent, given prior to any processing
  • To fulfil our contractual obligations, including contract preparation, when required
  • When processing is necessary for the purposes of our stated legitimate interests
  • To comply with our legal obligations
  • When processing against a pre-defined purpose for which your consent has been sought and recorded beforehand; please note that consent can be withdrawn at any time by asking the PM

In all cases the processing of personal data shall be done in accordance with the principles of data protection as set out in the UK’s data protection legislation.

DM will share your personal data, only when it is necessary, with some or all of the following third parties:

  • The Inland Revenue (HMRC)
  • Accountants appointed by DM
  • An external IT support company for which there is a data processing agreement in place
  • With the explicit consent of participants in our programmes, we may also share personal data with organisations we are partnering with in order to deliver those programmes
  • Eventbrite
  • Mailchimp

DM will retain different types of personal data for varying periods depending on content. A summary of the critical categories is shown below:

  • Routine correspondence for casual enquiries in hard copy or in emails will be stored for 2 years after the last interaction with DM
  • Contract related data will be retained throughout the life of the contract plus another 5 years following the conclusion of that contract
  • Financial records and invoices, which may include personal data, will be retained for 6 years following the end of the current tax year of processing
  • Event specific special category data, obtained by explicit consent, will be destroyed or deleted within one month of the end of that event
  • Contact data is stored indefinitely unless a valid request for erasure is received from the interested data subject

By exception, documentation that includes personal data may be retained by DM beyond the schedule, but only for a specific purpose and only when DM has a legitimate interest or a legal obligation to do so.

At the end of the retention period, DM will either return, destroy or delete your personal data and any associated emails or relevant documentation. If it is technically impractical to delete electronic copies of personal data, DM will put it beyond operational use. It should be noted that DM allows up to 3 months after the end of the schedule to complete the action.

DM maintains a website for publicity purposes and as a source of information for anyone who is taking an interest in the services offered. The website uses cookies to enhance user experience and to collect analytical data of the web browsers used to view the website. User consent is sought before non-essential cookies are run. No attempt is made to identify the individuals who visit the website, via technical means or otherwise, unless there is a legal requirement to do so.

The UK General Data Protection Regulation (GDPR) defines the rights of data subjects, although these do not apply in all situations. For convenience, these rights are shown below:

  • Right to be informed as to how personal data is being processed – this is done through this notice or recipient-specific versions when needed
  • Right to access personal data held by DM, which is done by submitting a ‘Subject Access Request’ (SAR) to the privacy manager
  • Right to rectification of personal data if DM has collected it incorrectly or it needs to be updated
  • Right to erasure of personal data for which DM no longer has a legitimate purpose to process
  • Right to restrict processing under certain circumstances, during which time personal data will be put out of operational use until the related matter is resolved
  • Right to data portability of personal data in a machine-readable version, but this only applies to data provided with consent or under contract
  • Right to object to processing personal data for which DM does not have a legal or contractual obligation
  • Rights related to automated decision making and profiling; however, DM does not use these techniques in its decision making

Further details on data subject rights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.

Raising concerns, exercising rights, or making queries about our processing of personal data can be done by contacting the privacy manager. Please be aware that DM will need to verify a requester’s/enquirer’s identity before responding fully. For that reason, you may be asked for proof of identification that, in context, will enable DM to confirm your identity. Alternatively, you may contact the ICO directly, using the details provided above.

v1.1

June 2024