
Lullaby Lucy Privacy Policy



In this document the Data Controller is the Director of Lullaby Lucy, and will be referred to as such throughout the document.  The Director is accountable to the Board of Directors/Trustees.


All core staff, freelance staff, and volunteers are required to undertake training relevant to their role at Lullaby Lucy, in handling data in accordance with this policy, the Data Protection Act 1998 and the General Data Protection Regulation 2016.  The training will be delivered by the Data Controller.


All core staff, freelance staff, and volunteers undertake to uphold the good name of Lullaby Lucy, including its relations with the public, its members and suppliers.


All core staff, freelance staff, and volunteers will uphold in the strictest of confidence all information of a personal and professional nature, which is not already in the public domain, that is learned about others in the Organisation including participants, their families and carers, and other members of staff.  Such information will only be shared with others inside the Organisation if required to do so as part of their duties, and in ways that will safeguard its sensitive nature.  Such information will not be shared with anyone outside the Organisation.


All data is held securely.


Lullaby Lucy will only collect and process personal data if the organisation has a valid lawful basis to do so.  Reasons for collecting and processing personal data are detailed in clause 4 of this document.


All core staff, freelance staff, and volunteers will adhere to the principles of the Data Protection Act 1998 and the General Data Protection Regulation 2016 and will be required to adhere to this Data Protection Policy and remain under these obligations at all times including after they have left the Organisation.


Definitions (reference: Information Commissioner’s Office)


Personal data:  Data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.  This includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.


Data subject: A living individual who is the subject of personal data.  The Data Protection Act 1998 and the General Data Protection Regulation 2016 do not count as a data subject an individual who has died or who cannot be identified or distinguished from others.


Data Controller: The person or organisation who determines the purposes for which and the manner in which any personal data are, or are to be processed. 


Data Processor: a natural or legal person, public authority, agency or any other body, which processes personal data on behalf of the controller.  Details of CoDa Dance Company’s Data Processors can be found later in Clause 5 of this document.


Types of Data collected and how it is processed


The chart below sets out the basics of who Lullaby Lucy Company’s Data Subjects are, what types of information are collected about them, how the data is processed, and under which of the six legal bases for processing under GDPR the data is processed.


Some individuals may fall under more than one data subject category.


The chart states the length of time that this data is kept for, in accordance with best practice.  After this length of time, data is deleted securely from Lullaby Lucy’s computer systems, and paper copies of information are shredded.


Data is reviewed on a yearly basis, to ensure that it remains fair and accurate and upholds the purpose for which it is kept and processed.




| Data Subject | Type of data collected | How is the data processed and held | Length of time data is kept | The legal basis under which data is kept |
| --- | --- | --- | --- | --- |
| | Phone Number; Emergency Contact Name; Emergency Contact Phone Number; Film Footage; Equalities data; Needs data | Forms are created in hard copy, information is transferred to excel document which is kept in Google Shared Drive | Participant Data is kept for 35 years, being suppressed after 7 years. Hard copy forms are kept until the end of the project. Data monitoring is kept for 7 years for financial records | Performance of a Contract (personal information); Consent (images) |
| Staff, Freelance Staff, Volunteers, Work Experience (Paid and Unpaid) | Email address; Phone Number; UTR (unique Tax reference number); NI number; Bank details; DBS check details; Criminal Declarations; Equalities data; Needs data | Files are kept in locked folder, backup information is on shared Google drive, with limited staff access | Data is held for duration of employment or contract, plus 5 years following termination of contract | Performance of a Contract; Consent (images) |
| | Email Address; Post Code; Equalities data; Needs data | /google analytics / mailchimp | 7 Years | Legitimate Interest (newsletter); Consent (website); Consent (photographs and film) |
| Partner organisations | Contact Name; Organisation Name; Email Address; Bank Account Details | Forms are created in hard copy or on google forms and information is transferred to excel document which is kept in Google Shared Drive | Duration of the contract plus 7 years following termination of the contract | Performance of a Contract |
| Enquiring about our organisation and its work | Name, email, message | Newsletters/google analytics / mailchimp | | Legitimate interests |
| Subscribing to email updates about our work | Name, email | Newsletters/google analytics / mailchimp | | |
| Making a donation | Name, email, address, payment information | Newsletters/google analytics / mailchimp / google shared drive | | Legitimate interests |
| Signing up as a member | Name, email, address, payment information | Newsletters/google analytics / mailchimp / google shared drive | | |
| Website functionality | Website activity collected through cookies | google analytics | | Legitimate interests |




Reasons for collecting and storing data


Lullaby Lucy sets out below the reasons for collecting, processing, and keeping data.  Data will be kept for no longer than specified in clause 3 of this document. 


To provide data subjects with services requested.


To ensure Health & Safety regulations are upheld when a data subject is accessing services.


To provide data subjects with information about events and activities that they have asked to receive.


To report to funding bodies that have provided funding for Lullaby Lucy projects and require equalities data and information about projects as part of Lullaby Lucy’s agreement with them.


To share and promote the work of Lullaby Lucy, in accordance with the permission given by the data subject.


To process any donation(s) Lullaby Lucy may receive from data subjects.


To ask data subjects to help Lullaby Lucy to raise money or donate to the charity (always in accordance with data use choice specified by the Data Subject).


To invite data subjects to take part in surveys or research.


Where it is required or authorised by law.


For internal record keeping, such as management of feedback and complaints.


For HR purposes, such as payroll and processing grievance procedures.


For the purposes of financial transactions.


To analyse and improve the services that Lullaby Lucy offers.


The use of IP addresses to block disruptive use and record website traffic.





Action plan in the event of a personal data breach


A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.


Lullaby Lucy recognises that a data breach can include: access by an unauthorised third party; deliberate or accidental action (or inaction) by a data controller or data processor; sending personal data to an incorrect recipient; computer devices containing personal data being lost or stolen; alteration of personal data without permission; loss of availability of personal data.


Should there be a personal data breach, then the primary objective is to minimise the adverse consequences to the individual(s) identified and Lullaby Lucy as the legal entity liable under law for information security. 


If a personal data breach occurs, the Data Controller and Co-Directors at Lullaby Lucy must be notified immediately.


The level of risk of the personal data breach to the data subjects will be assessed. 


If there is a low risk to the data subjects, then the Data Controller will notify the ICO, giving details of the data breach in accordance with their requirements, within 72 hours of the breach occurring.  The breach will also be logged within Lullaby Lucy’s records.


If there is a high risk to the data subjects, i.e. the breach involves sensitive data, then the data subjects affected will be notified immediately.  The Data Controller will then notify the ICO, giving details of the data breach in accordance with their requirements. The breach will also be logged within Lullaby Lucy’s records.


When reporting a breach to the ICO, the Data Controller will provide:

a description of the nature of the personal data breach including, where possible:


the categories and approximate number of individuals concerned;

the categories and approximate number of personal data records concerned;

the name and contact details of the Data Controller;

a description of the likely consequences of the personal data breach;

a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.


Data Subject Access Requests


The Data Controller will respond to data subject access requests made by Data Subjects requesting access to their own data.  The request must be made in writing, via hard copy or email.


If a third party is making a request on behalf of a data subject, the Data Controller will take steps to ensure that the data subject has given their permission to the third party to act on their behalf.


The Data Controller will formally acknowledge data subject access requests immediately, and will provide the information requested within one month of receipt of the request.


The Data Controller will provide the information in response to a data subject access request in a format accessible to the data subject, but in most cases in electronic format. 


Lullaby Lucy will not charge fees for data subject access requests, unless the request is for further copies of the same information that has already been requested.  In this case, there will be a reasonable fee charged based on the administration cost of providing the information.


If the request is manifestly unfounded or excessive, Lullaby Lucy reserves the right to refuse to respond.  In this case, the Data Controller will explain to the data subject, within one month of the date of the request, the reasons for not responding and inform them of their right to complain to the ICO and to seek a judicial remedy.


If the Data Controller does respond to a request that is manifestly unfounded or excessive, a reasonable fee may also be charged by Lullaby Lucy, based on the administration cost of providing the information. 




Information Commissioner’s Office

Privacy & Electronic Communications Regulation 2003

Data Protection Act 1998
