- Areas of work
- The personal data that we process and store
- How we collect, process, protect and dispose of data
- Third Parties
- Roles and responsibilities
- Subject Access Request Forms
- The Right to be Forgotten
- Updates and further information
Artsadmin is committed to best practice in the handling of personal and sensitive data and careful compliance with requirements of GDPR (General Data Protection Regulations), which comes into force on 25 May 2018.
We take your privacy seriously and will only use your personal information to administer your transactions with us (online and offline) and to provide information about the events, resources and services you have requested. All data is collected and is currently processed in accordance with the Data Protection Act (1998) and GDPR.
Our priority is to avoid causing harm to individuals by:
- Keeping all information securely, and only in the right hands (i.e. on a strictly “need-to-know” basis;
- Holding accurate information only as long as we need it.
We aim to be open and transparent in the way we use personal data to give individuals as much choice as possible, within reason, over what data is held and how it is used.
Here is how we define the terms we use around data protection:
- Data – information held on computer in digital form or similarly held on other electronic device(s) such as mobile phones, tablets etc, and/or is otherwise held manually, as hard-copy (including by not limited to, photographs, video material, hand written notes, etc.)
- Data Controller – the organisation, i.e. Artsadmin, responsible for how and why personal data are used, or are to be processed
- Data Processor – any person (other than an employee of the data controller) who processes the data on behalf of the data controller
- Data Protection – legal control over access to and use of data stored in computers. It is about protecting people from the consequences of their data being misused, mishandled or mismanaged
- Data Subject – an individual about whom personal data is held
- Personal Data – information about a living individual who is identifiable from the data held on them by a Data Controller
- Subject Access – the right of an individual to have a copy of the information a data controller holds about them.
- Processing – any use of personal data, including obtaining, storing, using, disclosing or destroying it. This includes organisation, adaptation or alteration of the information or data; retrieval, consultation or use of the information or data; disclosure of the information or data by transmission, dissemination or otherwise making available; alignment, combination, blocking, erasure or destruction of the information or data.
Areas of work
This data protection policy covers all Artsadmin’s activities, particularly relating to HR, marketing, fundraising and networking activities. We define these activities as:
- HR – the recruitment and management of information about applicants, casual staff and employees.
- Marketing – activities that seek to match one of our products or services with a customer or client, at the right price, in the right place, at the right time.
- B2B marketing – Business to Business marketing is the online and offline activities that help us to identify people and organisations that will book our artists’ work, hire our spaces, etc.
- Networking – making and developing relationships with key professionals in order to further the reach of Artsadmin’s activity. This may include face-to-face (conferences, events, seminars, etc), telephone, email and other methods.
- B2C Marketing – Business to consumer marketing is the online and offline activities that attract customers and audiences to attend events, performances and exhibitions, and purchase food/drink – including but not limited to: social media, website, video, brochures, email newsletters, listings, posters, fliers and word of mouth.
- Fundraising – the process of gathering voluntary contributions of money or other resources, by requesting donations from individuals, businesses, crowdfunding charitable foundations, or governmental agencies.
This data protection policy is primarily concerned with our audiences, such as ticket buyers, visitors to Toynbee Studios and workshop attendees, which we call our B2C relationships. Here is how we define our B2B and B2C relationships:
Professionals: promoters, presenters, partners, staff
Artists: produced artists, supported artists, mentored artists, performers at Toynbee Studios
Hirers: clients and tenants who use our spaces at Toynbee Studios
Suppliers: the third party companies and people we buy services from, e.g. production managers, printers, cleaners, consultants
These communications include but are not limited to:
- Print: Portfolio, What’s On (Touring), annual report
- Digital: touring email, targeted promoter emails, project pages on website
- In person: professional networking, conferences and events.
Audiences: public audiences that buy tickets or attend free events (and their guests)
Customers: café customers
Visitors: attending meetings, rehearsals; visitors/participants to events held by hirers; social media followers and email list subscribers; Wi-Fi users
These communications include but are not limited to:
- Print: What’s On brochure (Toynbee Studios), event flyers
- Digital: Toynbee Studios events email, event pages on website, Wi-Fi login
- In person: Front of House, box office, customer service (café and studios)
The personal data that we process and store
This is the kind of personal data we may store about an individual, such as employees, ticket buyers, applicants and artists we work with:
- Name, address, email and phone contact details
- Communication contact preferences
- Details of any disability
- National Insurance Number
- Tax Code
- Employment references
- Employment history
- Employment contract
- Personal ID (Passport)
- Pay rate
- Absence details - annual leave, sickness, maternity/paternity leave, compassionate leave, lateness
- Details of accidents and incidents at work
- Education and qualifications
- Disciplinary action
- Termination of employment
How we collect, process, protect and dispose of data
How we collect data
- We collect data via email, CVs and our online application portal for recruitment or applications to open schemes for bursaries, commissions, awards, grants and other opportunities for artists.
- We collect data for online marketing, if you have opted in, through email newsletter subscription via Mailchimp form on our website, our online ticket booking system, ticket booking transactions over the phone or sign-up sheets at box office, or via or personal request. A link to our privacy statement will be visible at data collection point (for example when you opt in to receive a newsletter or buy a ticket for one of our events) and include opt-ins for receiving future communications from Artsadmin and/or a third party (artist, company).
- We collect data for artists and organisations we work with via our CRM (Customer Relationship Database).
- We collect data on social media. Depending on your settings or the privacy policies for social media and messaging services like Facebook, Instagram, YouTube, Soundcloud or Twitter, you may give us permission to access information from those accounts or services.
- We collect data for fundraising if an individual has opted in when they sign up to our newsletter via our website, when donating via CAF or Spektrix, face-to-face or by personal request. JustTextGiving collect mobile phone numbers if an individual has opted in.
- We collect data for our education work. The data of individuals under 18 years old will only be kept after signed consent from parent, legal carer or guardian. Employees working one to one with individuals under 18 year olds or vulnerable adults require a DBS. When working in partnership with an institution such as a school, we work in line with the institution’s individual DBS policy in addition to our own policy of not allowing staff without DBS to work one to one with children or vulnerable adults at any time. When working in criminal justice settings such as prisons or youth offending institutes we are strictly forbidden to collect any personal data as this would be a security and confidentiality breach.
- We collect employees’ data via email, post, paper employment forms such as contracts, passport, emergency contact form and payroll information.
- We may encrypt sensitive data (documents and mobile devices) to ensure it safely stored or shared.
A cookie is a small data file that is downloaded on to ‘terminal equipment’ (like a computer or smartphone or other device) when you access a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.
You can change your browser settings to remove, block or withdraw your consent for cookies at any time. But in some cases this may impact on your ability to use our website. Browsers recognise different types of cookies and allow you to treat them differentially, as desired. There are two main types of cookies, first and third party: First Party Cookies are those set by the website you are viewing. Third party cookies are set by other sites; for example if a video has been embedded from YouTube, YouTube may set a cookie of its own.
Cookies can also last for different durations. Session cookies last until you leave the site, others may last for days or months so the site can recognise you and your preferences on subsequent visits.
We use a number of different cookies on the Artsadmin website (www.artsadmin.co.uk), these are:
- necessary cookies that are essential in helping users to move around the website and use its features such as events bookings;
- performance cookies, that collect information about how users use the site, such as which pages are the most visited. These cookies collect anonymous information only and we only use any information to improve the site.
- Spektrix (for buying tickets or merchandise online)
The cookies we add to the website are: (Google analytics): _ga, _gid (Website session): PHPSESSID
How we process and protect personal data
- We store personal data on recruitment or applications to open schemes for bursaries, commissions, awards, grants and other opportunities for artists on our secure application portal.
- We store and process personal data for B2C audiences and fundraising, such as email addresses, postal addresses, phone numbers and interaction history, on Mailchimp, our CRM database, our box office system, and our online donation software.
- We store our employee’s emergency contacts, pension and health cash plan securely on our servers, and process payroll information for HMRC.
- Any personal data relating to finance is held in our accounting software, protected digital files on our server and secure paper filing.
- We analyse data and share anonymised data with third parties and trusted partners for reporting purposes, for example our reporting to Arts Council England and other funders.
- Staff and freelancers who use their own devices for work purposes and connect to our server are informed of our Data Projection Policy. We assess the security of these devices, use encryption where necessary, and we give staff training on how to ensure they are secure.
- Our IT software and systems are regularly monitored and updated to ensure maximum virus protection and security. Staff are trained to identify suspicious emails or attachments, particularly from any hitherto unknown or otherwise untrusted sources, and to notify our DPO and staff responsible for IT about any potential risks.
How we dispose of data
We will keep your information only for as long as is reasonably necessary for the purposes set out in this privacy notice and to fulfil our legal obligations. We will not keep more information than we need. The retention period will vary according to the purpose, for example:
- We delete all unsuccessful applications for jobs for 6 months after the application deadline.
- We delete all unsuccessful applications for artists’ grants and support, such as Artsadmin’s Artist Bursary Award and Unlimited, within 18 months after the application deadline.
- We ensure that any individual artist we advise has given us consent to store their data on our CRM database.
- We delete unsolicited CVs sent to us by email or by post.
- Inactive or bounced email addresses are removed from Mailchimp through automated data cleansing.
- Every email we send to individuals via Mailchimp includes details on how to change your communications preferences or unsubscribe from future communications. You can unsubscribe or adjust your settings to opt in to the communications they want to receive.
- We keep minimal contacts on freelancers with whom we have a business relationship with as long as is reasonably necessary.
- We keep employee records and payroll information in line with our statutory and legal obligations.
Staff are trained in best practices of securely disposing of printed personal or sensitive data. We shred or safely dispose of printed materials. Content is erased from USBs, CDs, hard-drives and other forms of electronic data storage media, and the storage device is physically destroyed.
Personal data breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach could be accidental and deliberate.
- We have data breach detection, investigation and internal reporting procedures in place to ensure any breaches of personal data are dealt with and resolved as quickly as possible.
- Artsadmin will report to the ICO about certain types of personal data breaches within 72 hours of becoming aware of the breach, where feasible. A summative report will in due course also be sent to The Charity Commissioners for their information once any investigation has been conducted.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will also inform those individuals without undue delay.
- We keep a record of any personal data breaches.
- We have cyber security insurance to protect us if a breach should occur.
Collaboration is one of Artsadmin’s core values. We collaborate with artists and organisations on a regular basis and we will only share your data when you have given consent or opted in.
Artsadmin’s policy is to check that all our third party suppliers who have access to personal data operate in line with GDPR. We have agreements and contracts in places with artists, partners and service providers to ensure that data is secure. Artsadmin is not responsible for the privacy notices and practices of third parties.
Artsadmin may include information about events and projects by third parties (such as organisations we collaborate with, have toured work to or have presented work by) in our marketing promotion via email newsletters and on social media.
Roles and responsibilities
Artsadmin’s Board of Trustees recognises its overall legal responsibility for data compliance. Day-to-day responsibility for Data Protection is delegated to a nominated Data Protection Officer, currently Mwiza Mkandawire. The main responsibilities of the Data Protection Officer are:
- Ensuring that Data Protection training takes place for all staff as part of their induction and that all existing staff receive training;
- Briefing the Board on Data Protection responsibilities as required;
- Reviewing Data Protection and related policies and processes annually unless otherwise stated;
- Advising staff on Data Protection issues;
- Keep Artsadmin’s notification with the Information Commissioners Office up to date;
- Handling any Subject Access requests;
- Approving unusual or controversial disclosures of Personal Data;
- Working with the Head of Marketing and Development to ensure that our Data Protection policies and processes are visible on our website and communicated to our audiences;
- Approving contracts with Data Processors.
All managers of departments/teams and functional areas have the following responsibilities:
- Assisting the Data Protection Officer in identifying aspects of their area of work that have Data Protection implications so that guidance can be provided as necessary;
- Ensuring that their operational procedures take full account of Data Protection requirements;
- Including Data Protection and confidentiality in staff induction and training (for temporary staff and volunteers as well as permanent staff).
All staff are responsible for understanding and complying with the procedures that Artsadmin has adopted in order to ensure Data Protection compliance. This is also the case for freelancers contracted to work for Artsadmin on a project or longer-term basis, with access to data and information stored on our servers.
Subject Access Request Forms
Subject access request refers to the right that individuals have to see a copy of the information an organisation holds about them. You can read more about Subject Access on the Information Commissioner's Office’s (ICO) website.
If you want to know the information that Artsadmin holds about you, you can find out more about how to do that on the ICO website.
Please submit to firstname.lastname@example.org with the email subject line “Subject Access Request”. In line with GDPR:
- Artsadmin will respond within 40 days of the date on which the request is received.
- We can refuse or charge for requests that are manifestly unfounded or excessive.
- If we refuse a request, we will explain to the individual why, without undue delay and at the latest, within one month, and that they have the right to complain to the supervisory authority and to a judicial remedy.
- We will charge up to £10 to administer Subject Access Request Forms to cover any overheads such as staff time, printing and postage.
- We will need to verify your identity before the request will be considered and acted upon. We require level 2 identity proofing for any subject access requests – such as a passport and driving license as well as an utility bill.
For more information on right of access, please refer to the ICO website.
The Right to be Forgotten
Individuals have the right for their personal data to be erased; it is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing. Artsadmin will have one month to respond to a request.
We will implement The Right To Be Forgotten if the data subject requests it and will provide evidence of deletion where possible. For more information on the right to be forgotten, please refer to the ICO website.
Updates to this policy and further information
This policy was last updated on 16 May 2018. We review our policy annually and any updates are posted on this page. We may inform you about any changes that are relevant to you.
Artsadmin has the following related policies and documents, which you can request to see:
- PCI Compliance Security Awareness Programme
- Tech Security and Usage Policy
- Digital Policy
You can find further information on data protection regulations and laws here: