CONTACT & CONTROL
For the purposes of this policy, the Artistic Director will act as the Data Controller, Information Asset Owner (IAO) and Senior Information Risk Owner (SIRO). The contact details for the Artistic Director are: firstname.lastname@example.org / 07973 252751 or by writing to Together! 2012 CIC, 90A Tudor Road, London E6 1DR. Together! 2012 CIC is not required to have a Data Protection Officer; requests for access to data should be made via the Artistic Director.
All Directors and Project Workers are responsible for ensuring that the Data Protection Policy is embedded in their own work and that other Team members adhere to this, in consultation with the Artistic Director.
DATA HELD BY TOGETHER! 2012 CIC
Together! 2012 CIC holds the following data assets:
- Mailchimp mailing list (cloud storage & handwritten forms on file)
- NEWDAN mailing list (hard drive)
- Disabled Filmmakers mailing list (hard drive)
- Support workers mailing list (hard drive)
- Regular participants text list (phone and cloud)
- Twitter subscribers to @ukdpctogether and @disabilityfilm (cloud storage)
- Contact and payment details for workers and suppliers
- Photos, films and videos (hard drives and website)
- Documentation of past events (hard drives, filing cabinet and website)
- Participants’ feedback forms (filing cabinet)
- Notes (hard drive and filing cabinet)
- Internal and external meeting minutes and papers (hard drive and filing cabinet)
- Email correspondence (cloud storage and hard drive)
- Postal correspondence (filing cabinet and hard drive)
- Art work by participants (in art store and on walls)
We use this data to develop, market and promote our organisation and its services and activities and make it more effective; raise funds; process payments; and document our history. We also use this data to protect the welfare of our participants e.g. by holding an emergency contact number.
We hold data on the following categories of individuals:
- Together! 2012 CIC Team members including Directors, Project Workers and Volunteers [contact details, payment details, access requirements, employment records, equality monitoring forms]
- Support workers including Sign Language Interpreters and Palantypists [contact details, payment details, employment records]
- Regular participants in our year-round Clubs creative workshop programme for Disabled people [contact details, access requirements, equality monitoring forms]
- Audience members (anonymised)
- Disabled artists [contact details, payment details, access requirements, records relating to exhibitions, performances and employment]
We also hold data on funders, commissioners and other arts and Disabled People’s organisations.
We only share data that has been anonymised and that is required by funders and other public bodies.
We process data in the following situations:
- Adding and deleting email addresses from our Mailchimp and other email lists in response to requests
- Corresponding with individuals and organisations
- Creating and developing policies and practices
- Creating and filing records of our events and activities, including placing records on our website, Facebook page and YouTube channel
- Entering participants with their consent for qualifications and awards including related correspondence
- Providing required information for potential and actual funders
- Promoting the creative output of participants through exhibitions, publications and online.
ACCESS TO DATA
Access to data held in clouds, hard drives and on file is restricted to Directors, Directors’ assistants and Project Workers on a need-to-know basis. The Artistic Director must be consulted first if there is any doubt about the right of a Team member to access data.
All forms of data collection must be risk-assessed on an ongoing basis for possible breaches.
New forms of data collection and any request to share data must be preceded by a Privacy Impact Assessment (PIA). This should be carried out by the Artistic Director or in consultation with the Artistic Director. The General Data Protection Regulation (GDPR) should also be checked for specific regulations relating to new forms of data collection and use.
The Together! 2012 CIC Community Advisory Board must be consulted about new forms of data collection when data subjects are locally based Disabled people, so that all privacy risks are appropriately considered. This might include but is not restricted to discussing the issue at meetings, or circulating draft forms to members.
When collecting data using photography, video and other forms of documentation, at least one of the following actions must be implemented to ensure consent and respect for privacy:
- At the beginning of the event, ask verbally if anyone is uncomfortable being photographed, and arrange to exclude them or remove them in editing. If removed in editing, the original file must be deleted.
- If the event involves people moving around a lot, offer them a red sticker for their clothing at the entry point to make it easier for photographers and filmmakers to avoid individuals.
- Place a sign (usually kept with the Together! 2012 CIC Information crate) in a prominent position to alert people to the presence of photographers and to tell them what to do if they do not want to be included in the documentation.
In addition, photographers and filmmakers should be briefed to avoid a) unnecessary footage of audience members; b) unnecessary close-ups of audience members.
For data collection using feedback forms, Team members must ensure that participants and audience members clearly understand this is an optional activity and they do not need to take part. Under-18s will only be asked to complete forms in the presence and with the permission of their parent or guardian.
Personal data will only be collected where relevant and will be limited to what is necessary e.g. to ensure that we have contact and emergency contact details for participants; to meet funders’ requirements; to provide information to qualifications authorities; or to assist with advocacy and support.
When the data that is being collected will be shared with funders or other relevant third parties, and/or if it contains personal information about ethnicity, religion, health status etc., this must be made clear to the data subjects and consent obtained. This may include offering the subject a Privacy Notice to read and sign. Another appropriate means of communication must be used if this does not meet the subject’s access requirements, or if there is any doubt about consent being fully informed.
Team members must not use personal email addresses to send or receive communications on behalf of Together! 2012 CIC. Anyone who needs to communicate on behalf of Together! 2012 CIC, including volunteers, will be provided with an official email address. Team members must ensure that their email password is secure and is not shared.
Community Advisory Board (CAB) members and Non-Executive Directors must treat all communications from Together! 2012 CIC as confidential. Data provided should be deleted from hard drives, and printed materials returned, if a CAB member or Non-Executive Director resigns. All CAB members and Non-Executive Directors must read and adhere to the Data Protection Policy, including reformatting all drives which have contained data from Together! 2012 CIC before disposing of them.
Team members must check that cloud providers, printers or other data processors are GDPR compliant before contracting them. This includes confirming where the data is held geographically – clouds and servers in the European Economic Area (EEA) will be GDPR compliant, but countries considered to be unsafe under the GDPR include the United States.
USE OF DATA
All data provided to funders and similar bodies will be anonymised. However, the nature of our participants means that they may still be identified from the data. Funders also ask for information that is protected under Article 9 of the GDPR, such as data relating to cultural background and health status. This means that anonymised information should still only be provided to third parties on a need-to-know basis, and with a guarantee that the data will be destroyed as soon as possible.
Together! 2012 Gallery customers, and potential clients of the Together! 2012 Consultancy who have initiated contact, are assumed for the purposes of this policy to have consented to have their data processed. However, this data cannot be used for other purposes unless they have explicitly agreed to this too e.g. to promote the artistic programme. Contact and sales forms should be designed with this in mind.
Team members must not use profiling other than third-party analyses, e.g. The Audience Agency profiles of local audiences’ cultural interests, or Google Analytics to learn more about website visitors.
If a Team member needs to make first contact with an individual in the legitimate interests of the organization, and the individual is not representing an organization* themselves, then communication must be in writing, not electronic. If an address is unknown, look for an organizational alternative, e.g. contact an artist’s agent if you don’t have a postal address for the artist. However, individuals who advertise their contact details online are deemed to have consented to first contact.
* Sole traders and unregistered partnerships are not included in the definition of ‘organization’ for the purpose of this policy.
TRANSPARENCY & ERRORS
All data subjects* have the right to see the data that we hold on them and to correct it if they feel it is inaccurate. Requests should be made to the Artistic Director on email@example.com / 07973 252751, or by writing to Together! 2012 CIC, 90A Tudor Road, London E6 1DR.
*If the data subject is under the age of 18, we will assess the age and maturity of the young person in terms of their ability to make an informed request, taking account of the Gillick vs West Norfolk case. The online age of consent for service provision is 13.
Data must normally be supplied to the data subject for free within 30 days in an electronic format, or in any alternative format requested by the subject for accessibility reasons. Subjects must provide appropriate ID, e.g. a passport or driving licence, or if this is not possible, two from the following: a travel pass, household bill, bank statement or bank card or similar. However, if the subject is already known to Together! 2012 CIC, requests for ID should be waived. The need to confirm ID must never be used as a reason to delay responding to a request.
Since data relating to regular participants and Team members appears in a variety of different settings, it is important to find out whether the subject has a particular aim in mind, so that the data search can be appropriately focused. However, no pressure should be placed on the data subject to agree to this, rather than attempting to trace all relevant data. NB: if the effort is disproportionate to the request, we are able to charge the data subject, but this should only be as a last resort.
If the request is made by a third party on behalf of a vulnerable adult, every effort must be made to ensure that the individual has consented and that the person making the request has the right to do so. The Mental Capacity Act makes it clear that capacity must be judged on a case-by-case basis, so if, for example, a participant does not want their data released to a third party who claims to be acting for them, such as a relative, a detailed assessment must be made about their capacity first. In this case, the Chair of the Community Advisory Board (CAB) and the Chair of Together! 2012 CIC will form a committee with the Artistic Director.
When data subjects identify that the data we hold on them is incorrect, this should be corrected as soon as possible: ideally within 7 days; and always within 30 days. The use of any data that is disputed must be suspended, and access restricted until the matter is resolved.
All data relating to Together! 2012 CIC must be deleted from personal phones and computers as soon as possible after use, and always before leaving the organization. The organization’s own computers and phones should be used by Team members wherever possible in preference to personal equipment.
All hard drives including USB sticks which have been used for Together! 2012 CIC business must be reformatted before being disposed of, including for recycling.
Human resources and tax records should normally be deleted after 6 years. However, if a team member is still in post, the benefits and disadvantages of deletion should be discussed with them first, and the records retained if they consent.
If there are any disciplinary issues recorded, then whether or not a Team member has left, the Artistic Director must also consider whether the records may have historical importance before deleting them e.g. if the issue is likely to become ‘live’ again in the future or may affect future references.
Information collected for advocacy purposes should not normally be kept for more than 6 years, but should not be destroyed if it may relate to future advocacy requests.
Mailing lists should be refreshed periodically as resources allow e.g. by asking recipients to opt back in; by deleting subscribers who have not opened their emails for a significant period of time; or by deleting buyers or sellers from the Together! 2012 Gallery data if they have not been active for a significant period of time. There must be no means by which people returning to these lists can be identified as being past data subjects.
Data subjects also have the right to have their data deleted. If this impacts on the organization, for example because historical records will be affected, then we will discuss whether the data falls into the exempt category. However, all efforts must still be made to comply with the data subject’s wishes, for example by masking faces in group photographs on the website. Requests should be made to the Artistic Director on firstname.lastname@example.org / 07973 252751 or by writing to Together! 2012 CIC, 90A Tudor Road, London E6 1DR.
No data should be deleted unless the relevant Team member has checked that it is legal to do so. Some data must be retained by law.
DIRECT MARKETING COMMUNICATIONS
No direct marketing materials can be sent out to organisations or individuals who have not consented first. This includes communications by email, postal materials, Twitter DMs and texts. ‘Cold calling’ by phone to promote our activities is also forbidden. Consent would involve filling in a relevant print or online form; checking a specific box on a relevant print or online form; or making a specific request in person or by phone, text or email to receive marketing materials.
DATA POLICY BREACHES
Misuse of data by Team members, including unauthorized access to data, will be treated as a disciplinary offence, and also reported to the police if the misuse is potentially criminal.
All breaches of this policy, however minor they may appear to be, must be reported by Team members within 72 hours to the Artistic Director. The Artistic Director will investigate, take what action they can to manage and mitigate the breach, and decide if a report is required by the Information Commissioner’s Office (ICO). Breaches include but are not limited to: losses or thefts of phones, laptops and files; failure of passworded security; and sending letters or emails to the wrong people.
If the Artistic Director is unavailable, the Chair should be consulted. If there is any doubt about whether a report is required, it should be sent directly to the ICO within 72 hours. ICO reports must include full details including action that has been taken to mitigate the breach. https://ico.org.uk/global/contact-us/
All breaches will be reported to the Board by the Artistic Director at the earliest opportunity, with a full report of the actions taken.
If there is any risk to their rights and freedoms, the subject of the data breach must also be informed without delay. (This will be unnecessary if the data is encrypted.) They must be provided with details of the incident; the action that is being taken to mitigate the breach; and the contact details of the Artistic Director.
If contacting data subjects affected by a breach would create a ‘disproportionate’ effort, e.g. the breach is minor but affects a number of subjects, then notification can be made via our website instead. This announcement would normally be placed on our Twitter stream @ukdpctogether, which is then embedded on our News page.
We will normally use the latest templates available on the Information Commissioner’s Office website when creating forms relating to this policy. However, data subjects are able to make a request without using an official form, and the issuing of forms should never be used as a reason to delay responding.
MONITORING AND REVIEW
Appropriate training will be provided for new workers, and refresher training provided periodically.
The Data Protection Policy will be monitored on an ongoing basis and reviewed annually by the directors to ensure that it remains fit for purpose, and will be updated as necessary. Last reviewed March 2018.