Data Protection and Privacy Policy
Data Protection Policy
Created on: Tuesday 21 July 2020 (reviewed yearly)
Next date to be reviewed on: Wednesday 21 July 2021
Patricia Verity Suarez is a Movement Director and Artist based in Teesside.
Developing a better understanding of my customers, collaborators, partners and supporters through their personal data allows me to make better decisions about the work I make, fundraise more efficiently and, ultimately, helps me to reach my audience.
Patricia Verity Suarez is committed to ensuring the data processed remains safe and secure.
This policy has been written in line with legislative change, including both the Data Protection Act (1998) and the EU’s General Data Protection Regulation (GDPR).
Patricia Verity Suarez (the data controller) needs to collect, store and use (data processing) information (personal data) about individuals (data subjects) in order to effectively deliver our organisational aims, commitments and legal obligations. Some of this data might be sensitive data for example about an individual’s ethnicity or religion (special category data) to provide information to funding bodies for statistical purposes. This data is always provided to third parties as quantified data (i.e. cumulative numerical data only with no identifying information relating to any data subject).
I may also need to pass on data to other organisations for specific purposes (data processors). In the rare instance that a data processor other than Patricia Verity Suarez is used, such as a third party, the data subject will either be asked for consent prior to supplying the data or be notified and have the right to object to processing.
This may include information on audiences, participants, staff or other organisations with whom I work.
Patricia Verity Suarez has determined the lawful reasons with which it processes personal data:
Legal obligation – GDPR Article 6(1)(c)
Legitimate interest – GDPR Article 6(1)(f)
Contract - GDPR Article 6(1)(b)
This policy sets out how I will do this in a way which ensures I comply with current data protection legislation and protects the rights and privacy of the individual. It also discloses who has access to the data and how long I retain information for, and explains data subjects’ rights in relation to data held by Patricia Verity Suarez, including access, rectification and erasure.
Distribution:
To be displayed on the Patricia Verity Suarez website
This policy will be sent directly to members of the public on request
Confirmation of receipt of information - Signed statement from recipient to be held on file
Organisational Responsibilities
Under the General Data Protection Regulation (GDPR) 2018 I have a legal responsibility to ensure that data is processed lawfully, fairly and in a transparent manner in relation to individuals. I must ensure that personal data I hold is:
Collected for specific, clear and legitimate purposes and only used in the ways which were specified when the data was originally collected.
Relevant and limited only to the data that I need.
Accurate as far as is reasonable and kept up to date where required.
Only kept for as long as is necessary and securely destroyed afterwards
Processed securely
And that as an organisation I can demonstrate compliance with these principles.
Staff Responsibilities and Training
Patricia Verity Suarez is the lead member of staff for Data Protection, but all staff have a responsibility to ensure that the processes laid out in this policy are observed. All staff should read this policy carefully and raise any questions with the Data Protection lead to ensure they are clear on their responsibilities.
To ensure an effective whole-organisation approach to data protection I will:
Provide a data protection briefing on induction and detailed training on any aspects relevant to a particular role for staff and trustees, for example within box office or marketing
Provide briefings to volunteers collecting or handling data, for example mailing list sign ups or evaluation forms
Undertake staff training every two years
Keep up to date on legislation through the Data Protection lead and provide briefings when there are significant updates or changes to legislation
Recording and Reviewing Data Processing and Compliance
I have carried out a data audit which will be reviewed annually. This details:
What personal data I process
Why I process it
How I have communicated this information to the data subject
Whether this is special category data
Confirmation that this is the minimum data required to complete the task
How the data is kept securely
How long the data is held for
How the data is checked for accuracy and kept up to date
Any actions required
Regarding reasons for processing, GDPR sets out 6 reasons why data may be processed. These are:
Consent (when a data subject gives consent)
Contract (in order to be able to deliver or enter in to a contract)
Legal obligation (where the law requires it)
Vital interests (to protect someone’s life)
Public task (to perform a task in the public interest or for official functions)
Legitimate interests (necessary for your legitimate interests unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests)
Where consent is given the data audit will also record for that particular type of data:
How consent is given and where this is recorded
How people can as easily withdraw their consent, for example by unsubscribing
After each review, individual staff members will then be briefed as to their responsibilities and the actions needed relating to different data.
In addition to the above, where I am collecting sensitive data, I must also meet one or more additional criteria to have a reason to process the data. Those that are relevant to my work include:
The individual whom the sensitive personal data is about has given explicit consent to the processing.
The processing is necessary so that I can comply with employment law.
The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.
I will also carry out an audit of third party processors which details:
the type of data shared
the reason for sharing it
how data is transferred securely
how we know the processor complies with data protection law
that the processor does not transfer data outside of the European Economic Area (EEA) or, if it does, that its data protection is at least equal to that of companies inside the EEA (e.g. ISO certificate or US Security Shield), and how data subjects are informed of this
any actions needed
GDPR compliance should be demonstrated through contracts with third party processors, for example specifying how data will be kept securely included in terms and conditions for mailing list software used or specific data protection clauses included in contracts with external payroll companies.
What Information Do I Collect?
You give me your information via my website’s Contact Us page or by communicating with me. I may also keep your details when you sign up to receive emails from me.
The information I hold about you may include:
Your name
Postal address
Telephone number
Email address
Billing information
Donation history
Your preferences for how I communicate with you about our activities
Information that is available publicly
CV or artist biography
Medical information
I keep a record of the emails I send you, and I may track whether you receive or open them so I can make sure I am sending you the most relevant information
Actions and Compliance
The data audit details actions specific to individual types of data processing. The following actions for compliance underpin this but should not be seen as exhaustive. Staff should take responsibility for ensuring a data audit is carried out, with the support of the lead, when new forms of data are collected and new technologies are implemented.
How Do I Use Your Data?
Your data is used to select and inform you of relevant events or activities I think may be of interest to you, as well as opportunities to support my work. I use your data to:
Respond to information you have asked for
Keep a record of your relationship with us
Ensure we know how you prefer to be contacted
Occasionally undertake customer research to help me understand how I can improve my services or information
Tell you about changes in my services or new services, events, offers and opportunities to support me that I think you’ll find of interest
Process call out application submissions for my events based on project criteria
Staff
It is my legal obligation to collect the personal data of staff (contracted freelancers) in relation to their employment. This is due to Legal Obligation (GDPR Article 6(1)(c)) and/or Contract (GDPR Article 6(1)(b)).
Should I be unable to process staff’s data, I would be contravening UK Employment law.
Staff Personal Data
Full name
Contact details
NI number
UTR number
Bank details (Bank details are deleted after the action concerning them is complete)
Marketing
Ensure privacy policies are up to date and compliant
Ensure mailing list sign up statements follow requirements for unambiguous, specific and, where possible, granular options, e.g. choosing what they receive information on and by what methods (phone, email, etc.)
Ensure an audit is carried out for any third party processors used e.g. mailing software
Ensure the legal basis for direct marketing, either by legitimate interest or consent, is clearly established, recorded and appropriate actions taken
Ensure consent can be clearly given by an affirmative action and as easily withdrawn
Participation
Ensure young people’s data is only processed with their guardian’s consent
Ensure young people’s data is only shared on a need to know basis e.g. medical information with workshop tutors
Ensure all freelancers, tutors and volunteers are briefed regarding their data protection responsibilities regardless of how short their contract is
Ensure young people’s data is kept securely during practical sessions e.g. permission forms during a workshop
Box Office
Ensure terms and conditions for box office use reflect current data protection legislation and are available to the customer
Ensure mailing list sign up options include clear, compliant information being given to the customer regardless of ticketing method e.g. online, by ‘phone or in person.
Ensure third party ticketing systems are audited and compliant
Ensure data sharing agreements with third parties e.g. project partners, are effectively implemented with information being shared with customers at point of collection and an audit carried out
Operations
Ensure website privacy policy and cookie policy is clear and compliant and online providers have been audited
Ensure audits, staff training and briefings are carried out
Ensure IT policies are in place and compliant and staff are briefed
Ensure IT software and hardware is audited and offers sufficiently robust security
Ensure procedures are in place for responding to data breaches, subject access requests, data portability and requests for the right to be forgotten and to support staff in responding to such requests
Ensure data is updated as soon as inaccuracies are discovered e.g. if you receive an email bounce back
Ensure unnecessary duplicates of data are not created e.g. multiple versions of a mailing list
Ensure copies of personal data are not made on to personal computers
Use strong passwords and password protect files and lock screens for computers that contain personal data
Storing Data Securely
The data audit will include an audit of how each type of data is secured. General practice should include:
Use of locked filing cabinets or similar where data is stored on paper, memory sticks or other physical items
Shredding of paper data that is no longer required
Computer log in passwords that are strong, not shared and changed regularly
Restrictions on access levels and use of passwords where data is stored on a cloud based system or network
Only using third party processors, which includes cloud based systems, where this has been audited and agreed
Not saving data to personal computers, mobile ‘phones or similar devices
Where data held is special category data, this should be noted in the data audit and security measures interrogated to ensure they are sufficient.
The website (www.patriciaveritysuarez.co.uk)
This website and its owners take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of its users throughout their visiting experience. This website complies with all UK national laws and requirements for user privacy.
Cookies
The website www.patriciaveritysuarez.co.uk is hosted by Squarespace who collect cookies to run the site effectively and provide the best experience for visitors. The cookies also collect information on my behalf about how visitors interact with my site.
Information about the cookies Squarespace use can be found here: https://support.squarespace.com/hc/en-us/articles/360001264507
Personal information
Whilst using my website, software applications or services, you may be required to provide personal information (name, address, email, account details, etc.). The information is used to administer the website, applications, client databases and marketing material. I will ensure that all personal information supplied is held securely in accordance with the General Data Protection Regulation (EU) 2016/679, as adopted into the law of the United Kingdom in the Data Protection Act 2018. Further, by providing telephone, fax and email details, you consent to Patricia Verity Suarez contacting you using that method. You have the right at any time to request a copy of the personal information I hold on you. Should you wish to receive a copy of this, or would like to be removed from my database, please contact me at patriciaveritysuarez@googlemail.com
How do we collect information?
Patricia Verity Suarez collects information in two possible ways:
a. When you directly give it to me (“Directly Provided Data”)
When you sign up for the site, purchase our products or communicate with us, you may choose to voluntarily give us certain information – for example, by filling in text boxes or completing registration forms. All this information requires a direct action by you at that time in order for me to receive it.
b. When you give me permission to obtain from other accounts (“User Authorised Data”)
Depending on your settings or the privacy policies for other online services, you may give me permission to obtain information from your account with those other services. For example, this can be via social media or by choosing to send your location data when accessing the website from your smartphone.
How long do I keep your data for?
Patricia Verity Suarez will not retain your personal information longer than necessary. I will hold onto the information you provide as needed to be able to provide the Services to you, or for as long as is necessary to provide support-related reporting and trend analysis only.
If legally required or if it is reasonably necessary to meet regulatory requirements, resolve disputes, or prevent fraud and abuse, I may also retain some of your information for a limited period of time as required, even after you have closed your account or it is no longer needed to provide the Services to you.
Registration forms
Patricia Verity Suarez will not sell or rent your personally identifiable information, gathered as a result of filling out the site registration form, to anyone.
Choosing how I use your data
I understand that you trust me with your personal information and I am committed to ensuring you can manage the privacy and security of your personal information yourself.
With respect to the information relating to you that ends up in my possession, and recognising that it is your choice to provide me with your personally identifiable information, I commit to giving you the ability to do all of the following:
You can verify the details you have submitted to Patricia Verity Suarez by contacting our Data Protection team by emailing patriciaveritysuarez@googlemail.com. My security procedures mean that I may request proof of identity before revealing information, including your e-mail address and possibly your address.
You can also contact me by the same method to change, correct, or delete your personal information controlled by Moving Art Management regarding your profile at any time. Please note though that, if you have shared any information with others through social media channels, that information may remain visible, even if your account is deleted.
You are also free to request the removal of your details from Patricia Verity Suarez’s database at any time by emailing movingartmanagement@gmail.com. However, I may retain archived copies of your information as required by law or for legitimate business purposes (including to help address fraud and spam).
You can always feel free to update me on your details at any point by emailing patriciaveritysuarez@googlemail.com.
You can unsubscribe from receiving marketing emails from me by replying with the subject line or main body text OPT OUT. Once you do this, you will no longer receive any emails from us. Please allow up to 7 days for this request to be activated.
You can request a readable copy of the personal data I hold on you at any time. To do this, please contact us by emailing patriciaveritysuarez@googlemail.com. Please note, I am constantly reviewing how I process and protect data. Therefore, changes to my policy may occur at any time. I will endeavour to publicise any changes.
Third parties
There are certain circumstances under which I may disclose your personal information to third parties. These are as follows:
To my own service providers, partner venues or artistic collaborators who process data on my behalf and on my instructions, for example creating guest lists, or crediting images or programme notes. In these cases I require that these third parties comply strictly with our instructions and with data protection laws, for example around security of personal data.
MailChimp:
Patricia Verity Suarez uses a USA based company ‘MailChimp’ to provide newsletters and marketing via email. This is an optional process, which people consent to during the donation process. Data Subjects can opt-out and erase/rectify their record stored with MailChimp at any time.
Patricia Verity Suarez is satisfied that their GDPR regulations are thorough, and the information stored in MailChimp (email addresses) is secure. We have a processor contract in place, and copies are available upon request.
Breaches
In the event of a security breach, the Data Protection lead must be informed immediately. Depending on the circumstances of the breach, action will include:
completing an incident report
taking action to address the cause of the breach
taking action to minimise the damage that may be caused by this data not being kept securely
possible disciplinary action
If the breach is likely to result in a risk to people’s rights and freedoms, for example discrimination, damage to reputation or financial loss, it is mandatory to report a personal data breach to the ICO within 72 hours. The Data Protection lead will make this report. If a member of staff realises that they have been processing data in a way not compatible with the data audit or with the way in which it was originally collected they must also inform the Data Protection lead as soon as possible so a plan of action can be agreed.
Complaints:
Complaints in regard to the handling of any personal data can be made directly to Patricia Verity Suarez’s DPO: Patricia Verity.
Email: patriciaveritysuarez@googlemail.com
Telephone: +44 7800862897
Address: 180 Enfield Chase, Guisborough TS14 7LQ
If you feel that your complaint was not handled in the correct manner, or still have concerns, you may escalate the complaint by contacting the Information Commissioner’s Office (ICO).
ICO Telephone Number: 0303 123 1113
e-mail: mail@ico.gsi.gov.uk
Website: http://www.informationcommissioner.gov.uk