Arts and Gardens complies at all times with the requirements of the General Data Protection Regulation (GDPR) (EU) 2016/679.

This privacy policy covers the Arts and Gardens website at www.artsandgardens.org. Websites linked to and from this site are not covered by this policy.

Arts and Gardens as the data collector, may collect personal information from visitors to this site. This information is used only to respond to enquiries and to monitor site usage. Email addresses received as part of an enquiry are only retained as long as the enquiry remains open.

By submitting your data you consent to the use of that information as set out above.

Where personal data is requested through forms, such data is only used for the purpose stated on the form and will not be given or sold to any third parties.

The Personal Information you supply when you join one of our email lists will be held and used by Arts and Gardens to keep you up-to-date with our events and projects.

Each email we send you gives the opportunity to unsubscribe at any time, or you can ask us to do this by emailing us at info@nullartsandgardens.org

If you would like to amend the information you have provided or think that our records are incorrect, please email us at info@nullartsandgardens.org to update us.

Cookies and logging of IP addresses are used to enable Arts and Gardens to monitor site traffic and repeat visitor statistics. These statistics will not include information that can be used to identify any individual. Such information is anonymous and held on a temporary basis.

We use Google Analytics on the site that uses cookies to collect this sort of information. For more information on Google’s privacy policy, or to opt out of being tracked by Google Analytics on all sites please visit: https://tools.google.com/dlpage/gaoptout

We use a number of third party service providers on this site, some of which may set cookies on your computer when you use the facility.

For each providers’ privacy policies please see the below links:

Facebook: facebook.com/help

Twitter:  twitter.com/privacy

Vimeo: vimeo.com/privacy

The below sets out more detailed information about Arts and Gardens’ data management.

Arts and Gardens’ Data Management Policy

1.     Context and overview

Key details:

• Policy prepared by: Arts and Gardens’ management, referring to The Audience Agency guidelines
• Approved by the Board: 14^th May 2018
• Policy became operational on: 25^th May 2018
• Next review date: 25^th April 2019

Introduction:                                                                                             

Arts and Gardens needs to gather and use certain information about individuals.

These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.

Why this policy exists:

This data management policy ensures Arts and Gardens:

• Complies with data protection law and follows good practice
• Protects the rights of customers, staff and partners
• Is transparent about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach

Data protection law:

The General Data Protection Regulation (GDPR) applies in the UK and across the EU from May 2018. It requires personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals;

1. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes;
2. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
3. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
4. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals;
5. Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
6. The controller shall be responsible for, and be able to demonstrate, compliance with the principles.

2.     Who? People and responsibilities

Everyone at Arts and Gardens contributes to compliance with GDPR. Key decision makers must understand the requirements and accountability of the organisation sufficiently to prioritise and support the implementation of compliance. Key areas of responsibility are assigned, for clarity about who in the organisation is responsible for leading on compliance with the regulations, what training is required by whom, and how policy and procedural information is disseminated within the team. These responsibilities should include (but are not necessarily limited to):

• Keeping senior management and board updated about data protection issues, risks and responsibilities
• Documenting, maintaining and developing the organisation’s data protection policy and related procedures, in line with agreed schedule
• Embedding ongoing privacy measures into corporate policies and day-to-day activities, throughout the organisation and within each business unit that processes personal data. The policies themselves will stand as proof of compliance.
• Dissemination of policy across the organisation, and arranging training and advice for staff
• Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters
• Checking and approving contracts or agreements with third parties that may handle the company’s sensitive data
• Ensuring all systems, services and equipment used for storing data meet acceptable security standards
• Performing regular checks and scans to ensure security hardware and software is functioning properly
• Evaluating any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations
• Developing privacy notices to reflect lawful basis for fair processing, ensuring that intended uses are clearly articulated, and that data subjects understand how they can give or withdraw consent, or else otherwise exercise their rights in relation to the companies use of their data
• Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the GDPR principles

Data Protection Officer (DPO) – the person responsible for fulfilling the tasks of the DPO in respect of Arts and Gardens is Ruth Oakley, Director.

The minimum tasks of the DPO are:

• To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
• To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits
• To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc)

3.     Scope of personal information to be processed

Personal information processed by Arts and Gardens includes:

• names of individuals
• postal addresses of individuals
• email addresses
• telephone numbers
• online identifiers
• any other information relating to individuals
• This information is collected from Arts and Gardens’ MailChimp subscribers list and from social media platforms of Arts and Gardens’ followers on Twitter, Facebook and Instagram. Additionally, information is gathered in audience and participants’ surveys for Arts and Gardens’ projects.
• Arts and Gardens takes steps to ensure data is accurate, relevant to the purpose, not excessive, up-to-date and not kept for longer than is necessary. This is done through targeted, project-specific data capture through audience and participants’ surveys, where information is only gathered voluntarily and used specifically within the confines of that project e.g. for funding reports and evaluation.
• All contributors of information to Arts and Gardens will be given clear and accurate guidelines as to its use, along with personal preferences which allow people to opt in or out of particularly areas.
• Where sensitive special categories of personal information that Arts and Gardens to processes, enhanced measures are set in place to protect this information, and respect the rights and freedoms of the individuals to whom it relates. This includes locked and secure filing systems for hard copy information, ensuring records are destroyed where they are no longer relevant or in use, or where a project has been completed.  While digital information is kept secure through passwords use and never distributed online through email or transferred by USB key or other media.

4.     Uses and conditions for processing

Outcome/Use	Processing required	Data to be processed	Conditions for processing	Evidence for lawful basis
Newsletter emails	Mail-merge of name address details from MailChimp database	Name and email address details	Consent	Evidence of date consent given, how, permitted use and, permitted comms channels.
Audience and participation surveys	Written or online surveys completed by attendees or participants, used to inform project evaluation and reports.	Name, age, school, address details, personal comments.	Consent	Evidence of date consent given, how, permitted use and, permitted comms channels.
Photos and video documentation	Gathered during project delivery, used for marketing and publicity purposes, and to inform project evaluation and reports.	Photos and video footage	Consent.  Where a participant is under 16 years, parent or guardian consent will be obtained.	Evidence of date consent given, how, permitted use and, permitted comms channels.

5.     Privacy Impact Assessments

Privacy Impact Assessments (PIAs – also known as Data Protection Impact Assessments, DPIAs) form an integral part of taking a privacy by design, best practice approach, and there are certain circumstances under which organisations must conduct PIAs. At present Arts and Gardens does not conduct PIAs and this is subject to annual review, including the next Privacy Policy review on 25^th April 2019.

6.     Data Sharing

Arts and Gardens sometimes shares information gathered through audience and participants’ surveys and documentation, including; quotes, ages, addresses, photos and video footage.  This information sharing is only between Arts and Gardens’ and its direct project partners, where a partnership agreement is in place.  Express permission from individuals must be granted before any information sharing by Arts and Gardens.  The names of third parties, including a clear summary of their intended use for information, such as marketing and communication channels, promotion on website or social media, must be given to the individuals at the outset, after which they are able to choose whether to contribute information or not.

Individuals’ permissions will usually be a written or electronic form setting out the proposed use of information, for signed permission by the individuals, collected by Arts and Gardens, stored securely and destroyed once no longer in use.

7.     Security measures

Arts and Gardens has the following protection measures in place to protect the personal information stored:

• Subscriber lists are kept in log-in restricted accounts.
• Audience and participants’ hard copy surveys are kept filed and locked, and destroyed once a project ends and information is no longer in use.
• Arts and Gardens’ keeps all sensitive files and information under password encryption, with anti-virus software and firewall protection.
• Arts and Gardens’ conducts a policy of zero personal data transferred by email, online, by data key or in any form of transit.
• Hard drive back up is kept secured and locked, with all sensitive information secure password accessible only to Arts and Gardens’ key personnel only.

If a data breach has taken place, Arts and Gardens will ensure this is reported to the ICO within the required timescales, with related data deleted immediately, securely to avoid further risk of breach.

8.     Automated processing

Audience and participants’ surveys may from time to time be used to obtain datasets and profiling for use in project evaluation and reporting.  These surveys are always subject to consent from the individual, with a choice to remain anonymous or withdraw feedback or participation, at any time.

Third-party profiling tools are not presently used by Arts and Gardens.  Only voluntary information is used, given with consent by individuals directly to Arts and Gardens, and it is made clear to individuals how they can withdraw or unsubscribe if they no longer wish for this information to be kept or used.  Through ‘unsubscribe’ in the newsletters, or by contacting info@nullartsandgardens.org to request withdrawal of information.

9.     Subject access requests

All individuals who are the subject of data held by your company are entitled to:

• Ask what information the company holds about them and why
• Ask how to gain access to it
• Be informed how to keep it up to date
• Be informed how the company is meeting its data protection obligations

Individuals may contact info@nullartsandgardens.org for further information about subject access requests and this process.

10.  The right to be forgotten

Where subjects request and have the right to be deleted from our database, Arts and Gardens will do so without hesitation, ensuring all information is deleted across platforms including, but not limited to, contact details, addresses and any personal information held on secure record.  This will be done through Arts and Gardens’ subscriber database and any hard copies of personal information held securely.  Where a subject has been filmed and edited as part of a group for a project, and all participants have agreed to take part, the decision to discontinue the video’s use will be treated separately and subject to review.

11.   Privacy notices

Arts and Gardens aims to ensure that individuals are aware that their data is being processed, and that they understand:

• Who is processing their data
• What data is involved
• The purpose for processing that data
• The outcomes of data processing
• How to exercise their rights.

To these ends the company has a privacy statement, setting out how data relating to these individuals is used by the company.

Arts and Gardens’ updated privacy policy is available at www.artsandgardens.org

12.  Ongoing documentation of measures to ensure compliance

Meeting the obligations of the GDPR to ensure compliance will be an ongoing process. Arts and Gardens details here the ongoing measures implemented to:

1. Maintain documentation/evidence of the privacy measures implemented and records of compliance.
2. Regularly test the privacy measures implemented and maintain records of the testing and outcomes.
3. Use the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts.
4. Keep records showing training of employees on privacy and data protection matters.