The St Hugh’s Foundation for the Arts needs to gather and use certain information about individuals. These can include potential applicants, arts venues, arts organisations, suppliers and other people with whom the Foundation has a relationship or whom it may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the Foundation’s data protection standards – and to comply with the law.
The St Hugh’s Foundation for the Arts may change this Data Management Policy from time to time. You should regularly check this policy to ensure that you are happy with any changes.
Why this policy exists
We are committed to ensuring that the privacy of your data is protected and to being transparent about the information we hold about you.
This Data Management Policy ensures The St Hugh’s Foundation for the Arts:
- Complies with data protection law and follows good practice
- Protects the rights of applicants, venues, arts organisations, suppliers and so on
- Is transparent about how it collects and uses individuals’ data
- Protects itself from the risks of a data breach.
Data protection law
The General Data Protection Regulation (GDPR) applies in the UK and across the EU from May 2018. It requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals;
- Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
- The controller shall be responsible for, and be able to demonstrate, compliance with the principles.
People and responsibilities
Data Protection Officer (DPO) – the person responsible for fulfilling the tasks of the DPO in respect of The St Hugh’s Foundation for the Arts is Sue Hawes, Administrator for the Foundation. They will:
- Inform and advise individuals working with the Foundation about their obligations to comply with the GDPR and other data protection laws
- Monitor compliance with the GDPR and other data protection laws, managing internal data protection activities
- Be the first point of contact for supervisory authorities and for individuals whose data is collected (applicants, venues, arts organisations, suppliers and so on).
The data we collect
We collect various types of information and in a number of ways:
Information you give us
- Mailing list
When you register for our mailing list via our website, or by opting in when attending one of our networking or workshop events, we will store personal information you give us for this purpose - your name (optional) and email address.
We require this information to keep you updated e.g. about our forthcoming Arts Award deadlines, notification about Award winners and promoting any additional events and opportunities. We will not do so excessively, and you can opt out of these emails at any time, using the unsubscribe information in the emails we send out or by using the contact details at the end of this Policy.
- Website sign-up form
When you contact us via the sign-up form on our website, your contact details are stored temporarily in the website Content Management System (CMS) to provide a back-up of the information sent to our Administrator Sue Hawes. These contact details are then deleted from the CMS on a monthly basis.
We make our website CMS accessible to our designers (Optima) on occasion. We will only do so to enable them to make updates, additions, or to trouble-shoot any issues we may have with the site. Optima do not store any personal data submitted via the website CMS.
- Making an application to the St Hugh’s Foundation for the Arts
Application information is automatically collated and then exported from Typeform by our Administrator as an Excel document. At the first stage of assessment, a password-protected pdf version of that Excel document is circulated to Trustees only.
At the second stage of assessment, short-listed applications are then saved to Dropbox, and shared amongst Trustees using a specific link.
Any sensitive information associated with an application would only be shared amongst Trustees where we had been given permission to do so, and would be shared as part of the password protected pdf, for which only Trustees would know the password.
Full applications are stored for as long as they are being processed, and then the Foundation will only keep successful applications after the application process has been completed (for the purposes of building up an archive about the work of the Foundation and updating the website). All unsuccessful applications are deleted. The Foundation also keeps an anonymized record of data given at the initial application stage in an Excel document for the purposes of future research about the Foundation’s impact and effectiveness. This Excel document is stored on the Administrator’s computer and is password protected. Applicants wishing to request to see what information the Foundation holds on them can do so at any time by emailing firstname.lastname@example.org.
Applicants’ details are only added to our mailing list where we have received explicit consent to store and use them in this way.
- Paying invoices
Information about your interactions with us
We may process data about your use of our website and services ("usage data"). The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the usage data is our analytics tracking system, Google Analytics. This usage data may be processed for the purposes of analysing the use of the website and services. The legal basis for this processing is consent (see below).
Sensitive personal data
Data Protection law recognises that certain categories of personal information are more sensitive such as health information, race, religious beliefs and political opinions. We do not usually collect this type of information about our applicants/partners unless there is a clear reason for doing so. If storing this information we would only do so for a limited period of time and would not share it with third parties.
There are two bases under which we may process your data:
Legitimate business interests
In certain situations we collect and process your contact details for purposes that are in our legitimate organisational interests. However we only do this if there is no overriding prejudice to you by using your personal information in this way. We describe below the situations where we may use this basis for processing.
With your explicit consent
For any situations where the basis above is not appropriate, we will instead ask for your explicit consent before using your personal information in that specific situation, ensuring that:
- Your consent is freely and unambiguously given for specific purposes
- We can evidence an affirmative action on your part to have indicated consent
- You can reasonably understand who is using your personal information, what information, and for what purposes, and using which communications channels
- You can withdraw consent at any time, and understand the processes in place to enable you to do so.
As described above, we aim to communicate with you about the work that we do in ways that you find relevant, timely and respectful. To do this we use any relevant data that we have stored about you, as well as any preferences you may have told us about.
We use explicit consent as the legal basis for communications by email. We will give you an opportunity to opt out of receiving them from the first email contact we make with you. If you do not opt out, we will provide you with an option to unsubscribe in every email that we subsequently send you, or you can alternatively use the contact details at the end of this policy.
We use our legitimate organisational interest as the legal basis for communications by post and email with third party providers such as press and potential partner venue contacts.
Other processing activities
In addition to marketing communications, we also process personal information in the following ways that are within our legitimate organisational interests:
We may analyse data we hold about you to ensure that the content and timing of communications that we send you are as relevant to you as possible.
We may analyse data we hold about you in order to identify and prevent fraud.
In order to improve our website we may analyse user information, which is done on an anonymous basis, i.e. we do not collect personal information in any way.
In all of the above cases we will always keep your rights and interests at the forefront to ensure they are not overridden by your own interests or fundamental rights and freedoms. You have the right to object to any of this processing at any time. If you wish to do this, please use the contact details at the end of this policy. Please bear in mind that if you object this may affect our ability to carry out tasks above that are for your benefit.
There are certain circumstances under which we may disclose your personal information to third parties. These are as follows:
To our own service providers who may process data on our behalf and on our instructions (for example web designers Optima). In these cases we require that these third parties comply strictly with our instructions and with data protection laws, for example around security of personal data.
Where we are under a duty to disclose your personal information in order to comply with any legal obligation (for example to government bodies and law enforcement agencies).
Our website contains links to third-party websites. Once you leave our website, you should note that we have no control over the content or policies of the third-party website. We would recommend that you exercise caution and look at any privacy statement applicable to the website in question.
Cookies are small text files that are automatically placed onto your device by some websites that you visit. They are widely used to allow a website to function as well as to provide website operators with information on how the site is being used.
Cookies that we use
We use the following cookies:
- exp_cookies_allow: used to track and respect your choices, to remember where you have visited on our website and to help and protect you.
- exp_last_activity: every time the page is reloaded, the last activity is set to the current date and time. It is used to determine form or login expiry. This is essential for logged-in users to record their data and not lose it as it is being input. The expiry time is 12 months.
- exp_last_visit: sets the date and time that you last visited the site. Affects guests and logged-in users. The expiry time is 12 months.
- exp_tracker: tracks the last 5 pages you viewed and is used primarily for redirection after some actions on the site, i.e. moving back to pages. This affects guests and logged-in users. This cookie expires when you leave the site.
- exp_csrf_token: protects against Cross Site Request Forgery (CSRF). A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. It expires from your computer after one hour.
- exp_stashid: generates a unique ID that relates to session values that determine the current state of the website and any actions you have performed.
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
- https://support.google.com/chrome/answer/95647?hl=en (Chrome);
- https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);
- http://www.opera.com/help/tutorials/security/cookies/ (Opera);
- https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
- https://support.apple.com/kb/PH21411 (Safari); and
- https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge)
Blocking all cookies will have a negative impact upon the usability of many websites. If you block cookies, you will not be able to use all the features on our website.
Maintaining your personal information/any access requests
You are entitled to:
- Ask what information we hold about you and why
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed how the Foundation is meeting its data protection obligations.
We store personal information given with your explicit consent indefinitely, until such time that you may notify us that you no longer wish for us to do so.
If there are aspects of your record that are inaccurate or that you would like to remove, please use the contact details at the end of this policy and we will be able to update your details and ensure that any data to be deleted is deleted securely and without further risk of breach.
Any objections you make to any processing of your data will be stored against your record on our system so that we can comply with your requests.
Security of your personal information
We will put in place appropriate safeguards (both in terms of our procedures and the technology we use) to keep your personal information as secure as possible, including protecting against unauthorised or unlawful processing and against accidental loss, destruction or damage. We will ensure that any third parties we use for processing your personal information do the same.
Some of our safeguards include:
- Installing an SSL certificate on our website so data transfer is encrypted
- Ensuring access to our website CMS is restricted through use of a password.
We will not transfer, process or store your data anywhere that is outside of the European Economic Area.
Your rights to your personal information
You have a right to request a copy of the personal information that we hold about you and to have any inaccuracies in this data corrected. Please use the contact details at the end of this policy if you would like to exercise this right.
Contact details and further information
The St Hugh’s Foundation for the Arts