Data and Privacy Policy

Tangle Data Management Policy


1. Context and overview

Key details:

• Policy prepared by: Debo Adebayo

• Approved by senior management: [23/5/2018]

• Policy became operational on: [24/5/2018]

• Next review date: [24/5/2020]


Introduction

Tangle needs to gather and use certain information about individuals.

These individuals can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards – and to comply with the law.


Why this policy exists

This data management policy ensures Tangle:

• Complies with data protection law and follows good practice

• Protects the rights of customers, staff and partners

• Is transparent about how it stores and processes individuals’ data

• Protects itself from the risks of a data breach


Data protection law

The General Data Protection Regulation (GDPR) applies in the UK and across the EU from May 2018. It requires that personal data shall be:

1. Processed lawfully, fairly and in a transparent manner in relation to individuals;

2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes;

3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals;

6. Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

7. The controller shall be responsible for, and be able to demonstrate, compliance with the principles.


2. People and responsibilities

Everyone at Tangle contributes to compliance with GDPR. Key decision makers must understand the requirements and accountability of the organisation sufficiently to prioritise and support the implementation of compliance. Key responsibilities include:

• Keeping senior management and board updated about data protection issues, risks and responsibilities

• Documenting, maintaining and developing the organisation’s data protection policy and related procedures, in line with agreed schedule

• Embedding ongoing privacy measures into corporate policies and day-to-day activities, throughout the organisation and within each business unit that processes personal data. The policies themselves will stand as proof of compliance.

• Dissemination of policy across the organisation, and arranging training and advice for staff

• Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters

• Checking and approving contracts or agreements with third parties that may handle the company’s sensitive data

• Ensuring all systems, services and equipment used for storing data meet acceptable security standards

• Performing regular checks and scans to ensure security hardware and software is functioning properly

• Evaluating any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations

• Developing privacy notices to reflect the lawful basis for fair processing, ensuring that intended uses are clearly articulated, and that data subjects understand how they can give or withdraw consent, or otherwise exercise their rights in relation to the company’s use of their data

• Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the GDPR principles.


3. Scope of personal information to be processed

The scope of the data we process is:

– Data that you provide to us for subscribing to our website services, email announcements, and/or newsletters including:

  • Names of individuals

  • The postal address of an individual

  • The region an individual or organisation resides

  • Email addresses

  • Telephone numbers

  • Job titles

  • The cultural organisation, educational establishment or community organisation an individual belongs to

  • The art form of an artist

– CVs of individuals who have applied for posts at Tangle

– Data about your computer and about your visits to and use of this website via Google Analytics (see below);

– Data that you provide to us for the purpose of working with us;


Tangle’s data is collected:

– From an online form on the Tangle website (primarily)

– On sign up sheets with a clear opt in that matches the Tangle website online form at events, conferences or workshops managed and held by a Tangle member of staff at all times

– From individuals who directly request via email, telephone or in person, including, for example, by giving a Tangle member of staff a business card, to be added to our database

– From online surveys such as “survey monkey” with a clear “opt in” to our mailing list that matches the Tangle website online form and links to our data policy

– Occasionally from “Data controller” partner venues who we tour our work to and with whom we have a GDPR compliant data sharing agreement

– Via Google Analytics:

  • We use Google Analytics to analyse the use of this website. Google Analytics generates statistical and other information about website use by means of cookies*, which are stored on users’ computers. The information generated relating to our website is used to create reports about the use of the website. Google will store this data. Google’s privacy policy is available here.

* Cookies – Most browsers allow you to reject all cookies, whilst some browsers allow you to reject just third party cookies. Blocking all cookies will, though, have a negative impact upon the usability of many websites.

– Via MailChimp:

  • We use MailChimp to collect and maintain data collected from this website. MailChimp generates and stores information and other materials about you when you sign up with us. The information generated relates to what you provide to us. MailChimp will store this data. MailChimp’s privacy policy is available here.


Tangle’s data is stored:

– In a password protected database only accessible by key members of staff

– We use a secure online mailing software, “MailChimp”, for all email communications, which automatically removes duplicates and opt outs and allows customers access / information on how to remove / amend records. Only the data officers and one other member of staff have access to this.


4. Uses and conditions for processing

The table below documents the various specific types of processing that Tangle carries out, the intended purpose for that processing, the data to be processed, the lawful basis for processing the data, and how these conditions for processing are supported.

Outcome/Use | Processing required | Data to be processed | Conditions for processing | Evidence for lawful basis
--- | --- | --- | --- | ---
General E-newsletters | Adding new sign ups to database | Name, email, previous Tangle event attended | Consent, legitimate interest | Evidence of date consent given or how it was given
Teachers and Programmers mail outs | Adding new sign ups to database. Segmenting existing mailing list. | Names, email addresses, organisation | Consent, legitimate interest | Evidence of date consent given or how it was given
Tangle Friends Newsletter | Adding new sign ups to database | Names, email, postal addresses | Consent | Evidence of date consent given or how it was given
Tangle Event Personal Invitations | Segmenting existing mailing lists | Names, email | Consent, legitimate interest | Evidence of date consent given or how it was given
Post show survey monkey | Collating email addresses collected to send survey and then adding to database | Names, email addresses | Consent | Evidence of date consent given or how it was given
Dealing with messages made by users relating to the website or to Tangle | Recording names, email addresses and messages sent to us | Name, email, your message to us | Consent, legitimate interest | Evidence of date consent given or how it was given

5. Privacy Impact Assessments

Privacy Impact Assessments (PIAs – also known as Data Protection Impact Assessments, DPIAs) form an integral part of taking a privacy by design, best practice approach, and there are certain circumstances under which organisations must conduct PIAs. They are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy, and protect against the risk of harm through use or misuse of personal information. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.

PIAs undertaken by Tangle specifically relating to our consent and legitimate interest conditions for processing data are as follows.

Where the organisation relies on consent as the lawful condition for processing, you should be able to demonstrate and describe how you have reviewed your processes and systems to make sure that consent is freely and unambiguously given for specific purposes; that you can evidence an affirmative action on the part of the data subject indicating consent; and that data subjects can reasonably understand who is using their personal information, what information, for what purposes, and through which communications channels. Pursuant to these goals, Tangle strives to:

1) Show clearly that by submitting your name and email address on our website you are joining our mailing list and recording how and when such consent was obtained, retaining this information together with the record collected

2) Follow up requests to join our mailing list by showing where our privacy policy can be viewed

3) Include an unsubscribe link in all email communications, allowing for the individual to request cessation of such communications


Where ‘legitimate interest’ is the lawful condition for processing, evidence should be given of the process by which the rights and freedoms of the individual have been weighed against the interests of the company, and of how the outcomes of that process have been considered and mitigated. To assist us in determining legitimate interest, we have compiled the following Legitimate Interest Test:


Purpose

1) We are required to process the data we collect (such as names, emails, postal addresses etc.) in order to communicate relevant information of interest to our customers, supporters and partners, regarding our activities, productions, events and other pertinent materials

2) Our customers and partners benefit from this processing, as they are kept up-to-date on our latest activities, productions, and news. We also benefit by creating audiences to experience and appreciate our work.

3) Processing provides the wider public benefit of allowing us to communicate about our work, which seeks to enrich and contribute to society through theatre, and assists us in disseminating this information to the widest possible potential audiences

4) This public benefit is deeply important for supporting and advancing the cause of African Caribbean theatre in a sphere that struggles with diversity

5) Without the ability to communicate with our potential and past audiences and supporters, we would be unable to promote our offerings to the widest possible audience and therefore the appreciation for and participation in our art form would suffer

6) The data collected would never be used in an unlawful or unethical manner


Necessity

1) Processing helps to further our purpose and interest through providing us with the raw material necessary for communication with our potential and future audiences, supporters and partners

2) The processing of data is reasonable because without such processing the data collected would not be useful

3) There is not another less intrusive way of obtaining the same result, because basic contact details are required in order to carry out our above stated purposes


Balancing

1) Our relationship with the individuals whose data we process is that of:

a) Customer

b) Partner Organisation

c) Supporter


2) Some of the data, including email, CVs and postal addresses, is sensitive, but it would be reasonable for anyone supplying such information to expect it to be used for communication of information

3) If needed, we are happy to explain how exactly such data will be used

4) It is unlikely that, after providing consent, someone would object to their data being used in this way; however, any such objection shall be treated with the utmost seriousness

5) There is a small chance that by providing such data individuals are open to being contacted through their email or address if a data breach were to occur; however, the chance of any such breach is minimal given the security systems in place

6) It is likely that any such breached data would be used for marketing purposes and therefore prove a nuisance to the individual; however, there is a small possibility of identity theft that would have larger ramifications

7) We are not routinely processing the data of children. That being said, we from time to time do collect the data of children in relation to our productions and (especially) workshops. Any such data shall be obtained with the express permission of the child’s parent or guardian and treated accordingly.

8) Some of the individuals whose data is processed by us are vulnerable and therefore any such data should be treated with the utmost sensitivity, discretion and protection

9) All data shall be safeguarded with the encryption provided through our mailing hosting service (MailChimp) and on our online server (“Dropbox” – Dropbox’s privacy policy can be viewed here)

10) Any individual who does not wish to receive further communications from us may opt-out at any time, as indicated clearly with each email or mailing

On balance, it can be concluded that legitimate interests are an appropriate lawful basis for our processing activities.

6. Data Sharing

Tangle will not enter into agreements to share personal data that we have obtained with third parties. Wherever possible, rather than entering a data sharing agreement, we will request that data controller venues we collaborate with send out a post show email communication inviting direct sign up to our mailing list. Where we are satisfied that data controller venues obtain the correct permissions with clear usage information on our behalf, we will enter into a clear and detailed data sharing agreement with them.


7. Security measures

We will take sensible technical and structural precautions to prevent the loss, misappropriation, or modification of your personal data.

Data will be stored in a password-protected database on our online server (Dropbox). This will only be accessible by key members of staff who need to access it in accordance with their lawful roles within the company. The password is updated regularly and stored securely.

Data is never emailed between members of Tangle staff. Data is uploaded to MailChimp and Dropbox only.

Of course, information transmission over the internet is inherently insecure, and we cannot promise the security of data sent over the internet.


8. Subject access requests and privileges

We ensure that all individuals who are the subject of data held by Tangle are entitled to:

• Ask what information the company holds about them and why

• Ask how to gain access to it

• Be informed how to keep it up to date

• Be informed how the company is meeting its data protection obligations

If asked by individuals what information Tangle holds on them, we will access their information in the database and respond to their enquiry via email, personally addressing each of the questions individually and lawfully. Delivery of such information will be subject to the supply of appropriate evidence of your identity. As we are a small team with a relatively small amount of data, this is a feasible process and ensures that we are able to be as communicative and transparent as possible.

We can keep data up to date and delete records on a case by case basis and share our data policy and the ways in which we are GDPR compliant.

We retain all data collected for a period of two years, after which information which demonstrates dormancy (for example, the subject has not opened an email from us in two years) is purged from the system.


10. The right to be forgotten

Whenever a subject requests to be deleted from our database, we will respond to the request and delete their record immediately.


11. Ongoing documentation of measures to ensure compliance

Meeting the obligations of the GDPR to ensure compliance will be an ongoing process. The ongoing measures implemented include:

1) Maintaining documentation/evidence of the privacy measures implemented and records of compliance

2) Regularly testing the privacy measures implemented and maintaining records of the testing and outcomes.

3) Using the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts.

4) Keeping records showing training of employees on privacy and data protection matters.