Data Management Policy - how we use and protect your data.
- Policy prepared by: Mandy Hare
- Approved by board/management: Gravesham Borough Council
- Next review date: 1st May 2024
The Woodville needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.
Why this policy exists:
This data management policy ensures The Woodville:
- Complies with data protection law and follows good practice
- Protects the rights of customers, staff and partners
- Is transparent about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
1. Data protection law:
The General Data Protection Regulation (GDPR) applies in the UK and across the EU from May 2018. It requires personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals;
- Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- The controller and the contracted ticketing company shall be responsible for, and be able to demonstrate, compliance with the principles.
2. Who? People and responsibilities
Everyone at The Woodville contributes to compliance with GDPR. Key decision makers understand the requirements and accountability of the organisation sufficiently to prioritise and support the implementation of compliance. These responsibilities include (but are not necessarily limited to):
Keeping senior management updated about data protection issues, risks and responsibilities.
Arts & Culture Manager
Documenting, maintaining and developing the organisation’s data protection policy and related procedures, in line with agreed schedule.
Arts & Culture Manager/Data Protection Officer, Gravesham Borough Council
Embedding ongoing privacy measures into corporate policies and day-to-day activities, throughout the organisation and within each business unit that processes personal data.
Arts & Culture Manager
Dissemination of policy across the organisation, and arranging training and advice for staff.
Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters.
Contracted Ticketing Agent/Venue Manager
Checking and approving contracts or agreements with third parties that may handle the company’s sensitive data.
Contracted Ticketing Agent/Arts & Culture Manager
Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
Arts & Culture Manager and Contracted Ticket Agent
Performing regular checks and scans to ensure security hardware and software is functioning properly.
Contracted Ticketing Agent and Gravesham Borough Council IT department
Evaluating any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations.
Arts & Culture Manager and Gravesham Borough Council Service Manager
Developing privacy notices to reflect lawful basis for fair processing, ensuring that intended uses are clearly articulated, and that data subjects understand how they can give or withdraw consent, or else otherwise exercise their rights in relation to the companies use of their data.
Contracted Ticketing Agent/Arts & Culture Manager
Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the GDPR principles
Data Protection Officer (DPO)
The person responsible for fulfilling the tasks of the DPO in respect of The Woodville is Gayle Jones, GBC DPO
The minimum tasks of the DPO are:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc)
3. Scope of personal information to be processed
- Names of individuals
- Postal addresses of individuals
- Email addresses
- Telephone numbers
- Ticketing history
- Online identifiers
- Any other information relating to individuals’ preferences
This data is collected with consent from individuals actively engaging with The Woodville. It will be stored securely within The Woodville’s ticketing software (Supplied by Contracted Ticketing Agent)
All the data that we collect will be provided by our patrons and checked by us. Transactions on line will invite patrons to input their details and when The Woodville makes contact patrons will be given the opportunity to change and update any data provided, even to opt out of any further engagement with The Woodville. We will review our data before each brochure mail out, within this review we will check for accuracy and duplication.
4. Information Collection
We collect various types of information and in a number of ways:
Information you give us
For example, when you register on our website or buy tickets we’ll store personal information you give us such as your name, email address, postal address and telephone number. We will also store a record of your purchases.
Information about your interactions with us
For example, when you visit our website, we collect information about how you interact with our content. When we send you a mailing we store a record of this.
Sensitive personal data
Data Protection Law recognises that certain categories of personal information are more sensitive such as health information, race, religious beliefs and political opinions. We do not ask for this type of information unless it is for a specific purpose and for example attending a workshop where materials that can cause allergy are used. This information will not be stored beyond the relevant date of the activity.
5. Legal Basis
There are three bases under which we may process your data:
When you make a purchase from us you are entering into a contract with us. In order to perform this contract we need to process and store your data. For example we may need to contact you by email or telephone in the event of a show cancellation.
Legitimate business interests
In certain situations we collect and process your personal data for purposes that are in our legitimate organisational interests. However, we only do this if there is no overriding prejudice to you by using your personal information in this way. We describe later in this policy all situations where we may use this basis for processing.
With your explicit consent
For any situations where the two bases above are not appropriate, we will, instead, ask for your explicit consent before using your personal information in that specific situation.
6. Marketing Communications
We aim to communicate with you about the work that we do in ways that you find relevant, timely and respectful. To do this we use data that we have stored about you, such as what events you have booked for in the past, as well as any preferences you may have told us about.
We use our legitimate organisational interest as the legal basis for communications by post and email. In the case of postal mailings you may object to receiving these at any time using the contact details at the end of this policy. In the case of email, we will give you an opportunity to opt out of receiving them during your first purchase with us. If you do not opt out, we will provide you with an option to unsubscribe in every email that we subsequently send to you, or you can alternatively use the contact details at the end of this policy.
We may also contact you about our work by telephone, however, we will always obtain explicit consent from you before doing this. Please bear in mind that this does not apply to telephone calls that we may need to make to you related to your purchases (as above).
7. Other processing activities
In addition to marketing communications, we also process personal information in the following ways that are within our legitimate organisational interests:
- We may analyse data we hold about you to ensure that the content and timing of communications that we send you are as relevant to you as possible.
- We may analyse data we hold about you in order to identify and prevent fraud
- In order to improve our website we may analyse information about how you use it and the content and ads that you interact with.
In all of the above cases we will always keep you rights and interests at the forefront to ensure that they are not overridden by our interests and that your fundamental rights and freedoms are protected. You have the right to object to any of this processing at any time. If you wish to do this, please use the contact details at the end of this policy. Please bear in mind that if you object this may affect our ability to carry out tasks that are for your benefit.
8. Third Parties
There are certain circumstances under which we may disclose your personal information to third parties. These are as follows:
- To the subsidiaries described above when it is necessary for them to be able to provide you with products or services that you have requested.
- To our own service providers who process data on our behalf and on our instructions (for example our ticket system software provider). In these cases we require that these third parties comply strictly with our instructions and with data protection laws, for example around security of personal data.
- In the unlikely event of there being a duty for us to disclose your personal information in order to comply with any legal obligation (for example to government bodies and law enforcement agencies)
- To specific named visiting companies whose performances you have attended. In these cases we will always ask for your explicit consent before doing so.
- NHS Test and Trace – We will be taking contact details from customers including the time and date of their attendance. These will need to be kept for 21 days and if asked we will provide them to NHS Test and Trace. Data will be handled according to GDPR, security and ethical standards at every stage of the process – from it’s collection and storage by us to its transfer and use by NHS Test and Trace.
Cookies are small text files that are automatically placed onto your device by some websites that you visit. They are widely used to allow a website to function (for example to keep track of your basket) as well as to provide website operators with information on how the website is being used.
There are two types of cookies:
- A persistent cookie remains on your computer for a period of time to allow a website to recognize you when you return and present you with the appropriate customized pages Session-specific cookies are deleted when you shut down your browser. These are used on sites where you log in; the cookie ensures that you stay logged in throughout that visit.
- Which pages are the most popular
- Which pages are seldom or never visited.
- And to give us an idea of how extensively the website is used.
We do not warrant that the functions contained in the material contained in this site will be uninterrupted or error free, that defects will be corrected, or that this site or the server that make it available are free of viruses or represent the full functionality, accuracy, reliability of the materials.
Any IP information is treated as strictly confidential and is not published or divulged to any third party.
COOKIES FOR MEASURING SITE USAGE
We use analytics to set cookies to help us accurately estimate the number of visitors to the website and volumes of usage. This to ensure that the service is available when you want it and fast.
TO DELETE COOKIES OR REJECT COOKIES
We recommend you allow the cookies set by this website as they help us to provide a better service. If you do not want to receive cookies from this website, select cookie settings under the privacy settings in your browser options, add our domain to the list of websites you do not want accept cookies from.
Under settings you can also delete individual cookies or any cookies that your browser has stored. You can find more information on how to delete and control cookies at www.aboutcookies.org
If you have any query about personal information that we may hold, please write to:
Data Protection Officer
Gravesham Borough Council
Kent DA12 1AU
10. Your Debit and Credit Card Information
If you use your credit or debit card to purchase from us we will ensure that this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS).
We optionally allow you to store your card details for use in a future transaction. This is also carried out in compliance with PCI-DSS and in a way where none of our staff members are able to see your full card number. We never store your 3 or 4 digit security code.
11. Maintaining Your Personal Information
We store your personal information for 3 years after your last booking, within that time period we are able to link your purchases back to your single unique record that is held on our system.
If there are aspects of your record that are inaccurate or that you would like to remove, you can do this by logging in to your account through our website. Alternatively, please use the contact details at the end of this policy.
Any objections that you make to any processing of your data will be stored against your record on our system so that we can comply with your requests.
12. Security of Your Personal Information
We will put in place appropriate safeguards (both in terms of our procedures and the technology we use) to keep your personal information as secure as possible. We will ensure that any third parties we use for processing your personal information do the same.
13. Your Rights to Your Personal Information
You have the right to request a copy of the personal information that we hold about you and to have any inaccuracies in this data corrected. Please use the contact details at the end of this policy if you would like to exercise this right.
14. Contact details and Further Information
The Woodville, Woodville Place, Gravesend, Kent DA12 1DD