Tangle Data Management Policy
1. Context and overview
• Policy prepared by: Debo Adebayo
• Approved by senior management: [23/5/2018]
• Policy became operational on: [24/5/2018]
• Next review date: [24/5/2020]
Tangle needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards – and to comply with the law.
Why this policy exists
This data management policy ensures Tangle:
• Complies with data protection law and follows good practice
• Protects the rights of customers, staff and partners
• Is transparent about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach
Data protection law
The General Data Protection Regulation (GDPR) applies in the UK and across the EU from May 2018. It requires that personal data shall be:
1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes;
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals;
6. Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
7. The controller shall be responsible for, and be able to demonstrate, compliance with the principles.
2. People and responsibilities
Everyone at Tangle contributes to compliance with GDPR. Key decision makers must understand the requirements and accountability of the organisation sufficiently to prioritise and support the implementation of compliance.
• Keeping senior management and board updated about data protection issues, risks and responsibilities
• Documenting, maintaining and developing the organisation’s data protection policy and related procedures, in line with agreed schedule
• Embedding ongoing privacy measures into corporate policies and day-to-day activities, throughout the organisation and within each business unit that processes personal data. The policies themselves will stand as proof of compliance.
• Dissemination of policy across the organisation, and arranging training and advice for staff
• Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters
• Checking and approving contracts or agreements with third parties that may handle the company’s sensitive data
• Ensuring all systems, services and equipment used for storing data meet acceptable security standards
• Performing regular checks and scans to ensure security hardware and software is functioning properly
• Evaluating any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations
• Developing privacy notices to reflect lawful basis for fair processing, ensuring that intended uses are clearly articulated, and that data subjects understand how they can give or withdraw consent, or else otherwise exercise their rights in relation to the company’s use of their data
• Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the GDPR principles.
3. Scope of personal information to be processed
The scope of the data we process is:
– Data that you provide to us for subscribing to our website services, email announcements, and/or newsletters including:
Names of individuals
The postal address of an individual
The region in which an individual or organisation resides
The cultural organization, educational establishment or community organisation an individual belongs to
The art form of an artist
– CVs of individuals who have applied for posts at Tangle
– Data about your computer and about your visits to and use of this website via Google Analytics (see below);
– Data that you provide to us for the purpose of working with us;
Tangle’s data is collected:
– From an online form on the Tangle website (primarily)
– On sign up sheets with a clear opt in that matches the Tangle website online form at events, conferences or workshops managed and held by a Tangle member of staff at all times
– From individuals who directly request, via email, telephone or in person (including, for example, by giving a Tangle member of staff a business card), to be added to our database
– From online surveys such as “survey monkey” with a clear “opt in” to our mailing list that matches the Tangle website online form and links to our data policy
– Occasionally from “Data controller” partner venues who we tour our work to and with whom we have a GDPR compliant data sharing agreement
– Via Google Analytics:
* Cookies – Most browsers allow you to reject all cookies, whilst some browsers allow you to reject just third party cookies. Blocking all cookies will, though, have a negative impact upon the usability of many websites.
– Via Mail Chimp
Tangle’s data is stored:
– In a password protected database only accessible by key members of staff
– We use a secure online mailing software, “Mail Chimp” for all email communications which automatically removes duplicates and opt outs and allows customers access / information on how to remove / amend records. Only the data officers and one other member of staff have access to this.
4. Uses and conditions for processing
The table below documents the specific types of processing that Tangle carries out, the intended purpose of that processing, the data to be processed, the lawful basis for processing the data, and how these conditions for processing are supported.
| Outcome/Use | Processing required | Data to be processed | Conditions for processing | Evidence for lawful basis |
|---|---|---|---|---|
| General E-newsletters | Adding new sign ups to database | Name, email, previous Tangle event attended | Consent, legitimate interest | Evidence of date consent given or how it was given |
| Teachers and Programmers mail outs | Adding new sign ups to database. Segmenting existing mailing list. | Names, email addresses, organization | Consent, legitimate interest | Evidence of date consent given or how it was given |
| Tangle Friends Newsletter | Adding new sign ups to database | Names, email, postal addresses | Consent | Evidence of date consent given or how it was given |
| Tangle Event Personal Invitations | Segmenting existing mailing lists | Names, email | Consent, legitimate interest | Evidence of date consent given or how it was given |
| Post show survey monkey | Collating email addresses collected to send survey and then adding to database | Names, email addresses | Consent | Evidence of date consent given or how it was given |
| Dealing with messages made by users relating to the website or to Tangle | Recording names, email addresses and messages sent to us | Name, email, your message to us | Consent, legitimate interest | Evidence of date consent given or how it was given |
5. Privacy Impact Assessments
Privacy Impact Assessments (PIAs – also known as Data Protection Impact Assessments, DPIAs) form an integral part of taking a privacy by design, best practice approach, and there are certain circumstances under which organisations must conduct PIAs. They are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy, and protect against the risk of harm through use or misuse of personal information. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
PIAs undertaken by Tangle specifically relating to our consent and legitimate interest conditions for processing data are as follows.
Where the organisation relies on consent as the lawful condition for processing, you should be able to demonstrate and describe how you have reviewed your processes and systems to make sure that consent is freely and unambiguously given for specific purposes, and that you can evidence an affirmative action on the part of the data subject to have indicated consent, and such that data subjects can reasonably understand who is using their personal information, what information, and for what purposes, and using which communications channels. Pursuant to these goals, Tangle strives to:
1) Show clearly that by submitting your name and email address on our website you are joining our mailing list and recording how and when such consent was obtained, retaining this information together with the record collected
3) Include an unsubscribe link in all email communications, allowing for the individual to request cessation of such communications
Where ‘legitimate interest’ is the lawful condition for processing, evidence should be given of the process by which the rights and freedoms of the individual have been weighed against the interests of the company, and how consideration/mitigation of the outcomes of the process have been made. To assist us in determining legitimate interest, we have compiled the following Legitimate Interest Test:
1) We are required to process the data we collect (such as names, emails, postal addresses etc.) in order to communicate relevant information of interest to our customers, supporters and partners, regarding our activities, productions, events and other pertinent materials
2) Our customers and partners benefit from this processing, as they are kept up-to-date on our latest activities, productions, and news. We also benefit by creating audiences to experience and appreciate our work.
3) Processing provides the wider public benefit of allowing us to communicate about our work, which seeks to enrich and contribute to society through theatre, and assists us in disseminating this information to the widest possible potential audiences
4) This public benefit is deeply important for supporting and advancing the cause of African Caribbean theatre in a sphere that struggles with diversity
5) Without the ability to communicate with our potential and past audiences and supporters, we would be unable to promote our offerings to the widest possible audience and therefore the appreciation for and participation in our art form would suffer
6) The data collected would never be used in an unlawful or unethical manner
1) Processing helps to further our purpose and interest through providing us with the raw material necessary for communication with our potential and future audiences, supporters and partners
2) The processing of data is reasonable because without such processing the data collected would not be useful
3) There is not another less intrusive way of obtaining the same result, because basic contact details are required in order to carry out our above stated purposes
1) Our relationship with the individuals whose data we process is that of:
b) Partner Organisation
2) Some of the data, including email, CVs and postal addresses, is sensitive, but it would be reasonable for anyone supplying such information to expect it to be used for communication of information
3) If needed, we are happy to explain how exactly such data will be used
4) It is unlikely that, after providing consent, someone would object to their data being used in this way; however, any such objection shall be treated with the utmost seriousness
5) There is a small chance that by providing such data individuals are open to being contacted through their email or address if a data breach were to occur; however, the chance of any such breach is minimal given the security systems in place
6) It is likely that any such breached data would be used for marketing purposes and thereby prove a nuisance to the individual; however, there is a small possibility of identity theft that would have larger ramifications
7) We are not routinely processing the data of children. That being said, we from time to time do collect the data of children in relation to our productions and (especially) workshops. Any such data shall be obtained with the express permission of the child’s parent or guardian and treated accordingly.
8) Some of the individuals whose data is processed by us are vulnerable and therefore any such data should be treated with the utmost sensitivity, discretion and protection
10) Any individual who does not wish to receive further communications from us may opt-out at any time, as indicated clearly with each email or mailing
On balance, it can be concluded that legitimate interests are an appropriate lawful basis for our processing activities.
6. Data Sharing
Tangle will not enter into agreements to share personal data that we have obtained with third parties. Wherever possible, we will request data controller venues we collaborate with to send out a post show email communication inviting direct sign up to our mailing list, as opposed to entering a data sharing agreement. Where we are satisfied that data controller venues obtain the correct permissions with clear usage information on our behalf we will enter into a clear and detailed data sharing agreement with them.
7. Security measures
We will take sensible technical and structural precautions to prevent the loss, misappropriation, or modification of your personal data.
Data will be stored in a password-protected database on our online server (Dropbox). This will only be accessible by key members of staff who need to access it in accordance with their lawful roles within the company. The password is updated regularly and stored securely.
Data is never emailed between members of Tangle staff. Data is uploaded to Mail Chimp and Dropbox only.
Of course, information transmission over the internet is inherently insecure, and we cannot promise the security of data sent over the internet.
8. Subject access requests and privileges
We ensure that all individuals who are the subject of data held by Tangle are entitled to:
• Ask what information the company holds about them and why
• Ask how to gain access to it
• Be informed how to keep it up to date
• Be informed how the company is meeting its data protection obligations
If asked by individuals what information Tangle holds on them, we will access their information in the database and respond to their enquiry via email, personally addressing each of the questions individually and lawfully. Delivery of such information will be subject to the supply of appropriate evidence of your identity. As we are a small team with a relatively small amount of data, this is a feasible process and ensures that we are able to be as communicative and transparent as possible.
We can keep data up to date and delete records on a case by case basis and share our data policy and the ways in which we are GDPR compliant.
We retain all data collected for a period of two years, after which information which demonstrates dormancy (for example, the subject has not opened an email from us in two years) is purged from the system.
10. The right to be forgotten
In any circumstance in which subjects request to be deleted from our database and we respond to their request we will do so immediately.
11. Ongoing documentation of measures to ensure compliance
Meeting the obligations of the GDPR to ensure compliance will be an ongoing process. The ongoing measures implemented include:
1) Maintaining documentation/evidence of the privacy measures implemented and records of compliance
2) Regularly testing the privacy measures implemented and maintaining records of the testing and outcomes.
3) Using the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts.
4) Keeping records showing training of employees on privacy and data protection matters.