Data Protection

Last modified: 07 Aug 2023

1. Introduction

We worked with Katy Raines from Indigo-Ltd on this guidance, to help you operate legally and ethically, whilst also gaining maximum benefit from the insight you gather. It should be noted that neither Counting What Counts (CWC) nor Katy are lawyers specialising in data protection. Therefore, these notes should be taken as advisory guidance to organisations, to be used alongside their own approach to data protection.

2. GDPR and the Data Protection Act

The General Data Protection Regulation (GDPR), which came into force in May 2018, is a European Union (EU) piece of legislation setting the minimum standards for processing data in the EU.

Anticipating Brexit, the 2018 Data Protection Act rewrote the UK’s own data protection laws to mirror GDPR, so there would be no conflict between British and European law. This meant that when Britain left the EU, the Data Protection Act continued to apply rules that were functionally equivalent to GDPR; the difference is that it is now in the UK government’s power to alter those rules. If you operate solely in the UK, you are now under the jurisdiction of the UK’s Data Protection Act, not the EU’s GDPR legislation.

In June 2021, the EU Commission found the UK’s data protection regime to be ‘adequate’, meaning that data can continue to flow from the EU and European Economic Area (EEA) without the need for additional safeguards.

3. Data and the Impact & Insight Toolkit

Throughout the lifetime of the Toolkit project, we have been responding to and anticipating changes to data protection legislation. For example, before Brexit occurred, we moved over to UK-based servers to store all Toolkit data, minimising the need for any international data transfers. Indeed, as a result of Brexit and clarifications from the Information Commissioner’s Office (ICO), we have updated our legal agreements which users of the Impact & Insight Toolkit sign.
Please see our Policy and Privacy Centre for further information.

4. Data and the evaluation process

The process of undertaking evaluations typically happens as follows:

1. Customers give their personal details to a provider when booking or attending an arts or cultural work.
2. This data (or some of this data) is used to email the attendees after the work has taken place, asking them to complete an evaluation.
3. The data gathered from those responses is then used alongside other data collected from peer reviewers and self-assessors to form the full evaluation of the work.

Types of data processed

- Personal data – names, addresses and contact details of named individuals.
- Insight data – responses to evaluations which, in most cases, do not include any personal data.

Privacy considerations

At the point the data is captured, the venue operates under its own data protection guidelines for processing this data as outlined in the venue’s privacy policy. This privacy policy should include details of which forms of data are collected, what the potential uses of that data are (which should include mention of customer surveys), and under which legal basis.

In some cases, you may have an agreement with partner organisations for their productions, and customers will be asked an additional question as to whether their personal contact data can be shared with the partner organisation in order to keep them informed of their activities. In this case, the following should exist:

- a clear consent-based option at the point of data capture for the customer to agree to their data being passed to the partner organisation
- inclusion of this practice in the venue’s privacy policy
- a data sharing agreement between the venue and the partner organisation, outlining how this process will take place, how and when the data will be passed across from venue to partner organisation, and what the partner organisation will do on receipt of the data.

How customers are selected for inclusion in an email to promote the survey should be determined by a venue’s privacy policy. For example, if the venue uses a ‘legitimate interest’ as its basis for contacting any booker to ask for feedback via a survey, then, as long as the venue is content that it has undertaken the appropriate privacy assessments and included this use clearly in its privacy statement, all bookers could likely be emailed with the survey. If, however, the venue operates a ‘consent’ model for who it sends surveys to, then only customers who have given the relevant consent may be emailed.

An email is sent to the selected bookers, inviting them to participate in an evaluation of the event. Best practice suggests the email should include the following:

- Specific reference to the event they came to see, with the names of any partner organisations mentioned specifically.
- An invitation to complete the survey, stressing that, whilst participation is voluntary, their feedback is important to the venue and any partner organisations.
- Reassurance that all responses are anonymous, and that the findings are only used by the venue, partner organisations and Arts Council England to understand how the work is being received by audiences, and to inform future planning.

Insight data is gathered in the Culture Counts platform. If it contains no personal data (e.g. 6-digit postcode, name, address), then it is not personal data, and the resulting analysis can therefore be shared without reference to GDPR or the Data Protection Act.

If the insight data does include personal data, then the following considerations need to be made:

- The data sharing agreement between venue and partner organisation should make provision for such data being seen by the partner organisation, but should specify that such data cannot be used by either party for anything other than further analysis on the data.
It cannot, for example, be added to a database or used to contact the customer in any way.
- The privacy policy of both venue and partner organisation should include data being shared by the venue, or received by the partner organisation (using a legitimate interest) in order to understand audience reaction to the work to inform future programming etc.

5. Best practice

Checklist for venues

- Privacy policy outlines uses of data collected at point of sale, to include customer surveys.
- Point of sale notification regarding data collection is clear regarding potential uses of data (including surveys).
- Privacy policy includes sharing survey findings with artistic partners and funders.
- Data sharing agreement setting out how personal and insight data will be shared between venue and touring company.

Checklist for partner organisations

- Privacy policy includes personal and insight data received from venues and how it will be processed; include retention policy (i.e. how long data will be kept).
- Data sharing agreement setting out how personal and insight data will be shared between venue and touring company.

6. Appendix A: Extracts from example venue privacy policy to outline uses of data

Data collection

We may collect personal data from you when you buy a ticket, join or renew a membership, ask us to send you information, complete a survey, make a donation, pledge a legacy, attend an event, visit our premises, volunteer or participate in a project or group, supply goods/services to us, pay us for goods/services or apply for a job.

How we will use your data

We will use your information for the purposes listed below under one of the following legal bases:

- Performance of a contract between us and you.
- Your consent (where we require it).
- To comply with a legal obligation, or
- Our legitimate interest, or that of a third party.

The ways in which we use your data are listed below:

- Legitimate interest: To invite you to give feedback on our programmes and services via customer surveys in order to improve our offer and feedback to our funders.

Sharing data with third parties

The personal information that you give us will never be supplied to anyone outside [Organisation A] for contact purposes without first obtaining your consent, unless we are obliged or permitted by law to disclose it, we need to use the services of ‘data processors’ to fulfil your requirements, to support analysis and research for [Organisation A] or the Arts Sector, or for reporting to our funders.

The ways in which we share data with third party organisations are listed below:

- Consent: When you book for one of our artistic partners you may be asked if you would like us to pass your data across to them so that they can keep you informed of their activities. They will inform you once they have your data, along with details of their own privacy policy.
- Legitimate interest: With agreement about data management protocols, we may make anonymised data available to our artistic partners and other bodies such as PwC and the Impact & Insight Toolkit for analysis and research purposes. This assists with reporting to funders and strategic planning, helping us to make better business decisions.

Please do get in touch with us if you have any questions. There is also a wealth of information on the Information Commissioner’s Office (ICO) website.