Data Management Policy
Context and overview
Introduction:
OVADA (Oxfordshire Visual Arts Development Agency) needs to gather and use certain information about individuals. These can include audiences, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.
Why this policy exists:
This data management policy ensures OVADA:
Complies with data protection law and follows good practice
Protects the rights of audiences, staff and partners
Is transparent about how it stores and processes individuals’ data
Protects itself from the risks of a data breach
Data protection law:
The General Data Protection Regulation (GDPR) applies in the UK and across the EU from May 2018. It requires that personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to individuals;
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals;
Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The controller shall be responsible for, and be able to demonstrate, compliance with the principles.
People and Responsibilities
Everyone at OVADA contributes to compliance with GDPR. Key decision makers (Director and Board of Trustees) must understand the requirements and accountability of the organisation sufficiently to prioritise and support the implementation of compliance and how policy and procedural information is disseminated within the team. These responsibilities include:
Keeping the Board updated about data protection issues, risks and responsibilities. A specific item will be added to the Board meeting agendas.
Documenting, maintaining and developing the organisation’s data protection policy and related procedures.
Embedding ongoing privacy measures into corporate policies and day-to-day activities, throughout the organisation to ensure proof of compliance.
Dissemination of policy across the organisation, and arranging training and advice for staff where necessary.
Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters
Checking and approving contracts or agreements with third parties that may handle the company’s sensitive data
Ensuring all systems, services and equipment used for storing data meet acceptable security standards
Performing regular checks and scans to ensure security hardware and software is functioning properly
Evaluating any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations. (N.b. Not currently applicable to OVADA).
Developing privacy notices to reflect the lawful basis for fair processing, ensuring that intended uses are clearly articulated, and that data subjects understand how they can give or withdraw consent, or otherwise exercise their rights in relation to the company's use of their data
Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the GDPR principles
Data Protection Officer (DPO) – the person responsible for fulfilling the tasks of the DPO in respect of OVADA is the Director, who will:
inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits
be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
Scope of personal information to be processed
OVADA processes the following data:
names of individuals
postal addresses of individuals
email addresses
telephone numbers
online identifiers
information and contact details relating to personnel
Sensitive special categories of personal information that it is necessary for OVADA to process:
Bank details for paying invoices and issuing refunds (will be stored via Co-Operative Bank online banking and removed after a period of 1 year’s inactivity)
National insurance number/DOB etc (Given directly to PAYE for employees)
Data relating to Protected Characteristics for survey purposes (e.g. Arts Council Board Demographic Survey) will be anonymised.
DBS certificates will be copied, signed by the person who saw the original and redacted to be stored on file.
This data is collected on an ‘opt-in’ basis from:
Paper sign-up sheets in the warehouse or off-site locations
General Mailing List (via Mailchimp)
Associate Application Forms (Via OVADA’s website)
Bookings for classes and events (Via OVADA’s online shop/email)
Emergency Contact Forms for students
Email enquiries to OVADA
Purchasers of ‘A Little Bit Of’ booklets
Donors (Via OVADA’s website)
Consideration is taken to ensure the data is accurate (e.g. check duplication/completeness of data) relevant to the purpose and not excessive. For example, Mailchimp checks whether a subject has an existing record to avoid duplication.
This data is stored as follows:
Paper Mailing List sign-up sheets (stored in a locked filing cabinet in a registered office - held for a maximum of 1 year, then shredded).
General Mailing list stored on Mailchimp database and regularly ‘cleaned’
Associate application information processed using email provider (via secure server and data is stored on a private database on Google Drive).
Bookings for classes and events (via secure server and stored on a private database on Google Drive).
Emergency Contact Forms for students (stored in a locked filing cabinet in a registered office - held for maximum of 1 year, then shredded).
Email enquiries to OVADA (stored on secure server using G-Suite).
Measures to ensure that data is up-to-date and is not kept for longer than is necessary:
There are often legitimate reasons to keep the record of all customers on file, as long as there is a chance that they may return to your organisation. Data Controllers are obliged to ensure that the data they hold remains relevant by periodically “cleaning” the data to identify and suppress from future communications any obsolete data for individuals whose attendance has lapsed, and who may subsequently have moved address or are deceased.
Measures include:
Unsubscribe link at the bottom of each e-newsletter. Mailchimp manages un-subscribers and automatically cleans them from the Mailing List.
Privacy Policy on website (e.g. informing people how they can access their data)
Update information on Associates page and Mailchimp Sign-up form.
Regularly check permissions on shared Google Drive documents.
Only accessed by authorised persons.
Internal PIAs carried out periodically.
Prompting and encouraging ‘customers’ to periodically review/update their permissions. For arts organisations a pragmatic approach might be to provide such a prompt at least every 2 years.
Uses and conditions for processing
Below is a summary of the various specific types of processing that OVADA carries out, along with the intended purpose for that processing, the data to be processed and what is the lawful basis for processing, and how these conditions for processing are supported.
Each entry below records the outcome/use, the processing required, the data to be processed, the conditions for processing and the evidence for the lawful basis.

Outcome/Use: Newsletter Subscribers. ‘What’s On’ emails used to inform subscribers of events, exhibitions, classes and opportunities at OVADA.
Processing required: Mail-merge from General Mailing List (Mailchimp subscribers).
Data to be processed: Name and email address. (Mailchimp keeps the list accurate: people can update their preferences/details or unsubscribe using the Mailchimp website, or alternatively reply to info@ovada.org.uk and we will update information/remove entries manually.)
Conditions for processing: Consent.
Evidence for lawful basis: Each subscriber has to opt-in to the mailing-list either in person (using paper sign-up sheet) or online (using Mailchimp Form). Mailchimp provides evidence of how consent was given: if it was added using the online form, it will list when and how the subscription took place. If it was added to the list manually by OVADA (with subject’s permission) evidence can be found on the paper sign-up sheet stored (for up to one year) securely in OVADA’s registered office.

Outcome/Use: Associates. Used for subscribing to the Associates scheme and communicating.
Processing required: OVADA’s website (Associate Directory); Google Docs (an Associate Database is held on OVADA’s secure Drive).
Data to be processed: Name; email address; postal address (to send card); website; artistic information/images; student status.
Conditions for processing: Consent.
Evidence for lawful basis: After 1 year of inactive membership, postal address and phone number will be removed from our records. We will keep an archive record of the names and email addresses of previous Associates so if they choose to renew, they will be able to reinstate their membership using the same Associate number. The Associates Database and Associates email address is manually cross-referenced to the WordPress Directory to ensure the information is up-to-date and accurate. For example, Associates whose membership has expired will be removed from the specific Associates email list on Mailchimp.

Outcome/Use: Class Participants. Used to inform them about classes and correspond about bookings/payments etc.
Processing required: Google Docs (a spreadsheet is held for each class, stored on OVADA’s secure Drive); OVADA’s Shop (a record of transactions/order confirmation is held on the website - Squarespace).
Data to be processed: Name; email address; contact phone number.
Conditions for processing: Consent.
Evidence for lawful basis: People on this list will have made contact with us first to register their interest/book classes and we then reply to the email. At the end of emails we give them the option to unsubscribe by replying to us.

Outcome/Use: Studio Mailing List. Used to inform them about studio vacancies.
Processing required: Google Docs spreadsheet, held on OVADA’s secure Drive.
Data to be processed: Name; email address.
Conditions for processing: Consent.
Evidence for lawful basis: People on this list will have made contact with us first to register their interest or apply for a studio and we then reply to the email. At the end of emails we give them the option to unsubscribe by replying to us.
Consent
OVADA relies on consent as the lawful condition for processing and in accordance with this policy, has reviewed the processes and systems to make sure that consent is freely and unambiguously given for specific purposes. (Note: you cannot use the data for another purpose than the one you told the customer you collected it for. Previously you could assume consent or include a small box ‘tick here if you don’t want to hear from me and my friends’. Now you need to be able to prove active consent).
OVADA can evidence an affirmative action on the part of the data subject to have indicated consent, and such that data subjects can reasonably understand who is using their personal information, what information, and for what purposes, and using which communications channels. Through audit trails (e.g. Mailchimp database, paper sign-up sheets, shop receipts), upon request OVADA can demonstrate how and when this consent was obtained.
The ICO advises that these are all specific activities that should be separately consented. E.g. separate mailing lists for Associates, general mail-out and classes.
Our practices and systems communicate an individual’s right to withdraw consent at any time and our processes and systems support the functionality to do so. (e.g. Mailchimp unsubscribe link or providing contact details on OVADA’s website whereby individuals can directly email/phone OVADA’s team with a request)
Privacy Impact Assessments
Privacy Impact Assessments (PIAs - also known as Data Protection Impact Assessments, DPIAs) form an integral part of taking a ‘privacy by design’, best practice approach, and there are certain circumstances under which organisations must conduct PIAs. They are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy, and protect against the risk of harm through use or misuse of personal information. An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
OVADA’s PIAs may be detailed here, or else referenced here and presented as an appendix to this data management policy document. PIAs can address more than one project and contain:
A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller. (e.g. when and how should it be shared? Who requires access to the shared personal data and why?)
An assessment of the necessity and proportionality of the processing in relation to the purpose. (e.g. Does all of the data that you hold about a person need to be processed in a particular way to achieve the objective).
An assessment of the risks to individuals and the measures in place to address risk, including the security framework, and to demonstrate that you comply. (e.g. Is any individual likely to be damaged by the process? Is any individual likely to object? Might it undermine individuals’ trust in the organisations that keep records about them? Can the objective be achieved without sharing the data or by anonymising it?)
Data Sharing
At times OVADA is required to share information relating to personnel with appropriate bodies. For example, data to register a Director with Companies House or process Payroll with an external company.
OVADA uses the ‘bcc’ function in group emails by default unless permission has been explicitly obtained to share email addresses (e.g. group messages to the Board of Trustees).
At present OVADA does not share any other personal information with Third Party organisations and therefore does not have any Data Sharing Agreements in place. There is no intention for this to change however in the event that it does in the future this section will be updated accordingly.
Security measures
The following measures are in place to protect the personal information that OVADA stores from breach:
Technical infrastructure considerations and measures to leverage technology to require or ensure compliance include: restricting and protecting access to the data to those people who need it to perform the processing, using measures such as security software and firewalls, encryption, secure Virtual Private Networks (VPNs), log-in restricted access and two-step authentication.
The procedural and organisational policy measures including using guidance from ICO (www.ico.org.uk)
OVADA’s Email Usage Policy (including Password Management)
Familiarisation with Cloud Data storage guidance for Google Drive (https://cloud.google.com/security/gdpr). All files are confidential and will remain only on the Google Drive
All Staff (salaried and freelance), Trustees and volunteers may not download any files to another cloud service, device or hard drive without prior written agreement from the Director
All Staff (salaried and freelance), Trustees and volunteers may not access files or OVADA accounts after they leave the organisation
If a data breach has taken place, the following measures are in place to ensure that any breaches are reported to the ICO within the required timescales, alongside measures to ensure that any data to be deleted is deleted securely and without further risk of breach:
Adopt a recovery plan, including damage limitation.
Carry out an assessment of any ongoing risks associated with the breach.
Consider whether a breach of security should be notified, who should be notified and what information should be given, including specific advice to individuals on the steps they can take to protect themselves.
Evaluate the cause of a breach and the effectiveness of its response to it.
Automated processing - Not currently relevant
[Update with details of any automated processing or decision making undertaken by your company, including profiling. You should describe the lawful condition for that processing, what the outcomes are, and that in a case where such processing leads to a significant legal or other effect on the individual, how you have weighed the outcomes of that processing against the rights and freedoms of the individuals. The process of weighing the organisation’s interest against the rights of the individual should always be transparently demonstrated. Privacy Statements should include details of any automated processing, (including details of any third party profiling tools or datasets that are used to append information which will build a profile of individuals) and the outcomes of this processing, together with details of how individuals can exercise their right not to be subjected to such].
Subject access requests for information
All individuals who are the subject of data held by OVADA are entitled to:
Ask what information the company holds about them and why
Ask how to gain access to it
Be informed how to keep it up to date
Be informed how the company is meeting its data protection obligations
In the event of receiving a request for information, OVADA will follow the process of the ICO’s ‘Step-By-Step’ Guide for Subject Access Requests: https://ico.org.uk/for-organisations/data-protection-advice-for-small-organisations/how-to-deal-with-a-request-for-information-a-step-by-step-guide
The right to be forgotten
Subjects have the right to be deleted from OVADA’s database. In the event of such a request, OVADA will follow the ICO’s Guidance for the Rights to Get Data Deleted: https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/. Each request will be evaluated on an individual basis and decisions around what data would be deleted and what data may need to be retained will be made in compliance with the ICO.
Privacy Policy and Notices
OVADA aims to ensure that individuals are aware that their data is being processed, and that they understand:
Who is processing their data: OVADA Ltd
What data is involved
The purpose for processing that data
The outcomes of data processing
How to exercise their rights.
To these ends the company has a Privacy Statement, setting out how data relating to these individuals is used by the company. The Privacy Statement can be viewed by individuals on OVADA’s website: www.ovada.org.uk/privacy
Ongoing documentation of measures to ensure compliance
Meeting the obligations of the GDPR to ensure compliance will be an ongoing process. OVADA details here the ongoing measures implemented to:
Maintain documentation/evidence of the privacy measures implemented and records of compliance
Regularly test the privacy measures implemented and maintain records of the testing and outcomes.
Use the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts.
Keep records showing training of employees on privacy and data protection matters.
Ongoing review of the Data Management Policy and online Privacy Statement whenever any changes occur to personnel, practices or policies, or technical infrastructure that impact any of the information given. A formal annual date for holistic review is given in the document header but the document is considered a dynamic articulation of the organisation’s data management policy which is under constant revision.
Under the Data Protection (Charges and Information) Regulations 2018, organisations that process personal data need to pay a data protection fee (£40 for microbusinesses) to the ICO, unless they are exempt. OVADA is currently exempt as we collect data for ‘not-for-profit’ purposes. We will however periodically check that the exemption still applies by completing the Registration Self Assessment via the ICO’s website: https://ico.org.uk/for-organisations/data-protection-fee. This will enable us to find out if our organisation is required to pay a fee to the ICO (last checked November 2020). Organisations may choose to opt-in, even if they are exempt.
Resources:
Glossary:
Data Controller
The person who, either alone, jointly or in common with other people determines the purposes for which and the manner in which any personal data is processed. A party may be a Data Controller, even if the information concerned is held by somebody else. There can be more than one Data Controller in respect of a piece of data.
Most, if not all, of the principal obligations in the DPA fall to the Data Controller.
In the cultural sector this is commonly (but not exclusively) an organisation managing ticketing transactions, most often the presenting venue.
Data Processor
A data processor processes personal data only on behalf of a data controller.
Data Subject
An identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Personal Data
Any information relating to a data subject.
Personal data is data relating to living individuals who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. Data is also defined in the DPA as information which is being processed by means of equipment that operates automatically in response to instructions given for that purpose, or is recorded with the intention that it should be processed by means of such equipment. The DPA therefore applies to automated data, such as that stored on a computer. It also extends to certain manual records. The DPA imposes some additional obligations on the Data Controller in relation to ‘sensitive personal data’. Sensitive personal data is data which relates to race, political opinions, health, sexual life, religious and other similar belief, trade union membership and/or criminal records.
FAQs
-General Data Protection Regulations come into force on 25th May 2018, so what should you do in preparation?
Minimise the data held: data should be adequate, relevant and limited to what is necessary to the purpose. Only collect the information that you need and will use.
Have a retention schedule and delete data in a timely way. It is not legal to store data ‘forever’ or for an unlimited time period ‘just in case’ however much value you think it could be in the future as it would be for a different purpose.
Keep the data secure. This information is confidential. Only share it with people for whom you have explicit consent to share it with. Don’t download information on shared computers, and keep all devices where the information is stored password protected. (Put your external hard-drive in a safe.)
You are required to tell people what information you’ll keep and why, how you’ll use it, where it’s stored, who else has access to it and when you’ll delete it – this is your Privacy Policy.
You should have your Privacy Policy on your website separate from any Terms and Conditions and it should include information on cookies. You are also required legally to be able to show any individual all your records on them in all formats, make a change for them, delete them all or restrict use if asked, within 30 days.
-If, in reviewing your past regime for obtaining the necessary permissions from customers, it became clear that the present best practice guidance, or the requirements under GDPR has not always been followed, can you still continue to contact those individuals?
Up until the 25th May 2018, if you are certain that your organisation has a legitimate basis for contacting individuals under the DPA or PECR, you may contact them to further clarify their wishes in such a way as to obtain consents that comply with the requirements of GDPR. However, you cannot contact any individuals that have either expressed a wish not to be contacted by you, or that you have no legitimate basis for contacting under the former DPA legislation or PECR.
After 25th May 2018, if you rely on “consent” as the basis for contact, you can no longer contact anyone from whom you have not gained “consent” in a manner which is compliant with GDPR. OVADA has a record of consent for each individual on the mailing list.
-How do we Export Proof of Consent from Mailchimp?
To get proof of consent data, just export your list. If you only want to see who's in the consent group, view or export segments of your list. You may want to keep a copy of your signup form also, in case you need to prove that the form included all of CASL's required information. When you export your list, you'll get a CSV file with a lot of columns and a ton of information. Look for these columns:
OPTIN_TIME: If double opt-in is turned on, this column will display the date and time the contact clicked the link in the opt-in confirmation email.
OPTIN_IP: If double opt-in is turned on, this column will display the IP address when they accessed your hosted signup form.
CONFIRM_TIME: When the person originally clicked to join your list.
CONFIRM_IP: The IP address from which they confirmed their subscription.
MailChimp tracks this information through your signup form, so we can't determine it for subscribers you import. To be safe, you should also have proof of consent for imported subscribers in a separate document or in hidden text fields in your MailChimp list.
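As an added example (not OVADA's own tooling, nor Mailchimp's), the script below reads such an export and lists the subscribers whose consent columns are all empty, so a separate record of consent (e.g. the paper sign-up sheet) must be held for them. The sample export and the "Email Address" column name are constructed assumptions.

```python
"""Check a Mailchimp audience export for proof-of-consent evidence.

Added example; not part of OVADA's policy or of Mailchimp's tooling. It assumes
the export is the CSV described above, with the columns OPTIN_TIME, OPTIN_IP,
CONFIRM_TIME and CONFIRM_IP, and that the address column is "Email Address"
(an assumption).
"""
import csv
import io
import sys

CONSENT_COLUMNS = ("OPTIN_TIME", "OPTIN_IP", "CONFIRM_TIME", "CONFIRM_IP")
EMAIL_COLUMN = "Email Address"  # assumed column name

# Constructed sample export: one subscriber with full form evidence, one with
# partial evidence, and one imported manually with no form evidence at all.
SAMPLE_EXPORT = """Email Address,First Name,OPTIN_TIME,OPTIN_IP,CONFIRM_TIME,CONFIRM_IP
anna@example.org,Anna,2018-06-01 10:15:00,203.0.113.5,2018-06-01 10:17:42,203.0.113.5
ben@example.org,Ben,2019-02-14 09:00:00,198.51.100.7,,
chloe@example.org,Chloe,,,,
"""


def populated_consent_columns(row):
    """Return the consent columns that carry a value for one export row."""
    return [c for c in CONSENT_COLUMNS if (row.get(c) or "").strip()]


def consent_report(export_text):
    """Map each email address to the consent evidence columns Mailchimp recorded.

    Raises ValueError if the export lacks any of the expected columns, so a
    wrong or truncated export is not mistaken for 'no subscriber has evidence'.
    """
    reader = csv.DictReader(io.StringIO(export_text))
    fields = reader.fieldnames or []
    missing = [c for c in (EMAIL_COLUMN,) + CONSENT_COLUMNS if c not in fields]
    if missing:
        raise ValueError(f"export lacks expected columns: {missing}")
    return {
        (row.get(EMAIL_COLUMN) or "").strip().lower(): populated_consent_columns(row)
        for row in reader
        if (row.get(EMAIL_COLUMN) or "").strip()
    }


def needs_external_evidence(export_text):
    """Addresses with no form-based evidence; consent must be proved another way."""
    return sorted(e for e, cols in consent_report(export_text).items() if not cols)


if __name__ == "__main__":
    # Pass an export file path to check a real export; otherwise use the sample.
    text = open(sys.argv[1], newline="").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for email, cols in consent_report(text).items():
        print(f"{email}: {', '.join(cols) if cols else 'NO FORM EVIDENCE'}")
    print("needs separate proof of consent:", needs_external_evidence(text))
```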
-Do we need to pay to register with the Information Commissioner’s Office (ICO) who keep a public database of ‘data controllers’?
There’s a self-assessment tool on their website you can use to check at https://ico.org.uk/for-organisations/register/self-assessment. Fortunately if you only collect names, addresses and email addresses for not-for-profit purposes then you are probably exempt from registering.
-What classes as ‘held’ data?
Data ‘held’ includes: information on spreadsheets/documents saved onto or downloaded on hard drives, laptops, phones, tablets etc.; a website hosted elsewhere; old emails mentioning people, their names and phone numbers (e.g. Outlook, Yahoo); cloud-based data holding and transferring facilities (e.g. Dropbox, Google Drive, MailChimp); and cookies on your website. Note: Dropbox, Mailchimp, Google and other cloud facilities are all data processors as they store data. These are US companies and so not subject to GDPR, so to use them and comply you should look for the ‘Privacy Shield’ that shows they have signed up to EU privacy law. Using Paypal is fine if your site ‘spits out’ a customer into the Paypal site and you don’t provide them with any information. Paypal sends back money against a reference/name, which is data you should then keep protected.
APPENDIX 1:
Copy of Online Privacy Notice: www.ovada.org.uk/privacy
Introduction
We have recently updated our Privacy Policy and our Data Protection Policy to ensure that we comply with the new General Data Protection Regulation (GDPR) which came into effect on 25 May 2018. The GDPR governs how organisations collect, use and store ‘personal data’.
We want you to be fully aware of the data that OVADA collects from you as a supporter, visitor, class participant, audience member or artist involved with our organisation and inform you about how we use and store this information. By providing your personal data to OVADA you will be deemed to have consented to the processing of such data.
Newsletters
The main way that we use personal data is to send out regular newsletters by email telling supporters and artists about forthcoming exhibitions, events, classes, opportunities and general news. We usually send general newsletters to our subscribers once every 4-6 weeks. You can view past newsletters HERE.
To receive these newsletters you can sign up to OVADA’s general mailing list using THIS FORM via MailChimp.
We also hold specific mailing lists for supporters who have signed up to OVADA Associates and Class Participants. These newsletters include specific information related to either the Associates or Education programme.
If you receive newsletters from OVADA that you would prefer not to receive, you can unsubscribe from our mailing list at any time by using the ‘unsubscribe’ link at the bottom of our emails. Alternatively you can email your request to info@ovada.org.uk; write to us at: OVADA, 14A Osney Lane, Oxford OX1 1NJ; or phone us on 01865 200979.
Cookies
Cookies are small data files that are placed on your computer or mobile device when you visit a website. Cookies are widely used by online service providers in order to, for example, make their websites or services work as well as to provide reporting information. Cookies do not typically contain any information that personally identifies a user, but personal information that OVADA stores about you may be linked to the information stored in and obtained from cookies.
You can set or amend your web browser controls to accept/refuse cookies or so you are given a warning when Cookies are being used. If you choose to reject cookies, you may still use our website though access to some functionality may be restricted. Visit your browser’s help menu for more information. Cookies used on our website may include:
-Google Analytics: to analyse how our website is used, create reports and improve your experience when using it. Information collected via cookies may include the number of visitors to the site, which pages they visited and where they came to our site from. Information is anonymous and cannot be used to personally identify you. We use this information to report to our employees, trustees and funders. View Google’s Privacy Policy for further information.
-MailChimp: to enable website users to sign-up to our e-newsletter or to recognise when our subscribers have opened an e-newsletter/clicked certain links. These technologies record each subscribers email address, IP address, date, and time associated with each open/click for an e-newsletter. We use this data to create reports about how an email campaign performed and what actions subscribers took. View MailChimp’s Privacy Policy for further information.
-WordPress: to collect information relating to our general enquiries and our Associates Directory. This information can include name, postal address, email address, phone number and information about you as an artist that you provide us with. We use these details to get in touch with you and provide you with further information relating to your enquiry or Associate application. Any data that is used for producing reports is anonymised. View WordPress’ Privacy Policy for further information.
-Third-party cookies may be sent to you by third-party websites, including Facebook, YouTube, Vimeo, Instagram or Twitter, when using OVADA’s website. These third-party cookies are outside of our organisation’s control, and we therefore recommend that you check the website of each third party to view their privacy policies.
Other Websites
Our website or email communications may contain links to external websites which are outside of our organisation’s control and are therefore not covered by our privacy notice. We therefore recommend that you check the individual privacy policies of external sites.
Privacy Notices
-Artists and Associates: If you would like to find out how OVADA manages your personal data, please read our Privacy Notice for Artists and Associates.
-Supporters (including newsletter subscribers, class participants and people who have purchased tickets or items from us): If you would like to find out how OVADA looks after your personal data, please read our Privacy Notice for Supporters.
Privacy Policy
If you would like more information about how OVADA collects, processes, retains and manages personal data; how to access your personal data; have any concerns; or how to make a complaint, please request our full Privacy Policy.
Data Protection Policy
For more information about how OVADA manages data generally, please request our Data Protection Policy.
Updates
Our Privacy Notices and Policies may be updated at any time. OVADA therefore recommends that you review our policies each time you provide us with personal data. We will always keep an updated version of our policies on this page.
Summary
We take your privacy seriously and do not want to send you information that you do not wish to receive, or to store personal information for longer than necessary. You have the right to unsubscribe, change your preferences, and ask us to stop processing your personal data at any time. You also have a right to ask for a copy of the information we hold about you. If you notice that we have incorrect information for you, please inform us so we can amend or remove your personal data immediately.
Contact Us
Please do not hesitate to contact us using the contact details below if you require any further information:
Email: info@ovada.org.uk
Postal Address: Director, OVADA, 14A Osney Lane, Oxford OX1 1NJ
Telephone Number: 01865 200979
APPENDIX 2:
Briefing for Trustees (taken from ICO website):
See 12 Step Guide: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
What’s new under the GDPR (General Data Protection Regulation)?
The documentation of processing activities is a new requirement under the GDPR.
You need to make sure that you have in place a record of your processing activities by 25 May 2018.
What is documentation?
Most organisations are required to maintain a record of their processing activities, covering areas such as processing purposes, data sharing and retention; we call this documentation.
Documenting your processing activities is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the GDPR.
Who needs to document their processing activities?
If you have fewer than 250 employees, you only need to document processing activities that:
are not occasional; or
could result in a risk to the rights and freedoms of individuals; or
involve the processing of special categories of data or criminal conviction and offence data.
What do we need to document under Article 30 of the GDPR?
You must document the following information:
The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
The purposes of your processing.
A description of the categories of individuals and categories of personal data.
The categories of recipients of personal data.
Details of your transfers to third parties including documenting the transfer mechanism safeguards in place.
Retention schedules.
A description of your technical and organisational security measures.
How do we document our processing activities?
Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is.
You can find out why personal data is used, who it is shared with and how long it is kept by distributing questionnaires to relevant areas of your organisation, meeting directly with key business functions, and reviewing policies, procedures, contracts and agreements.
When documenting your findings, the records you keep must be in writing (new Data Management Policy). The information must be documented in a granular and meaningful way.
Publish and regularly update online Privacy Notice