Artlink and Your Information
We need to have some pieces of information about the people who work for us, the people who volunteer for us and the people who use our services. The law tells us how we have to treat this information and we take this very seriously. This document tells you what we promise to do with your information. The law says we must have a Data Controller. This is the person who is responsible for keeping your information safe. You can contact the Data Controller at the addresses below.
WE PROMISE we will only ask you for information that we need to do our work safely and well. Before we ask you for any information, we will think carefully about why we need it and how we will use it. Some information we have to have, because without it we can’t carry out our duties to our staff, volunteers and members. If you don’t know why we need a piece of information just ask the Data Controller at the addresses below.
WE PROMISE that we will keep your information secure and that only the people who need it will be able to access it. Your information will be kept in a secure place. If this is on a computer, it will be password protected and only authorised people will be able to access it. Information on paper will be kept in a locked drawer and only authorised people will have access to the key.
WE PROMISE we will not pass any of your information on to a third party without your permission. We will never sell information about you to a third party. However, there may be times a third party needs some information about you. We will not pass on any information about you unless we have your permission.
WE PROMISE we will only contact you in the ways you have given us permission to. So, if you tell us you want us to contact you by post, not email that is what we will do.
WE PROMISE that you can see the information we keep about you. If you want to see what information we keep about you, you can ask to see it by contacting the Data Controller at the addresses below. We aim for you to be able to see your information within 10 working days of you asking us.
WE PROMISE that we will remove information about you if you ask us to do this. You can ask us to remove information about you from our records by contacting the Data Controller at the addresses below. You can ask for all or some of the information to be removed.
Vanessa Cameron, Data Controller, Artlink, 13a Spittal Street, Edinburgh EH3 9DY
Artlink Data Protection Policy & Key Procedures
1. Aims of this Policy
Artlink needs to keep certain information on its employees, volunteers, service users and trustees to carry out its day to day operations, to meet its objectives and to comply with legal obligations. Artlink will only hold data that is absolutely necessary for the completion of its duties and will limit the access to personal data only to those needing to act out the processing.
The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998 and General Data Protection Regulation 2018. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.
This policy covers employees, volunteers, service users and trustees.
In line with the Data Protection Act 1998 principles, Artlink will ensure that personal data will:
• Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
• Be obtained for a specific and lawful purpose
• Be adequate, relevant but not excessive
• Be accurate and kept up to date
• Not be held longer than necessary
• Be processed in accordance with the rights of data subjects
• Be subject to appropriate security measures
• Not to be transferred outside the European Economic Area (EEA)
The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.
3. Type of information processed
Artlink processes the following personal information:
• Employees: contact details, DOB, bank account number, payroll information
• Volunteers: contact details, age range, interests/preferences
• Service Users: contact details, age range, nature of support need, interests/preferences
• Trustees: contact details, age range
Personal information is kept in the following forms:
• Electronically on databases.
• Paper based in files.
Designated employees of Artlink that will process personal information are:
• Arts Access Coordinator
• Arts Access Administrator
• Administrative Coordinator
• Midlothian Coordinator
• Programme Support Worker
4. Notification to the Information Commissioner
The needs we have for processing personal data are recorded on the public register maintained by the Information Commissioner. We notify and renew our notification on an annual basis as the law requires.
If there are any interim changes, these will be notified to the Information Commissioner within 28 days.
The name of the Data Controller within our organisation as specified in our notification to the Information Commissioner is Vanessa Cameron
Overall responsibility for personal data in a voluntary organisation rests with the governing body. In the case of Artlink, this is the Artlink Board of Directors.
The governing body delegates tasks to the Data Controller. The Data Controller is responsible for:
• Understanding and communicating obligations under the Act
• Identifying potential problem areas or risks
• Producing clear and effective procedures
• Notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes
All employees who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.
Breach of this policy will result in disciplinary proceedings.
6. Policy Implementation
To meet our responsibilities employees will:
• Ensure any personal data is collected in a fair and lawful way;
• Explain why it is needed at the start;
• Ensure that only the minimum amount of information needed is collected and used;
• Ensure the information used is up to date and accurate;
• Review the length of time information is held;
• Ensure it is kept safely;
• Ensure the rights people have in relation to their personal data can be exercised.
We will ensure that:
• Everyone managing and handling personal information is trained to do so;
• Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do;
• Any disclosure of personal data will be in line with our procedures;
• Queries about handling personal information will be dealt with swiftly and politely
7. Gathering and checking information
Before personal information is collected, we will consider:
• What details are necessary for your purposes;
• How long you are likely to need this information
We will inform people whose information is gathered about the following:
• Why the information is being gathered;
• What the information will be used for;
• Who will have access to their information
We will regularly contact you to ensure that personal information kept is accurate.
Personal sensitive information will not be used apart from the exact purpose for which permission was given.
8. Retention periods
Artlink will ensure that information is kept according to the following retention periods guidelines:
• Personnel files – 7 years after employment/volunteering ceases
• Application forms and interview notes (unsuccessful candidates)- 1 year
• Letters of reference – 7 years from the end of employment
• Redundancy details – 7 years from the date of redundancy
• Parental leave – 7 years from birth/adoption or 18 if child receives a disability allowance
• Accident books, accident records/reports – 3 years
• Assessments under health & safety regulations – Permanently
• Income tax, NI returns, income tax records and correspondence with IR – At least 7 years after the end of the financial year to which they relate
• Statutory maternity pay records and calculations – At least 7 years after the end of the financial year to which they relate
• Statutory sick pay records and calculations – At least 7 years after the end of the financial year to which they relate
• Wages and salary records – 7 years
• Employee joining/new starter form – 7 years after employment ceases
• Project information on service users – Data relating to programmes will be retained for as long as is necessary to provide an audit trail for funders, as set out in contractual agreements. Normally up to 7 years.
Specific project retention periods
• Arts Access – 3 years after the client has indicated they are no longer in a position to require the service.
• Art Programmes – 3 years after the client has indicated they are no longer in a position to require the service.
• Volunteers/Artists – 3 years after the volunteer/artists has indicated they no longer wish to be an active part of Artlink
• PVG records – 3 years after the volunteer/artists has indicated they no longer wish to be an active part of Artlink
Once data is no longer required it will destroyed when in paper format. If the information is held electronically then it will be put beyond use. This means that the data controller:
• Is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
• Does not give any other organisation access to the personal data;
• Surrounds the personal data with appropriate technical and organisational security; and
• Commits to permanent deletion of the information if, or when, this becomes possible.
9. Data Security
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:
• Use lockable cupboards with restricted access to keys for paper files.
• Password protection on personal information files on electronic files.
• Back up of data on computers are to the cloud off site.
• Password protected attachments for sensitive personal information sent by email.
Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings.
The Board and trustees are accountable for compliance of this policy. A trustee could be personally liable for any penalty arising from a breach that they have made.
Any unauthorised disclosure made by a volunteer may result in the termination of the volunteering agreement.
10. Procedure in case of a breach
When data protection breach occurs that may result in a risk for the rights and freedoms of individuals will notify the Office of the Information Commissioner within 72 hours. We will notify those affected without undue delay after first becoming aware of a data breach.
Once we have notified all relevant parties immediate consideration will be given to reviewing practices.
11. Subject Access Requests
Anyone who Artlink holds data on (data subject) has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Type of information you may wish to seek is:
• What information we hold and process on them
• How to gain access to this information
• How to keep it up to date
• What we are doing to comply with the Act/GDPR.
They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.
Data subjects also have the right to be forgotten. The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent.
Data subjects also have the right to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine readable format’ and have the right to transmit that data to another controller.
Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files.
Any person wishing to exercise this right should apply in writing to the data controller:
Vanessa Cameron, Data Controller, Artlink, 13a Spittal street, Edinburgh EH3 9DY
The following information will be required before access is granted:
• Full name and contact details of the person making the request
• Your relationship with the organisation (former/current member of staff, trustee, volunteer or service user)
We may also require proof of identity before access is granted. The following forms of ID will be required:
• Proof of address
Queries about handling personal information will be dealt with swiftly and politely.
We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days required by the Act from receiving the written request
This policy will be reviewed at intervals of 1 year to ensure it remains up to date and compliant with the law.
There are many ways in which can get involved with Artlink – participate in one of our programmes, volunteer for us or work with us as a sessional artist.
You can find all the forms you need below.
If you would like to be involved in one-off projects with Artlink please complete the short form and send it to us, we will contact you to discuss any possibilities with you.
If you would like to use the Arts Access service to go the theatre, cinema or galleries accompanied by a trained volunteer, please complete and send back.
If you would like to volunteer for the Arts Access service.
Artlink only asks you for information that we need to do our work safely and well. For more information about our approach to data protection and you privacy please visit the Data Protection page on this site.
Artlink has supported Gail Keating, a retired teacher to publish two new books about what her autistic pupils taught her.
Gail Keating, a retired teacher of students with multiple and complex needs has distilled over 30 years learning from people with autism into two volumes. Gail’s books ‘Paper and Pens’ are two illustrated volumes, one of stories and one of tools, intended as friendly supports for parents or support staff working with anyone who has autism related anxiety or requires creative communication.
“This book aims to help all of us who share the lives of those with what is called autism to learn to think differently ourselves so that they can understand us better.”
Readers will discover Gail’s stories in Volume 1 – through anonymous characters or vignettes of those she’s taught (or as she’d describe it, what they’ve taught her), and how they helped her see a different vision of the world. In Volume 2, she shares some of the tools or practical ways which helped mutual communication.
The book is for anyone who supports someone with autism or a learning disability who wants to understand more about another’s perspective.
Gail’s book is available free of charge through Midlothian libraries and is available to buy or download from the Artlink Shop.
This work has been supported by the RS Macdonald Charitable Trust Fund and Midlothian Council Autism Strategy.
Discovery is a new project to design a digital resource for people with complex needs of any age to find activity to appeal to particular sensory interests. So many of the requests we receive are from parents or carers looking for personal, meaningful opportunities that allow people to connect with something that reflects who they are, and have freedom to enjoy that.
With the expertise of a software engineering team from JP Morgan’s Force for Good programme, Artlink will create a unique directory to browse experiences from the perspective of people with particular sensory interests in Midlothian by collating knowledge suggested by parents and support teams. Working in collaboration with park rangers, community organisations and heritage facilities we will share opportunities with sensory appeal.
We aim to create a responsive web page (for phone, iPad or desktop) by Summer 2019 to allow parents or carers of people with profound and multiple learning disability to find specific experiences for those they care for.
Watch this short film – it does a better job of describing this project than words!
Discovery will to use unique local knowledge to share meaningful activity.
Where can I watch owls fly?
Where are there interesting places for someone who loves to listen?
My daughter loves reflection – where can I find lots of mirrors?
I support someone who loves the movement of trains – where can we go?
Supported by JP Morgan Chase, National Lottery Year of the Young Person and Midlothian Council
Join us at the launch of The Ripple Effect – a research project that explored new forms of collaborative arts practice that positively impact on the lives of people with profound and multiple learning disabilities and their care-workers.
We would like to invite you to hear about some of the innovative ideas and concepts presented in this report.
Light refreshments will be served. All are welcome.
0131 229 355
The Ripple Effect report presents the findings of a 12 month project funded by Health Improvement Scotland to explore the work of Artlink within the Cherry Road Learning Centre, and the impact of integrating art into social care in the lives of people with Profound and Multiple Learning Disabilities (PMLD).
The research partnership involved the expertise of Dundee University academics in conducting a qualitative study and the development of recommendations for use in transforming social care.