Data Protection

Artlink and Your Information

We need to have some pieces of information about the people who work for us, the people who volunteer for us and the people who use our services. The law tells us how we have to treat this information and we take this very seriously. This document tells you what we promise to do with your information. The law says we must have a Data Controller. This is the person who is responsible for keeping your information safe. You can contact the Data Controller at the addresses below.

WE PROMISE we will only ask you for information that we need to do our work safely and well. Before we ask you for any information, we will think carefully about why we need it and how we will use it.  Some information we have to have, because without it we can’t carry out our duties to our staff, volunteers and members. If you don’t know why we need a piece of information just ask the Data Controller at the addresses below.

WE PROMISE that we will keep your information secure and that only the people who need it will be able to access it. Your information will be kept in a secure place. If this is on a computer, it will be password protected and only authorised people will be able to access it. Information on paper will be kept in a locked drawer and only authorised people will have access to the key.

WE PROMISE we will not pass any of your information on to a third party without your permission. We will never sell information about you to a third party. However, there may be times a third party needs some information about you. We will not pass on any information about you unless we have your permission.

WE PROMISE we will only contact you in the ways you have given us permission to. So, if you tell us you want us to contact you by post, not email that is what we will do.

WE PROMISE that you can see the information we keep about you.  If you want to see what information we keep about you, you can ask to see it by contacting the Data Controller at the addresses below. We aim for you to be able to see your information within 10 working days of you asking us.

WE PROMISE that we will remove information about you if you ask us to do this. You can ask us to remove information about you from our records by contacting the Data Controller at the addresses below. You can ask for all or some of the information to be removed.

Vanessa Cameron, Data Controller, Artlink, 13a Spittal Street, Edinburgh EH3 9DY

Artlink Data Protection Policy & Key Procedures

1. Aims of this Policy

Artlink needs to keep certain information on its employees, volunteers, service users and trustees to carry out its day to day operations, to meet its objectives and to comply with legal obligations. Artlink will only hold data that is absolutely necessary for the completion of its duties and will limit the access to personal data only to those needing to act out the processing.

The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998 and General Data Protection Regulation 2018. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.

This policy covers employees, volunteers, service users and trustees.

2. Definitions

In line with the Data Protection Act 1998 principles, Artlink will ensure that personal data will:
• Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
• Be obtained for a specific and lawful purpose
• Be adequate, relevant but not excessive
• Be accurate and kept up to date
• Not be held longer than necessary
• Be processed in accordance with the rights of data subjects
• Be subject to appropriate security measures
• Not to be transferred outside the European Economic Area (EEA)

The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.

3. Type of information processed

Artlink processes the following personal information:
• Employees: contact details, DOB, bank account number, payroll information
• Volunteers: contact details, age range, interests/preferences
• Service Users: contact details, age range, nature of support need, interests/preferences
• Trustees: contact details, age range

Personal information is kept in the following forms:
• Electronically on databases.
• Paper based in files.

Designated employees of Artlink that will process personal information are:
• Arts Access Coordinator
• Arts Access Administrator
• Administrative Coordinator
• Midlothian Coordinator
• Programme Support Worker
• Bookkeeper

4. Notification to the Information Commissioner

The needs we have for processing personal data are recorded on the public register maintained by the Information Commissioner. We notify and renew our notification on an annual basis as the law requires.

If there are any interim changes, these will be notified to the Information Commissioner within 28 days.

The name of the Data Controller within our organisation as specified in our notification to the Information Commissioner is Vanessa Cameron

5. Responsibilities

Overall responsibility for personal data in a voluntary organisation rests with the governing body. In the case of Artlink, this is the Artlink Board of Directors.

The governing body delegates tasks to the Data Controller. The Data Controller is responsible for:
• Understanding and communicating obligations under the Act
• Identifying potential problem areas or risks
• Producing clear and effective procedures
• Notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes

All employees who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.

Breach of this policy will result in disciplinary proceedings.

6. Policy Implementation

To meet our responsibilities employees will:
• Ensure any personal data is collected in a fair and lawful way;
• Explain why it is needed at the start;
• Ensure that only the minimum amount of information needed is collected and used;
• Ensure the information used is up to date and accurate;
• Review the length of time information is held;
• Ensure it is kept safely;
• Ensure the rights people have in relation to their personal data can be exercised.

We will ensure that:
• Everyone managing and handling personal information is trained to do so;
• Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do;
• Any disclosure of personal data will be in line with our procedures;
• Queries about handling personal information will be dealt with swiftly and politely

7. Gathering and checking information

Before personal information is collected, we will consider:
• What details are necessary for your purposes;
• How long you are likely to need this information

We will inform people whose information is gathered about the following:
• Why the information is being gathered;
• What the information will be used for;
• Who will have access to their information

We will regularly contact you to ensure that personal information kept is accurate.

Personal sensitive information will not be used apart from the exact purpose for which permission was given.

8. Retention periods

Artlink will ensure that information is kept according to the following retention periods guidelines:
• Personnel files – 7 years after employment/volunteering ceases
• Application forms and interview notes (unsuccessful candidates)- 1 year
• Letters of reference – 7 years from the end of employment
• Redundancy details – 7 years from the date of redundancy
• Parental leave – 7 years from birth/adoption or 18 if child receives a disability allowance
• Accident books, accident records/reports – 3 years
• Assessments under health & safety regulations – Permanently
• Income tax, NI returns, income tax records and correspondence with IR – At least 7 years after the end of the financial year to which they relate
• Statutory maternity pay records and calculations – At least 7 years after the end of the financial year to which they relate
• Statutory sick pay records and calculations – At least 7 years after the end of the financial year to which they relate
• Wages and salary records – 7 years
• Employee joining/new starter form – 7 years after employment ceases
• Project information on service users – Data relating to programmes will be retained for as long as is necessary to provide an audit trail for funders, as set out in contractual agreements. Normally up to 7 years.

Specific project retention periods
• Arts Access – 3 years after the client has indicated they are no longer in a position to require the service.
• Art Programmes – 3 years after the client has indicated they are no longer in a position to require the service.
• Volunteers/Artists – 3 years after the volunteer/artists has indicated they no longer wish to be an active part of Artlink
• PVG records – 3 years after the volunteer/artists has indicated they no longer wish to be an active part of Artlink

Once data is no longer required it will destroyed when in paper format. If the information is held electronically then it will be put beyond use. This means that the data controller:
• Is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
• Does not give any other organisation access to the personal data;
• Surrounds the personal data with appropriate technical and organisational security; and
• Commits to permanent deletion of the information if, or when, this becomes possible.

9. Data Security

The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:
• Use lockable cupboards with restricted access to keys for paper files.
• Password protection on personal information files on electronic files.
• Back up of data on computers are to the cloud off site.
• Password protected attachments for sensitive personal information sent by email.

Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings.

The Board and trustees are accountable for compliance of this policy. A trustee could be personally liable for any penalty arising from a breach that they have made.
Any unauthorised disclosure made by a volunteer may result in the termination of the volunteering agreement.

10. Procedure in case of a breach
When data protection breach occurs that may result in a risk for the rights and freedoms of individuals will notify the Office of the Information Commissioner within 72 hours. We will notify those affected without undue delay after first becoming aware of a data breach.

Once we have notified all relevant parties immediate consideration will be given to reviewing practices.

11. Subject Access Requests

Anyone who Artlink holds data on (data subject) has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Type of information you may wish to seek is:
• What information we hold and process on them
• How to gain access to this information
• How to keep it up to date
• What we are doing to comply with the Act/GDPR.

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.

Data subjects also have the right to be forgotten. The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent.

Data subjects also have the right to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine readable format’ and have the right to transmit that data to another controller.

Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files.

Any person wishing to exercise this right should apply in writing to the data controller:
Vanessa Cameron, Data Controller, Artlink, 13a Spittal street, Edinburgh EH3 9DY

The following information will be required before access is granted:
• Full name and contact details of the person making the request
• Your relationship with the organisation (former/current member of staff, trustee, volunteer or service user)

We may also require proof of identity before access is granted. The following forms of ID will be required:
• Passport
• Proof of address

Queries about handling personal information will be dealt with swiftly and politely.
We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days required by the Act from receiving the written request

12. Review

This policy will be reviewed at intervals of 1 year to ensure it remains up to date and compliant with the law.