Key Definitions and Facts
- GDPR (General Data Protection Regulation) supercedes the original data protection act.
- PECR (Privacy and electronic communications directive (regulation)) interacts with GDPR.
- Personal data – anything that can identify a person.
- Sensitive personal data – includes ethnicity, sexual orientation, disability status, Religious or philosophical beliefs. Genetic and biometric information is also newly classified in this legislation.
In accordance with General Data Protection Regulation 2018, Peshkar (Company Limited by Guarantee No. 3918088 and a Charity in England and Wales No. 1091092)is a Data Controller.
The Old Museum,
The Data Protection Officer for the organization is Steph Meskell-Brocken. She should be contacted on email@example.com for any enquiries regarding Data Protection or requests for Data.
Peshkar collects Data on Participants, Staff members (including freelance staff), Board Members and partner contacts.
Staff, Board Member and Partner data is collected under the basis of Legitimate Interest.
Participant data, including photographic and video footage is collected on the basis of Consent.
Peshkar collects the following Data as part of our regular monitoring procedures:
- Dates of Birth
- Disability Status
- Evaluation comments
- Photographic images
- Video footage
This Data is collected in the following ways:
- Project registration forms
- Project evaluation forms
- Video evaluation
- Arts Award cover sheets
- Within artistic sessions in the creation of artworks
- Within artistic sessions for the promotion and marketing of projects
- Online communications such as website comment forms, Facebook, Twitter and Instagram data.
Data is shared with funders on receipt of requests for monitoring information. These funders include but are not limited to Arts Council England, Heritage Lottery Fund, Oldham Council and British Council (administering Erasmus and Creative Europe).
Peshkar works in partnership with other organisations across the charities sector and, as such, will sometimes need to share data with these organsiations for the purposes of creating artworks, marketing and promoting projects and reporting to funders. When this is the case, data sharing agreements will be drawn into the partnership contracting procedure.
Peshkar uses Google as its email and cloud client. Data is held via Google Drive in secure files. Only those which do not contain Sensitive Personal Data are shared across the staff team. Google is GDPR compliant and has published details of its compliance here https://www.google.com/cloud/security/gdpr/
Peshkar occasionally uses other clients such as Mailchimp and Eventbrite as a ways of communicating with audiences. Both these are GDPR compliant. An outline of Mailchimp’s compliance tools can be found here https://blog.mailchimp.com/gdpr-tools-from-mailchimp/and Eventbrite’s can be found here https://www.eventbrite.co.uk/support/articles/en_GB/Troubleshooting/eventbrite-eu-data-protection?lg=en_GB
Peshkar hosts photographic images on Flickr (photographic permissions are sought from all participants) and video footage via Youtube (a Google service and, therefore covered by their policies).
Peshkar artists also make use of Dropbox to host imagery from workshops and projects. This may occasionally include photographic or video images of participants. Dropbox’s compliance information can be found here https://www.dropbox.com/en_GB/security/GDPR.
Image Processing and Social Media
Peshkar uses imagery and videos to promote projects on Social Media. Peshkar’s social media channels are Facebook, Twitter and Instagram. Peshkar takes the following safeguards regarding data shared via Social Media
- Photographs or videos of participants under the age of 18 never feature names.
- Blog posts or links to blogs that include the name of the participant do not feature any additional personal data
- Sensitive personal data is never shared via social media
- Historic social media posts including images and video are cleared or hidden every five years.
Peshkar holds all data for a maximum of five years on inactivity. After this point, records of participants, staff and board members including photo and video records, evaluation and forms are deleted and shredded (if held in hard copy). If it is deemed that an individual is of worth to the organization as a contact after five years inactivity has lapsed, Peshkar may contact this person to seek their consent to retain their data.
Any individual coming into contact with Peshkar has the following rights over their Data:
- the right to be informed
- the right of access
- the right to erase/to be forgotten
- right to rectification
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automatic decision-making.
The exercising of any of these rights can be undertaken through contacting the Data Protection Officer. Any requests will be dealt with in 30 days or less according to the guidance of the Information Commissioner’s Office.
Any complaints or concerns regarding data protection at Peshkar can be raised with the Data Protection Officer named above or, in the worst case scenario, with the Information Commissioner’s Office (www.ico.org.uk).
Peshkar carries out Privacy Risk Assessments on all its data. This process is undertaken by the Data Protection Officer and overseen by the Trustee responsible for Data and Safeguarding. Data reports are made to the Board of Trustees at every meeting.