Our data protection policy sets out our commitment to protecting personal data and how we implement that commitment with regards to the collection and use of personal data.
Data Protection Principles
We will comply with the eight enforceable data protection principles by making sure that personal data is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and kept up to date
- Not kept longer than necessary
- Processed in accordance with the individual's rights
- Not transferred to countries outside the European Economic area unless the country to which the data is to be transferred has adequate protection for the individuals
We will ensure that at least one of the following conditions is met before we process any personal data:
- The individual has consented to the processing.
- The processing is necessary for the performance of a contract with the individual.
- The processing is required under a legal obligation (other than one imposed by a contract).
- The processing is necessary to protect vital interests of the individual.
- The processing is necessary in order to pursue our legitimate interests or those of third parties (unless it could unjustifiably prejudice the interests of the individual).
Under the Act, one of a set of additional conditions must be met for 'sensitive personal data':
- The individual has explicitly consented to the processing
- We are required by law to process the information for employment purposes
- We need to process the information in order to protect the vital interests of the individual or another person
- The processing in necessary to deal with the administration of justice or legal proceedings.
We will ensure that individuals are given their rights under the Act including:
- The right to obtain their personal information from us except in limited circumstances
- The right to ask us not to process personal data where it causes substantial unwarranted damage to them or anyone else
- The right to claim compensation from us for damage and distress caused by any breach of the Act
While it is unlikely, Arts Council England may be required to disclose your user data by a court order or to comply with other legal requirements. We will use all reasonable endeavors to notify you before we do so, unless we are legally restricted from doing so.
No commercial disposal to third parties
Arts Council England shall not sell, rent, distribute or otherwise make user data commercially available to any third party, except as described above or with your prior permission.
Our commitment to data protection
We will ensure that:
- Everyone managing and handling personal information understands that they are responsible for following good data protection practice
- There is someone with specific responsibility for data protection in the organization
- Staff who handle personal information are appropriately supervised and trained
- Queries about handling personal information are promptly and courteously dealt with
- People know how to access their own personal information
- Methods of handling personal information are regularly assessed and evaluated
- Any disclosure of personal data will be in compliance with approved procedures.
- we take all necessary steps to ensure that personal data is kept secure at all times against unauthorized or unlawful loss or disclosure
- All contractors who are users of personal information supplied by the council will be required to confirm that they will abide by the requirements of the Act with regard to information supplied by us.
We have appointed a head of information compliance to lead on data protection for the Arts Council. This person is responsible for ensuring that the policy is effectively implemented.