Last revision: 15/12/2020
Understanding our audiences, ticket buyers, Friends and donors is a fundamental part of our work. It enables us to better plan our artistic and operational future, including the support we provide to education, collaborators, communities, our volunteers and to new and established artists and composers. In addition to personal contact, much of this understanding comes from looking at and combining attendance history, Friends membership and renewal habits and donation data.
- Explain how we collect, store, manage and protect your data
- Outline the kind of data that we process
- Explain how we use personal data to manage the people with whom we work
- Explain how we use personal data to provide services to our audiences, the participants in our education/bursaries, community and outreach programmes and our supporters
- Explain how we use personal data to support our purpose.
We will only send marketing communications to you if we have a legal basis to do so. You can control the nature of these communications by getting in touch with us.
Our marketing communications include information about upcoming concerts and events, our digital programme, news, artistic opportunities and outreach activity. If you would like to receive these communications but have not opted in, or think you may have accidentally opted out, please contact us at firstname.lastname@example.org.
How we collect your data
If you supply personally identifiable data to us, we become responsible for that data.
When you purchase a ticket or a Friends membership, talk to us, or give to us directly
Whether online, in person or over the telephone, when you buy seats or memberships or when you donate to Irish Heritage, we will collect and store information about you. When you talk to us, it is possible that we might keep a record of what was said, but we will always carefully consider whether the benefit to our charitable objectives is legitimately balanced against your right to privacy before doing so.
When you give to us indirectly
If you have given your consent to a third party to share your personal data, and then they supply some or all of that data to us under the terms of the consent that you gave, we may add that data to the data we already hold about you.
When you apply to take part, or take part in a bursary competition
When you apply to take part in, or take part in an Irish Heritage bursary competition, you will be required to provide digital media, for example images and video of yourself, contact details and copies of relevant supporting documentation to us. This data is encrypted and not accessible by any third-party whose services we might use to deliver the application processes. We destroy the data when it is no longer required. Access to the data is limited within Irish Heritage to those individuals who require it.
When you use our website or our apps
Our website, like most others, may use “cookies” in the future to make it function more effectively. A cookie is a small text file, containing information about how you arrived at a website, the pages you may have visited or information about your device.
The purpose of cookies is threefold:
To manage your session on our website - A cookie might indicate whether you have logged in yet, what is in your shopping basket, whether you are using a phone, a tablet, laptop or desktop computer, and what browser you are using. This information is used to make the website function properly on your device and ensure that the technical enhancements in which we invest will be as helpful as possible to the greatest number of people.
To help us to understand how our website is being used - We use analytics services provided by third parties to help us understand how people use our site, and to help us connect our marketing efforts to online sales. By doing this, we can save money on marketing and ensure that the enhancements we make to the site are worthwhile.
When you work with or work for Irish Heritage
As a successful candidate, the information you provide to us as part of your application will form part of your overall employment record and will be treated with the same care and confidentiality as the data we hold about our employees.
We retain data relating to unsuccessful candidates for three months following the last contact with the candidate. Thereafter we may choose to retain the data for a further twenty-one (21) months if, in our judgement, the candidate may be of future interest as an employee. After twenty-four (24) months from the last contact, or sooner if the candidate is not considered to be of future interest, we will delete the candidate information, retaining only the name, address (including email address), date of application and the post applied for, and a brief and objective record of the decisions taken. This summary retained candidate information will be held for a maximum of five (5) years from the date of last contact and then deleted. In the event of further contact from the candidate, including a fresh application for employment, the data retention periods described above reset.
When we work with freelance professionals and contractors, we will collect enough personal information as is necessary, depending on the nature of the work being undertaken. As with staff, this may include contact details, Disclosure and Barring Service check data and data regarding the right to work in the UK.
Staff will be invited to confidentially provide information regarding race, gender, ethnic origin or ethnicity, religion or religious beliefs and sexual orientation. This information is encrypted in storage and access to it is restricted. Periodically it is anonymised, aggregated and transferred to the Arts Council as part of our funding agreement with them. Staff do not have to provide any of this information; it is optional.
Third Party Organisations
When you consent to sharing
You may have given your consent to another organisation, like a business, a charity or a website to share your data with us or simply with third parties, including other charities. In these cases, we may add that data to the data we already hold about you. This might have happened when you bought a product or service from them, when you booked a seat with them, donated to them or used recruitment services.
When you book for an Irish Heritage event in another venue
If we run an event in partnership with another organisation, some of your data may need to be shared with them, for operational purposes. We will only share essential data with them, and we will be very clear with you about what will happen to your data, and why, if you register or book for an event of this kind.
According to your settings for social networks and messaging services like Facebook, Instagram and Twitter, you may have given us permission to access some of your information from those services. You may also have given permission for those services to access information about your interactions with all the websites you visit, including ours. Please check their privacy policies for more detail.
Payment data is dealt with by third parties (see Payment Processing, below). To protect the payment and personal data that is processed during a transaction, we work to ensure that physical payment devices and online technologies adhere to common standards, like network traffic encryption and routine physical checks. Payment data that you enter when using our website to purchase tickets, donate or buy music and memberships is handled directly by the payment processor, not by Irish Heritage.
Publicly Available Information
Publicly available information may include information found in places such as Companies House and information that has been published in newspaper or magazine articles, or online. If information about you is publicly available, we may combine that information with the data we already hold about you. This information might then be used to assess your inclination and capacity to support Irish Heritage. In doing this, we take the consideration of legitimate interest very seriously indeed, carefully examining the balance of your rights against the interests of Irish Heritage, using a specially prepared, legitimate, interest assessment process.
Our responsibilities and legal basis for processing your data
While we rely on our legitimate interests as the legal basis for the processing of personal data (where this is not overridden by the interests and rights or freedoms of the individuals concerned) we recognise that it is not the only lawful ground for processing data. As such, where appropriate, we will sometimes process your data on an alternative legal basis; for example, because you have given us consent to do so.
Legitimate interest requires an assessment and balancing of the risks and benefits of processing for both Irish Heritage and for you. In assessing and balancing these risks and benefits, we take into account what we consider to be your reasonable expectations regarding the processing of your data. This places the burden of protecting individuals on us, as we are in the best position to undertake an analysis of risks and benefits, and to devise appropriate mitigations.
We adhere to the UK Data Protection Act 2018, and keep a close watch on changes in legislation. This ensures that the personal information we look after is processed (audited, stored, used, transferred, kept updated and destroyed) in accordance with applicable laws. When legislation is updated, revised or replaced, we review our data processing practices.
- Communicating with our audiences, supporters, event attendees and project participants.
- Providing benefits and services to our audiences, supporters, event attendees and project participants.
- Furthering Irish Heritage’s charitable purpose (which includes fundraising).
- Enabling Irish Heritage to achieve its strategic and operational goals.
We may pursue these legitimate interests by contacting you by email or post. Information about how you can manage the ways that we contact you, including how to opt out from some or all contact from us, is outlined in the section entitled “Your Rights”.
Collected data and its use by Irish Heritage
Attendance reporting and ticket, membership, and donation administration
If you attend a concert, or you buy a Friends membership or donate money to Irish Heritage, we will usually collect some of this information:
- Name, title, contact details including postal address, email address, phone number and links to social media accounts.
- Gender information. This is optional.
- Date of birth. This is optional, unless you wish to participate in our £5 tickets for students’ scheme.
- Information about what prompted you to transact with us.
- Your preferences regarding receiving news, marketing and campaign information from us.
- If you opted to pay for your Friends membership by Direct Debit, we will collect and process your bank account number and sort code in accordance with the Direct Debit Guarantee, Direct Debit Mandate and associated regulations
- Payment card data is not stored or processed by Irish Heritage, but we do provide means to collect and transfer credit card data to third parties for payment processing. The nature of the data and the parties involved are described in more detail later in this policy
- If you participate in an Outreach event, we will usually process anonymised attendance data. We may also process data relating to medical conditions, if it is necessary to properly manage your participation in the event or project.
Wisely investing in marketing by grouping customers and sending direct communications
We routinely group people in our database, based upon their buying or giving habits, their address data, publicly available information about them, or combinations of these things. We use these groupings when we send out marketing, fundraising campaign materials and news. Working in this way helps us to keep our costs down; we send out fewer letters and emails, and those we do send go to the people most likely to respond to them.
Taking account of health issues
Where necessary, health data collected for certain Outreach event participants may be verbally shared with volunteers, partners and those involved with the delivery of projects. We take the utmost care to respect the rights and freedoms of individuals involved when we consider the information that is necessary to be shared in this way.
Enabling contact preferences
We will sometimes write to you or send you emails about the progress we are making, upcoming concerts, livestreams, events or fundraising activities.
If you do not want to hear from us, it is easy to control the communications you receive by contacting us at email@example.com.
Sharing your stories
We invite individuals to tell us about their experiences with us at concerts, education and study events, outreach projects and at special events. Wider sharing of these stories can be of tremendous benefit to our fundraising efforts. If we have the explicit and informed consent of the individuals concerned, or their parent or guardian if they are Under 18, this information may be made public by us at events, in materials promoting our artistic programme, campaigning and fundraising work, or in documents, such as our annual report.
Access to your personal data is limited to those at Irish Heritage whose responsibilities require access to our customer relationship management systems. In line with legislation, sensitive data (e.g. data relating to children or vulnerable adults and medical data) is further limited to selected, appropriately skilled or trained volunteers.
We carry out a periodic information audit, which helps us to maintain controls on the personal information we store. We track the source of the information, its nature, our legal basis for processing it and the controls that are in place to ensure its accuracy, accessibility, security and timely removal.
Transferring and Sharing Data
In order to perform some of our day to day operations, personal data is sometimes securely transferred to and subsequently processed by external companies. Where external companies process your personal data (e.g. postal and email addresses, to send out promotional brochures or emails on our behalf), we ensure that the data is encrypted where appropriate and that proper controls are in place regarding how those companies manage the personal data they collect or have access to.
If one of these companies runs their operations outside the European Economic Area (EEA), although they may not be subject to same data protection laws as a company based in the UK, we take steps to make sure they provide an adequate level of protection in accordance with UK data protection law by requesting and checking their data policies and associated documents and specific legislation and checking for an adequacy decision between the EEA and that company’s country of origin.
When you make an online payment to Irish Heritage using a credit card or PayPal, the payment data is processed by a third-party payment gateway called Stripe. We do not store the payment data, but we do store other transactional data, as described in this policy. Stripe uses the payment data to authorise payment with your card issuer or with PayPal, and it is retained to allow for further administration of transactions, like refunds, and for reporting.
When you make a credit card payment to Irish Heritage over the phone or in person, the payment data is processed by a third-party payment gateway called iZettle. We do not store the payment data, but we do store other transactional data, as described in this policy. iZettle uses the payment data to authorise payment with your card issuer, and it is retained to allow for further administration of transactions, like refunds, and for reporting.
We may need to pass your details, if required, to the police, regulatory bodies or legal advisors.
Sharing with our partners
In order to properly manage the care of individuals participating in projects and events, it is sometimes necessary to share data classed as ‘Special Category’ under the UK Data Protection Act 2018 with professionals or organisations delivering the projects on behalf of or in partnership with Irish Heritage. In these cases, we will always ensure that consent is in place before sharing.
Sharing is done using secure means, and we ensure that everyone with whom we share data for these purposes has signed a data sharing agreement, which sets out the method of sharing and the rules for retention, rectification and erasure of data and includes a blank copy of the consent agreement signed by the individuals.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
Keeping your information up-to-date
We appreciate your help in keeping us informed of changes to your contact details. In addition to updates provided by you, we may use the Post Office’s National Change of Address database and postcode database.
You have a right to ask us to stop processing your personal data. If it’s no longer necessary for the purpose for which you provided it to us (e.g. processing your donation or Friends membership, booking seats for a concert or registering you for an event) we will do so. If you have any concerns, you can contact us at firstname.lastname@example.org.
You have a right to ask for a copy of the information we hold about you and we will endeavour to provide this information within 40 days. If there are any discrepancies in the information we provide, please let us know and we will correct them.
If you want to access your information, send a description of the information you want to see and proof of your identity by post to Data Protection Executive, Irish Heritage, Second Floor, 17 Short’s Gardens, London WC2H 9AT. We do not accept these requests by email and we may contact you directly for confirmation of the request before providing any information. This extra confirmation is in place to safeguard against identity fraud.
If you have any questions please send them to email@example.com.
For further information see the Information Commissioner’s guidance.
Changes to this Policy
If you have any questions, comments or suggestions, please let us know by contacting The Data Protection Executive, Irish Heritage, Second Floor, 17 Short’s Gardens, London WC2H 9AT or by emailing firstname.lastname@example.org.