We are committed to protecting your personal information and being transparent about what we do with it, no matter how you interact with us. That’s whether you want to work, volunteer or advocate for us, donate, use our services, want information, training or want to learn more about what we do.
We are committed to using your personal information in accordance with our responsibilities. We won’t do anything with your information you wouldn’t reasonably expect. We are required to provide you with the information in this Privacy Notice under applicable law which includes (but is not limited to):
- the Data Protection Act 1998, which will be replaced by the General Data Protection Regulation (EU) 2016/679 from 25 May 2018 (the "GDPR"), and
- the Privacy and Electronic Communications (EC Directive) Regulations 2003.
This Privacy Notice applies to the personal information of individuals who interact with The Art Room. This Privacy Notice does not apply to the personal information of children to whom The Art Room provides therapy or other services, or employees. If you use The Art Room's services or are employed by The Art Room, please contact us and we will advise you of the applicable Privacy Notice for your situation.
Processing of your personal information is carried out by or on behalf of The Art Room which is a company incorporated in the United Kingdom with company number 4268723 and a charity registered in England and Scotland, with registered charity numbers 1088739 and SC0449409 ("The Art Room", "We" or "us").
If you have any queries about our Privacy Notice, please get in touch:
Phone: 0207 923 5500
Post: The Art Room, Oxford Spires Academy, Glanville Road, Oxford, OX4 2AU
How and when we collect information about you
When you directly give us information
We may collect and store information about you when you interact with us. For example, this could be when you:
- get in touch with us via phone, website or other method of communication;
- support our work through a donation
- fundraise on our behalf
- register for an event
- tell us your story
- submit an enquiry
- register for or use our services
- participate in our training
- give us feedback
- make a complaint
- apply for a job
- apply to volunteer with us
- enter into a contract with us
When you indirectly give us information
When you interact with us on social media platforms such as Facebook, Twitter or LinkedIn we may also obtain some personal information about you. The information we receive will depend on the privacy preferences you have set on each platform and the privacy policies of each platform. To change your settings on these platforms, please refer to their privacy notices. You should be aware that The Art Room has no ownership over these websites who may process your data for their own purposes if you choose to use them.
We may obtain information about your visit to our site, for example the pages you visit and how you navigate the site, by using cookies.
When you give permission to other parties to share it with us
Your information might be shared with us by independent event organisers, for example the London Marathon or fundraising sites like Just Giving or Virgin Money Giving. These independent third parties will only do so when you have indicated that you wish to support The Art Room, and only with your consent.
What information we might collect
When you engage with us by phone, mail, in person or online, we may collect information about you (referred to in this Privacy Notice as 'personal information'). This may include:
iii) email address
iv) telephone number
v) date of birth
vi) job title and details of your education and career
vii) why you are interested in The Art Room
viii) other information relating to you personally which you may choose to provide to us such as diversity information.
Data protection law recognises that certain types of personal information are more sensitive. This is known as 'sensitive' or 'special category' personal information and covers information revealing racial or ethnic origin, religion, philosophical beliefs and political opinions, trade union membership, genetics, biometrics (where it is used for ID purposes), information concerning health or data concerning a person's sexual orientation, or sex life.
Sensitive information will only be collected where necessary, for example, we may need to collect health information from you when you register for a challenge event. Clear notices will be provided at the time we collect this information, stating what information is needed, and why.
In addition, we may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief. We may also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. We process such information to carry out our obligations and exercise specific rights in relation to employment.
With your explicit consent, we may also collect sensitive personal information if you choose to tell us about your experiences relating to our services for use in a case study.
If you're 16 or under
If you're aged 16 or under, you must get your parent/guardian’s permission before you provide any personal information to us.
How and why we use your information
We will use your personal information for the following purposes:
- Donation processing: We will process personal information you provide in order to administer any one-off or on-going donations you make and claim Gift Aid.
- Responding to a request: If you contact us with a query, we may use your personal information to provide you with a response.
- Fundraising or direct marketing: We will only send you marketing information by email, SMS, or phone if you have given us specific consent. If you withdraw your consent and then subsequently opt in to receive marketing information again, then your most recent preference may supersede.
If you have responded to a letter of appeal, you may also receive fundraising mail, which you can opt out of at any time by:
Calling us on 01865 779779
By email to email@example.com
Writing to Fundraising, The Art Room (Oxford), Oxford Spires Academy, Glanville Road, Oxford OX4 2AU
- Monitoring and Evaluating: We may use your information in order to improve current and future delivery of our services. If diversity information is collected on an individual, all reporting will be anonymised.
- Processing an application to work or volunteer with us: We may process your information if you send or fill in an application form or send us your CV or details in respect of an opportunity to work with us in order to evaluate your suitability, respond to you and take steps at your request to possibly enter into a contract with you. If you use The Art Room's services or are employed by The Art Room, please contact us and we will advise you of the applicable Privacy Notice for your situation.
- Transactional purposes: We will need to use your personal information in order to carry out our obligations arising from any contracts entered into between you and us for goods or services, for example, processing your order.
- Using our website: We may use your personal information to help provide you with access to our website, personalise your experience, and improve and develop it further.
- Should you volunteer with us, we will need your personal information in order to process your placement with us.
- Administration: We may use your personal information to record and deal with a complaint, record a request not to receive further marketing information, record what our counsellors on placement have done for us, and for other necessary internal record keeping purposes.
- Protecting your vital interests: We may process your personal information where we reasonably think that there is a risk of serious harm or abuse to you or someone else.
- Market research and surveys: We may invite you to participate in surveys or market research to help us improve our website, fundraising, services and strategic development. Participation is always voluntary and no individuals will be identified as a result of this research, unless you consent to us publishing your feedback. With each request we will provide you with an option to opt-out of further communication.
- Legal, regulatory and tax compliance: Where we are subject to a legal obligation, we may process your personal information to fulfil that obligation. Profiling and analysis: We may occasionally and for the purposes of our legitimate interests use your personal information to conduct profiling of our supporters or potential supporters. This will help us target communications in a more focused, efficient and cost effective way, helping us reduce the chances of supporters and potential supporters receiving inappropriate or irrelevant communications.
You can unsubscribe to such use of your personal information for profiling at any time by contacting us at the details set out at the end of this Privacy Notice in Table 1. Details will also be included with each communication.
Our profiling and analysis activities can be broken into five categories:
1. Data matching
We may combine the personal information you have given us with data obtained from external sources, such as the Office for National Statistics, and infer the likely social, demographic and financial characteristics, so we can tailor our communications and services to better meet your needs or the needs of others like you based on the insight we gain from the profile we build. We will not use the results of this data matching activity in a way that intrudes on your privacy or your previously expressed privacy preferences.
We may conduct analysis of supporters by group, post code or particular area where supporters may be based. This is to ensure that campaigns or mailings are sent to those who will be most interested or likely to respond. This type of activity is not aimed at identifying specific individuals to target, but rather many individuals who may fall within a certain segment of supporters.
3. Donor analysis
We may use your personal information in conjunction with other third party data we may receive to carry out research to determine whether you would be interested in hearing more about us and/or being involved with our charitable work. We may use publicly available information from third party sources such as Google; Companies House; published biographies and publicly available LinkedIn profiles.
Occasionally we may also research any key networks that the individual is publicly known to be a member of, such as on the board of a not for profit or philanthropic body which may have relevance to our activities.
4. High value event planning
We may also use profiling to produce short biographies of people who are due to meet with our leadership or attend an event that we may be hosting.
This helps our people to understand more about those we engage with, and their interests or connection to us.
5. Ethical screening and minimising risk
As a registered charity, we are subject to a number of legal and regulatory obligations and standards, which we take seriously. The public naturally expect charities to operate in an ethical manner and this is integral to developing high levels of trust and demonstrating our integrity.
This means that we may carry out appropriate due diligence of donors, check donations and implement robust financial controls to help protect the charity from abuse, fraud and/or money laundering.
We may carry out background checks and due diligence on potential donors or anyone planning on making a significant donation or gift before we can accept it.
We may also ethically screen supporters to minimise risk of creating an association with an individual or group that conflicts with the standards we have set out in our overarching ethical policy.
Lawful Basis of Us Processing Your Data
The GDPR sets out six reasons why we may lawfully process your personal information. When we process your personal information, we will ensure that we comply with one of these six lawful basis. We have set these out below.
Where processing your data is within our legitimate interests
We are allowed to use your personal information where it is in our interests to do so, and those interests are not outweighed by any potential prejudice to you.
We don't think that any of the following activities prejudice individuals in any way. However, you do have the right to object to us at any time about processing your personal information on this basis. We have set out details regarding how you can go about doing this in the section on your rights to your data. Further, when we contact you by e-mail, we will include an option for you to unsubscribe or alter the method with which we interact with you, at the end of the e-mail.
We process on the basis of our legitimate interests for:
- Profiling and analysis: This will help us communicate with you in a more focused, efficient and cost effective way, helping us reduce the chances of you receiving inappropriate or irrelevant communications
- Postal Marketing: Alternatively you may prefer we contact you using the postal system.
- Recruitment: We have a legitimate interest in processing personal information during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate’s suitability for employment and decided to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.
- Volunteers: We also have a legitimate interest in processing personal information during the placement process and for keeping records of the process. This allows us to manage the placement process, assess the volunteers suitability and decide to whom to offer the placement.
Where you give us your consent to process your personal information
We are allowed to use your data where you have specifically consented. In order for your consent to be valid:
- You have to give us your consent freely, without us putting you under any type of pressure;
- You have to know what you are consenting to – so we'll make sure we give you enough information to make an informed consent;
- You should only be asked to consent to one processing activity at a time – we therefore avoid "bundling" consents together so that you know exactly what you're agreeing to; and
- You need to take positive and affirmative action in giving us your consent – we're likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.
Where we have sought your consent, we will only process for the purposes we specified at the time you provided your data. However, in the future we may wish to process your data for a different purpose as long as the new purpose is one you might reasonably expect and we will notify you of it beforehand, seeking fresh consent if required.
You have the right to withdraw your consent to these activities. You can do so at any time, and details of how to do so can be found below in the section on your rights to your data.
We seek your consent for:
- Necessary processing for the fulfilment of your financial interactions with The Art Room (when you donate, attend our training courses or procure our clinical services). Your decision to engage with these financial interactions is taken as affirmative action that you consent to our processing your personal information for this purpose, including the sharing of your payment details with our payment suppliers.
- Direct marketing by email or telephone, we seek your specific consent before contacting you by electronic means for marketing purposes.
We do not think that any of the above activities prejudice you in any way. However, you do have the right to object to us processing your personal information in certain circumstances. If you would like to know more about these circumstances and how to object to our processing activities, please see the "Right to object" section below.
Where processing is necessary for us to carry out our legal obligations
As well as our obligations to you under our contract, we also have other legal obligations that we need to comply with and we are allowed to use your personal data when we need to in order to comply with those other legal obligations.
An example of a legal obligation that we need to comply with is our obligation to cooperate with tax authorities.
Where processing is necessary for the performance of a contract between you and us.
We may have a contract or other agreement in place with you, for example as a volunteer, or as a supplier. In order for us to complete our obligations under this contract, we are permitted to process your personal information in furtherance of this contract. If we are discussing matters with a view to enter into an agreement, then the GDPR permits us to process your personal information in this instance also.
Who do we share your information with?
We will only use your information for the purposes for which it was obtained. We will not, under any circumstances, sell or share your personal information with any third party for their own purposes, and you will not receive marketing from any other companies, charities or other organisations as a result of giving your details to us.
We will only share your data for the following purposes:
- Place2Be: Place2Be is the UK's leading children's mental health charity providing in-school support and expert training to improve the emotional wellbeing of pupils, families, teachers and school staff. On the 1st January 2018, the Art Room merged with Place2Be with the aim of improving the mental wellbeing of vulnerable children using school-based interventions. Whilst the Art Room will continue to run its provision from its 8 sites around the UK, all 'back office' functions have been fully integrated with Place2Be. This means that Place2Be will be processing all data on behalf of the Art Room.
- Third party suppliers: We may need to share your information with data hosting providers or service providers who help us to deliver our services, projects, or fundraising activities and appeals. These providers will only act under our instruction and are subject to pre-contract scrutiny and contractual obligations containing strict data protection clauses.
- Where legally required: We will comply with requests where disclosure is required by law, for example, we may disclose your personal information to the government for tax investigation purposes, or to law enforcement agencies for the prevention and detection of crime. We may also share your information with the emergency services if we reasonably think there is a risk of serious harm or abuse to you or someone else.
We always aim to ensure that personal information is only used by those third parties for lawful purposes in accordance with this Privacy Notice.
- All, or substantially all the assets of an entity within The Art Room are merged with or acquired by a third party, or we expand or re-organise our business, in which case your personal information may form part of the transferred or merged assets or we may need to transfer your information to new entities or third parties through which our business will be carried out.
- In the case of people applying for jobs or volunteers at The Art Room, applications will be shared with the Recruitment team, recruiting managers and interview panels.
For volunteers, your information will be shared with:
- Colleagues within The Art Room;
- Your family and personal representatives;
- Individuals and organisations who hold information related to your reference or volunteer application, such as current, past or prospective employers, educators and examining bodies and employment and recruitment agencies;
- Third parties who hold information related to your financial record such as financial organisations, credit reference agencies and debt collection and tracing agencies;
- Medical professionals such as your GP or an occupational health specialist;
- Tax, audit, or other authorities, when we believe in good faith that the law or other regulation requires us to share this data (for example, because of a request by a tax authority or in connection with any anticipated litigation);
- Third party service providers who perform functions on our behalf (including benefits administration, external consultants, business associates and professional advisers such as lawyers, auditors, accountants, technical support functions and IT consultants carrying out testing and development work on our business technology systems);
- Third party outsourced IT providers where we have an appropriate processing agreement (or similar protections) in place; an
Payment Processors: To process your payments (including donations) to The Art Room, we need to pass some of your personal information to one or more of the following suppliers. Please follow the links for information on these company’s privacy policies:
Direct debits: Rapidata— http://rapidataservices.com/terms-conditions/
Single payments: Your choice of either:
• SagePay— https://www.sagepay.co.uk/policies/privacy-policy
• PayPal— https://www.paypal.com/uk/webapps/mpp/ua/privacy-full
• CAF - https://www.cafonline.org/navigation/footer/privacy
The Art Room websites may include links to other sites, not owned or managed by us. We cannot be held responsible for the privacy of your personal information collected by these websites not managed by us.
How we protect your information
We use technical and corporate organisational safeguards to ensure that your personal information is secure. We limit access to information on a need-to-know basis and take appropriate measures to ensure that our people are aware that such information is only used in accordance with this Privacy Notice.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors.
Our online forms are always encrypted and our network is protected and routinely monitored.
If you use your credit or debit card to donate to us or make a booking online, we pass your card details securely to our payment processing partners.
We do this in accordance with industry standards and do not store the details on our website.
However, please be aware that there are always inherent risks in sending information by public networks or using public computers and we cannot 100% guarantee the security of data (including personal information) disclosed or transmitted over public networks.
If you suspect any misuse or loss of or unauthorised access to your personal information please let us know immediately. Details of how to contact us can be found in Table 1 below.
How long will we keep your information?
We will keep your personal information in respect of financial transactions for as long as the law requires us to for tax or accounting purposes (which may be up to seven years after a particular transaction).
If you request that we stop processing your personal information for the purpose of marketing we may in some instances need to add your details to a suppression file to enable us to comply with your request not to be contacted.
In the case of people applying for jobs or volunteering for The Art Room, all information collected on applicants will be permanently deleted after 6 months from the last applications submitted to the portal.
In the case of people undergoing volunteering at The Art Room, all information will be permanently deleted after 6 years from the end date of their last placement. Please note that in certain circumstances, we may hold this data for a longer period if for example we believe in good faith that the law or relevant regulators require us to preserve your data.
In respect of other personal information, we will retain it for no longer than necessary for the purposes for which it was collected, taking into account guidance issued by the Information Commissioner’s Office.
International transfers of information
We may, on occasion decide to use the services of a supplier outside the European Economic Area (EEA), which means that your personal information is transferred, processed and stored outside the EEA. You should be aware that, in some countries legal protection for personal information in countries outside the EEA may not be equivalent to the level of protection provided in the EEA.
However we take steps to put in place suitable safeguards to protect your personal information when processed by the supplier such as entering into the European Commission approved standard contractual clauses. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.
Your rights to your personal information
Data protection legislation gives you the right to request access to personal information about you which is processed by The Art Room and to have any inaccuracies corrected.
Phone: 0207 923 5500
Post: Data Protection Officer, Place2Be, 175 St John St, Clerkenwell, London EC1V 4LW.
You also have the right to ask us to erase your personal information, ask us to restrict our processing of your personal information or to object to our processing of your personal information.
If you wish to exercise these rights, please refer to the above contact details to find out more.
HOW CAN YOU ACCESS, AMEND OR TAKE BACK THE PERSONAL INFORMATION THAT YOU HAVE GIVEN TO US?
One of the GDPR's main objectives is to protect the rights of individuals with regards to data privacy. Where we hold your personal information, you have various rights in relation to it, which are set out below.
To get in touch about these rights, please contact us, using the details listed in Table 1 above. We aim to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which may be raised.
The GDPR gives you the following rights in relation to your personal information:
Right to object: this right enables you to object to us processing personal information you give us where we do so for one of the following reasons:
- because it is in our legitimate interests to do so;
- to enable us to perform a task in the public interest or exercise official authority;
- to send you direct marketing materials; or
- for scientific, historical, research, or statistical purposes.
The "legitimate interests" category above is the one most likely to apply, and if your objection relates to us processing your personal information because we deem it necessary for our legitimate interests, we must act on your objection by ceasing the activity in question unless:
We can show that we have compelling legitimate grounds for processing which overrides your interests; or we are processing your data for the establishment, exercise or defence of a legal claim.
Right to withdraw consent: Where we have obtained your consent to process your personal information for certain activities, you may withdraw all or part of your consent at any time and we will cease to carry out that particular activity unless we consider that there is an alternative lawful basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.
Data Subject Access Requests (DSAR): You may ask us to confirm what personal information of yours we hold about you at any time, and request us to modify, update or delete such information. We may ask you for more information about your request. If we provide you with access to the information we hold about you, we will not charge you for this unless your request is "manifestly unfounded or excessive". If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.
Right to erasure: You have the right to request that we "erase" your personal information in certain circumstances. Normally, the information must meet one of the following criteria:
- The data are no longer necessary for the purpose for which we originally collected and/or processed them;
- Where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing;
- The data has been processed unlawfully (i.e. in a manner which does not comply with the GDPR);
- It is necessary for the data to be erased in order for us to comply with our obligations as a data controller under EU or Member State law; or
- If we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for one of the following reasons:
- To exercise the right of freedom of expression and information;
- To comply with legal obligations or for the performance of a public interest task or exercise of official authority;
- For public health reasons in the public interest;
- For archival, research or statistical purposes; or
- To exercise or defend a legal claim.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.
Right to restrict processing: You have the right to request that we restrict our processing of your personal information in certain circumstances. This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either: (i) one of the circumstances listed below is resolved; (ii) you consent; or (iii) further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important EU or Member State public interest.
The circumstances in which you are entitled to request that we restrict the processing of your personal information are:
- Where you dispute the accuracy of the personal information that we are processing about you. In this case, our processing of your personal information will be restricted for the period during which the accuracy of the data is verified;
- Where you object to our processing of your personal information for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal information;
- Where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and
- Where we have no further need to process your personal information but you require the data to establish, exercise, or defend legal claims.
If we have shared your personal information with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal information.
Right to rectification: You also have the right to request that we rectify any inaccurate or incomplete personal information that we hold about you, including by means of providing a supplementary statement. If we have shared this personal information with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal information to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
Right of data portability: If you wish, you have the right to transfer your personal information between data controllers. In effect, this means that you are able to transfer the details we hold on you to a third party. To allow you to do so, we will provide you with your data in a commonly used machine-readable format so that you can transfer the data to a third party. Alternatively, we may directly transfer the data for you. This right of data portability applies to: (i) personal information that we process automatically (i.e. without any human intervention); (ii) personal information provided by you; and (iii) personal information that we process based on your consent or in order to fulfil a contract.
Right to lodge a complaint with a supervisory authority: You also have the right to lodge a complaint with your local supervisory authority which is the Information Commissioner's Office in the UK. You can contact them in the following ways:
- Phone: 0303 123 1113
- Email: firstname.lastname@example.org
- ICO.org.uk via Live chat
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
If you would like to exercise any of these rights, or withdraw your consent to the processing of your personal information (where consent is our legal basis for processing your personal information), please contact us using the details found in Table 1. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
How to make a complaint or raise a concern
If you would like more information, or have any questions about this policy, to make a formal complaint about our approach to data protection or raise privacy concerns please contact the Data Protection Team:
Phone: 0207 923 5500
Post: Data Protection Officer, Place2Be, 175 St John St, Clerkenwell, London EC1V 4LW.
If you are not happy with the response you receive after making a complaint, then you can raise your concern with the relevant statutory body:
Information Commissioner’s Office: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Alternatively you can visit their website.
Changes to our Privacy Notice
Our Privacy Notice may change from time to time, so please check this page occasionally to see if we have included any updates or changes, and that you are happy with them.
(Last updated: 15 May 2018)