Privacy and Data Protection Policy
Duckie takes your privacy seriously and are committed to protecting your personal information and working with honesty, transparency and integrity. This policy sets out how the company uses the information that you provide us with to help further our work in delivering arts, heritage and cultural events to communities across London, the South East and beyond.
Duckie will not sell your data to any third parties, but we may sometimes share your information with our subsidiaries.
Duckie is a Data Controller, as identified through GDPR legislation. By Duckie, we mean Duckie Ltd (05294486) and all subsidiaries in the Duckie Group including The Posh Club.
The Data Protection Supervisor for the Duckie group is Emmy Minton and she can be contacted by emailing email@example.com
Data- what do we collect?
Duckie and its subsidiary companies collect individual’s data in a number of different ways, for a number of different purposes- for example we will:
1) Ask for contact details when we are booking audiences or participants into events, workshops or training. This will be a name, phone number, email address and occasionally an address- if we are working with older audiences that do not use email.
2) Ask for monitoring information from audiences, participants and volunteers, which typically includes information about postcode, date of birth, sexuality, gender or ethnicity.
3) Ask audiences, participants, interns and volunteers to complete evaluation to support the development of our events, workshops and training. This would typically include feedback about the activity and/or tracking changes to wellbeing, activity levels etc. as a result of taking part in the activity.
4) Ask individuals, groups or organisations who are financial supporters to give us information that allows us to administrate donations. This would typically include information such as a name, contact details, address, email, telephone number and payment details.
5) Ask for contact details from audiences, participants and community members to keep them informed about our events, programmes and opportunities or fundraising initiatives. This would typically be an email address.
6) Ask for consent to collect cookies from the website to allow Duckie to use google analytics
Why do we collect this data?
Duckie and its subsidiary companies collect this data for a number of specific reasons, which are as follows:
1) We ask for contact details so that we can contact you if an event is cancelled or changes in some way.
2) We ask for monitoring information in order to ensure that we are reaching the target groups for our projects and services. The majority of Duckie’s work is created for specific audiences so if we have created a service for adults over 60 living in Hackney, it is important for us to know how successful we are in attracting audiences from this target group.
3) We ask for evaluation and feedback on what we do, so that we can improve our work and make a case for funding.
4) We ask for financial information if you have asked to make a donation to us so that we can carry out our charitable aims.
5) We ask for your contact details so that we can occasionally contact you via email with news about our projects and services or with suggestions of ways in which you could become involved with our work.
6) We analyse information from audiences, participants and community members to ensure that all of Duckie’s communications are tailor-made to their needs, interests and requests.
7) We use google analytics to help us understand who is engaging with our website and in what way, in order to improve its functionality.
Privacy and the Law
The Law on Data Protection is derived from various pieces of legislation including the Data Protection Act and the General Data Protection Regulation or GDPR, to which all organisations based in the UK will need to be compliant by May 2018. The GDPR states that personal data can only be ‘processed’ (i.e. collected, stored and analysed) if there is a legal ground to do so. The GDPR provides six legal grounds under which personal information can be legally processed. Five out of the six grounds for processing that are most relevant to Duckie’s use of your data are:
1) Consent: where you have given us clear consent for us to process your personal data for a specific purpose – i.e. to sign up to join one of our clubs.
2) Contract: where processing your data is necessary for us to complete a contract that we have entered with you – i.e. to send you tickets that you have ordered for an event.
3) Legal Obligation: where processing your data is necessary for us to comply with the law – i.e. to complete a DBS check in order to employ you to work with vulnerable people.
4) Vital interests: where processing your data might be necessary to protect your safety or your life – i.e. to follow Duckie’s safeguarding policy for vulnerable adults by alerting the relevant authority to follow up a serious safeguarding concern.
5) Legitimate interests: where processing your data is necessary for our legitimate interests- i.e. to analyse monitoring information of specific audiences to stimulate outreach work with under-represented groups or to undertake university-led research work.
Duckie will always ensure we have specific consent to hold your data, we will be clear about why we are processing or analyzing it and we will treat the information you give us with respect. The company will never rent, swap or sell your personal information to other organisations for them to use in their own marketing activities and we will always be able to give you a clear and straight forward answer about what data we hold, how we store it, what we will use it for and what the legal grounds for doing so are.
Duckie have always asked for your consent before we have communicated with you and from May 2018, this will be specific and time-based – i.e. we will only hold it for a stated period of time. You will also be able to withdraw your consent at any time by emailing Duckie’s Data Protection Supervisor on firstname.lastname@example.org
There are times when it is not practical to record consent- for example if older people who don’t use email are booking to attend The Posh Club over the phone. At those times, we will only process personal information if this action would meet another legal ground for processing personal data - e.g. Legitimate Interests. In this instance, we would process the individual’s contact details in order to send them a registration and consent form through the post, so that they can join The Posh Club. This would be a Legitimate Interest as it is necessary to fulfill our charitable purpose and would not supersede the individual’s rights to privacy.
What is Legitimate Interest
This legal ground for processing means that organisations can process your personal information if they 1) Have a genuine and legitimate reason for doing so and 2) That use does not harm any of your rights and interests as an individual.
Duckie’s Legitimate Interest
We believe that Duckie’s community understand and support what we are trying to achieve and want to hear about our work. Unless you tell us not to, we think you are happy for us to process your personal information so we can let you know what we are up to and how to get involved. Duckie serve different population groups which share an identity, situation, interest or problem and the company’s main audiences can be divided into the following groups:
1) Arts, culture and heritage audiences
2) The Posh Club audiences (adults over 60)
3) Audiences with high needs such as rough sleepers, adults with chronic addictions or those living with dementia
Existing audiences on our mailing list have already completed a ‘soft opt-in’ to receiving emails from us through subscribing to our mailing list through the Duckie website, and we believe that they will want to continue to hear about our work. We also believe that we treat their personal data with respect and care and that the 2-3 emails we share with them a year, do not infringe on their personal rights to privacy. We have always offer our audiences a simple and easily accessible ‘unsubscribe’ button on each email so they can opt-out of this service at any time and this will practice will continue after the GDPR regulations come into play from May 2018.
New audiences from May 2018 will be asked to opt-in to receiving communications from us for the next five years, with information tailored to each specific groups’ interests. For example, group 1 (who will sign up through Duckie’s website) will receive information about all of Duckie’s activities but Group 2 (who will sign up through The Posh Club’s website) would only receive information about Duckie’s work with older people. Group 3 will not receive any communications from the company except for when it is needed for contractual purposes.
Financial Supporters - Handbag
Duckie is due to launch Handbag, a Private Giving Scheme in 2018 and this will include contacting audience groups 1 and 2 about ways in which they can support the company’s work. Handbag will comprise of a series of promotional campaigns, which will be tailor-made for each group. Duckie believe that the audience groups held on the company’s CRM system which have already opted in to receiving communications about the company’s work will be interested in hearing about these campaigns. Group 3 will never be contacted about Duckie’s fundraising activities.
How long will we hold your data for?
If you have opted in to receive information about Duckie’s work either through the Duckie or The Posh Club websites, we will ask for your consent to hold your data for 5 years. This is because this is the period of time in which we plan cycles of our work, with each of our services running to 5-year business plans. We know from our existing data that our audiences are loyal and stay with us over long periods of time and feel confident that this time period is appropriate for those accessing our work. There are some exceptions to this rule such as health and safety records which we are required by law to keep for 7 years but as a general rule, we will seek your permission to keep your data after 5 years.
Changing Your Mind
Engaging with Duckie is always your choice. If you don’t think we have got the level of communication quite right for you, you can tell us to change your preferences or ask us to remove you from our database permanently by emailing email@example.com and we will act on your wishes immediately.
Duckie are a Data Controller – this means that the company will collect data from audience members (for example monitoring information) and the company will analyse it to understand how well the project is working (for example how many of an audience group come from a target post-coded area). This analysis of monitoring surveys is completed and the results of the analysis are typically written as a % point, such as 80% of older people attending The Posh Club report that they live in a West Hackney post coded area. Once this analysis is completed, all of the monitoring surveys are shredded and all links to individuals’ data are removed. The percentage line is then submitted to a small number of third parties – which are usually funding bodies, as evidence of each projects performance against the funder’s preset targets. In this way Duckie collects data from individuals but analyses it quickly and only retains key points from the analysis that cannot infringe on the rights of individuals.
GDRP legislation specifies that each company differentiates between Data Processors and Data Controllers. Duckie has 6 named Data Processors who are responsible for distributing, receiving back and storing data which is collected in the form of contact details, monitoring surveys or questionnaires from audience members and participants attending each of the company’s projects. These are the Coordinators for all of Duckie’s projects and they have received training and guidance on safely storing individuals’ data until it can be passed to Emmy Minton the Fundraising and Development Manager for analysis. The guidelines include using password protected computers with encrypted files, storing questionnaires safely in locked filing cabinets until they can be processed and analysed and not sharing the data that the company holds with any third parties.
Duckie and its subsidiary companies are Data Controllers. The Data Controllers hold the responsibility to provide written advice and guidance to the Data Processors (or the staff members who Coordinate each project) to ensure that they are using systems that will protect your data and your privacy, and that this can be evidenced if any of the companies are investigated or audited.
Data Bases and CRM Systems
Duckie stores the data that the company and its subsidiaries collects on a tailor-made CRM system. This has been built so that all of the Data Processors can access the information that they need to run their projects- but that they are unable to access information from other projects that they don’t need. For example, The Coordinator of The Posh Club, Hackney will be able to access the data base of guests and volunteers, plus add new guests and volunteers as they join. They will also be able to upload monitoring and evaluation data from individuals engaged with The Posh Club, Hackney so that it can be analysed centrally. They will not be able to access any data from the QTIPOC collective, the Slaughterhouse Club, Palace of Varieties or any of the other projects and services, unless there is a specific reason for them to do so and they are given a specific password to access other parts of the CRM system.
Cookies and Web Privacy
The Collection of Information
Every time you log on to our website your IP (Internet Protocol) address registers on our servers. Your IP address reveals no information other than the number assigned to you. We will not use this technology to get any personal data against your knowledge or free will (i.e. automatically recording e-mail addresses of visitors). Nor do we use it for any purpose other than to help us monitor traffic on our website, or (in case of criminal activity or misuse of our information) to cooperate with law enforcement.
We use a number of different cookies on our site. If you do not know what cookies are, or how to control or delete them, then we recommend you visit http://www.aboutcookies.org for detailed guidance.
First Party Cookies
These are cookies that are set by the websites concerned directly.
Duckie uses Google Analytics to collect information about visitor patterns on each of the websites in the Duckie Group. Google Analytics stores information about what pages are visited, how long each visitor spends on the site, how they got here and which pages are visited. This Analytics data is not tied to personally identifiable information - your personal information such as your name and address is not stored and therefore cannot be used to identify who you are. You can find out more about Google's position on privacy as regards its analytics service.
Third Party Cookies
These are cookies set by external websites whose services are used on Duckie websites. Cookies of this type are the sharing buttons across the site, which allow visitors to share content from any of the Duckie websites onto social networks such as Facebook or Twitter.
Third Party Cookies are currently set by Twitter, Facebook, Google+, Instagram and Pinterest if you share content from any of the Duckie websites to these platforms. In order to implement these buttons, and connect them to the relevant social networks, Duckie uses scripts from domains outside of our website. You should be aware that these sites are likely to be collecting information about what you are doing all on the internet, including when you access the Duckie websites. If you are concerned about your privacy, you should check the respective policies of each of these sites to see how exactly they use your information and to find out how to opt out, or delete, such information.
The majority of the emails that Duckie sends are not tracked at all. However occasionally, we will send out an email with news about what is coming up and these will track whether the user has opened and clicked on the email. We do not use this information at a personal level, rather we use it to understand ‘open and click’ rates on our emails to try and improve them. If you want to be sure that none of your email activity is tracked, then you should opt out of our emails which you can do via the unsubscribe link at the bottom of every email that is sent.
All donations to Duckie on this site are secure. No one can access your credit card details via the internet.
How we process your payments
When you have completed your donation, your web browser will be connected directly to a secure server. You can see that the connection is secure by looking at the padlock or key icon in the bottom left hand corner of your browser. Your browser may also alert you to the fact that you are connecting to a secure server, and if so, it will also tell you when you are closing the connection once you have donated. The secure server communicates with your browser using SSL (Secure Sockets Layer) protocols, so that all your personal information, including credit card number and name and address, is encrypted. This process takes the words and figures you enter, and converts them into bits of code that are then securely transmitted over the internet.
Protocol in the Event of a Data Breach
In the event of a significant data breach, Duckie will notify the ICO within 72 hours, notify any individuals affected and contact the board of directors. A ‘significant breach’ would be an incident where individuals’ data was released into the public domain and there was a serious risk to their privacy.
Documentation – the use of photographs, audio and video data
All digital photographs, audio and video files, which document our work up to May 25 2018 will be held in our historical archive, which we will continue to hold as we believe that it is of ‘Legitimate Interest’ to the LGBTQ community. Information in the public domain prior to the 25 May is also exempt from GDPR legislation – this includes all photographs, audio files and films that are held on the Duckie websites.
After May 25 2018, Duckie will seek consent to collect and hold digital photographs, audio and video files. This consent will be specific, time based and the data will only be collected and processed when the company has a ‘Legitimate Interest’ for doing so.
Right to be Forgotten
Finally, Duckie, will be happy to provide you with all the data that we hold on you and to delete it from our records if requested. If you wish to see or delete the data that we hold on you, we will need to see an original piece of primary identification such as a passport or driving license before we will be able to release the information. Once you have made a request we will respond within 30 days as required by the GDPR legislation. If you have a request please, contact us on firstname.lastname@example.org