Data protection policy
- Information covered by the Act
- Data protection principles
- Individuals’ rights
- Legal requirements
- No commercial disposal to third parties
- Our commitment to data protection
- Further information
In order to operate efficiently, we must collect information about people with whom we work. These may include members of the public, current, past and prospective employees, funded bodies and suppliers. In addition we may be required by law to collect and use information in order to comply with the requirements of central government.
This personal information must be handled properly under the Data Protection Act 1998 (‘the Act’). The Act regulates the way that we handle ‘personal data’ that we collect in the course of carrying out our functions and gives certain rights to people whose ‘personal data’ we may hold.
We consider that the correct treatment of personal data is integral to our successful operations and to maintaining trust of the persons we deal with. We fully appreciate the underlying principles of the Act and support and adhere to its provisions.
We are registered with the Information Commissioner to process personal data. We are named as a data controller under the register kept by the Information Commissioner in accordance with section 19 of the Act.
Information covered by the Act
The Act uses the term ‘personal data’. For information held by the Arts Council, personal data essentially means any recorded information held by us and from which a living individual can be identified. It will include a variety of information including names, addresses, telephone numbers, photographs of people and other personal details. It will include any expression of opinion about a living individual or any indication of our intentions about that individual.
Data protection principles
We will comply with the eight enforceable data protection principles by making sure that personal data is:
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate and kept up to date
5. not kept longer than necessary
6. processed in accordance with the individual’s rights
8. not transferred to countries outside the European Economic area unless the country to which the data is to be transferred has adequate protection for the individuals
We will ensure that at least one of the following conditions are met before we process any personal data:
1. the individual has consented to the processing
2. the processing is necessary for the performance of a contract with the individual
3. the processing is required under a legal obligation (other than one imposed by a contract)
4. the processing is necessary to protect vital interests of the individual
5. the processing is necessary to carry out public functions eg. administration of justice
6. the processing is necessary in order to pursue our legitimate interests or those of third parties (unless it could unjustifiably prejudice the interests of the individual)
Under the Act, one of a set of additional conditions must be met for ‘sensitive personal data’. This includes information about racial or ethnic origin, political opinions, religious and other beliefs, trade union membership, physical or mental health condition, sex life, criminal proceedings or convictions. We will ensure that one of the following additional conditions are met before we process any sensitive personal data:
1. the individual has explicitly consented to the processing
2. we are required by law to process the information for employment purposes
3. we need to process the information in order to protect the vital interests of the individual or another person
4. the processing in necessary to deal with the administration of justice or legal proceedings
We will ensure that individuals are given their rights under the Act including:
• the right to obtain their personal information from us except in limited circumstances
• the right to ask us not to process personal data where it causes substantial unwarranted damage to them or anyone else
• the right to claim compensation from us for damage and distress caused by any breach of the Act
While it is unlikely, Arts Council England may be required to disclose your user data by a court order or to comply with other legal requirements. We will use all reasonable endeavours to notify you before we do so, unless we are legally restricted from doing so.
No commercial disposal to third parties
Arts Council England shall not sell, rent, distribute or otherwise make user data commercially available to any third party, except as described above or with your prior permission.
Our commitment to data protection
We will ensure that:
- everyone managing and handling personal information understands that they are responsible for following good data protection practice
- there is someone with specific responsibility for data protection in the organisation
- staff who handle personal information are appropriately supervised and trained
- queries about handling personal information are promptly and courteously dealt with
- people know how to access their own personal information
- methods of handling personal information are regularly assessed and evaluated
- any disclosure of personal data will be in compliance with approved procedures.
- we take all necessary steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure
- all contractors who are users of personal information supplied by the council will be required to confirm that they will abide by the requirements of the Act with regard to information supplied by us.
We have appointed a head of information compliance to lead on data protection for the Arts Council. This person is responsible for ensuring that the policy is effectively implemented.
The Information Commissioner – www.informationcommissioner.gov.uk
The Department of Constitutional Affairs – www.dca.gov.uk
Contact us at:
Arts Council England
14 Great Peter Street
London SW1P 3NQ
Phone: 0845 300 6200