Privacy Policy July 2023
1. Introduction
Collective Act’s Privacy Policy details what personal data we collect, what we do with the information you give us and your rights over that data.
We are committed to protecting the privacy and confidentiality of your personal information and we aim to ensure that all personal information in our possession is processed in accordance with the principles of the General Data Protection Regulations (GDPR) and the Information Commissioner’s Office (ICO).
Depending on which experiences and services you use, we will hold different kinds of information from or about you.
2. Our Details
Collective Act is a limited company
Address:
Hackney Downs Studios
17 Amhurst Terrace,
Hackney, London,
United Kingdom,
E8 2BT
Company number: 13424702
ICO registration number: ZB247323
3. Contacting us
Collective Act’s Data Manager is Executive Director Cathy Hirschmann.
Please email cathy.hirschmann@collectiveact.co.uk if you would like to:
See below for more details on your rights to accessing, changing or deleting your data, and Collective Act’s complaints process. Alternatively, you are entitled to raise a concern to the Information Commissioner’s Office (ICO) without first referring your complaint to us.
This privacy notice explains:
We will treat information you provide to us in confidence and we will not disclose it to third parties unless we are required to do so by law, or as explained in this privacy notice.
Data gathered via the website
We gather information about site usage to help the development and improvement of services to the public, and to protect the integrity of our systems from malicious users. We also gather information through the various functions available on the site that allow you to provide us with information (such as online forms and the live-chat function) for the purposes described later in this privacy notice. At the moment this information consists of:
We are operating a Cookie Bot plugin on our website that will allow you greater control over cookies and which areas you would like to provide consent for.
4. What is personal data?
Personal data is any information we handle that relates to an identified or identifiable natural person. An ‘identifiable natural person’ is anyone who can be identified, directly or indirectly from information, including by reference to a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
5. What types of personal data do we process?
Personal information is collected directly from you when you interact with Collective Act, and this will change depending on the experiences or services you are accessing. Typically, we collect your name, contact details, address and access requirements when you:
To help us safeguard minors (under 18s) participating in our programmes, to help us provide the facilities and access equipment, and for equalities monitoring purposes, we may collect further information. Where special category data is required, express consent will be sought.
Information may be collected in person, over the phone, through our website, social media, mobile devices or from something you posted to us.
The types of personal data we process will vary depending on the purpose. We aim to process the minimum amount of personal data necessary for the relevant purpose. You should not assume that we hold personal data in all of the categories identified for every person whose personal data we process.
The categories identified may not be complete as occasionally we may gather personal data in other categories for the purposes described.
We will set out those categories and reasons for using your personal data before asking for your express consent on a case by case basis.
6. When do we share your personal data?
We commit to making all reasonable efforts to keep your details secure and will only share them with partners, suppliers or professional agents working on our behalf, for example when an event is run in partnership with them. Any personal information you provide to us will be shared with these partners and their subcontractors for the purpose of providing a service you have requested or signed-up for. We will only share information with them if we are confident that they will protect it, and we have a contract in place with them that assures this.
Certain third party organisations collect information on our behalf as well as for their own use. We may receive your personal details from other organisations for our marketing or monitoring purposes where you have consented for this information to be shared. These organisations have their own data protection and privacy policies and your consent must be considered in reference to both policies.
We may also use other companies to provide experiences or services and process your personal information on our behalf, including delivering postal mail, making telephone calls, sending emails, sending SMS messages, processing card payments and analysing our supporter information as outlined above, to help us offer you communications that are most appropriate to you and your interests. In some cases, our suppliers may use software which analyses publicly available information to build up a picture about you based on the factors set out in the ‘Targeting our communications and researching our supporters’ section’.
7. More about our direct marketing
You may indicate your preference for receiving direct marketing from us. You will be given the opportunity to indicate that you no longer wish to receive our direct marketing material each time we contact you. Once properly notified by you, we will take steps to stop using your information in this way.
8. How do we use your information?
We use your information, both personal and anonymised, in these ways:
8.1 Provide an experience you have booked for
We offer a range of experiences and services where you will have provided information to us.
We will also use information to manage your attendance on a project or event.
If you have told us about an access requirement – such as a requirement for a wheelchair space – we will collect the required information from you in order to make sure you have the best experience possible. We will share information in an identifiable form only with those people internally and with our event partners who need to know. We will anonymise your information and process it further in order to improve our access provisions.
8.2 Communicating with you
There are a number of ways that we may communicate with you. We use information you have provided to:
8.3 To manage your booking or purchase with us.
We will use your personal information to:
8.4 To know if you have completed a pre-booking form before participating in some of our events
In order to attend the High Sensory Dreamachine experience you must complete a pre-booking form. The form contains information about medical conditions or sensitivities that may be relevant to your participation.
For attendance at the Dreamachine, we collect personal data (name, email address and date of birth) from the webform to record if you have successfully completed the form or not. No health data will be retained or shared.
We will share your name, email address and date of birth along with confirmation that you have completed this form with box office partners and event staff for Dreamachine to support your booking.
8.5 Sharing marketing materials with you
Marketing materials that we might share with you include information about our activities, our news, events and other ways you can become involved with us.
Where you have provided your postal address or telephone number we may send information to you by post or by calling your telephone if you have consented to this. We may also email you this information or send by SMS if you have agreed for us to do so.
You can let us know at any time if you’d prefer to change how we share this information with you or stop it altogether. Simply use the details in the our contact details section to let us know your preferences. If you receive our e-newsletters, you can also use the unsubscribe link in the emails we send.
We will keep your personal information for no longer than is necessary for the purposes for which it is processed which will be reviewed every 4 years. If you ask us not to contact you, we will keep some basic information about you on our suppression list in order to avoid sending you unwanted materials in the future or delete your information completely if requested.
8.6 Building an understanding of audiences, improve existing experiences or create new ones.
We undertake various research and analysis of our audiences such as event attendees and project participants. We do this because it allows us to understand our audience members and the people who support us, and helps us to send appropriate communications and make appropriate requests to those who may be able and interested in attending or giving more than they already do.
We also perform analysis on the experiences, services and projects we offer. We do this so we can understand how well we are performing and to help create a better experience for you.
8.7 Targeting our communication and researching our supporters
We want to send the most effective messages we can in the most efficient way possible. In order to work out who to contact, what to say and when to get in touch, we carry out the following activities:
8.8 Inform Scientific Research
There are two points at which we collect data that may be used for research purposes: The Perception Census and the Sensory Tool. Any personal data provided to us as part of The Perception Census will be used solely for communication purposes and you may unsubscribe from this at any time. Any further information you provide will be provided directly to the University of Sussex for the use of scientific research.
Any personal data you provide to us as part of the Sensory Tool will be used solely for communication purposes to receive your sensory profile. You may choose to opt-in for your information to be cross-referenced with your Perception Census results. Any information you provide will be anonymised for the use of scientific research and processed on the basis of public interest.
9. How long do we retain your personal data?
We keep your personal data for as long as necessary for the particular purpose or purposes for which we hold it.
Your data is always held securely.
We maintain Customer Relationship Management systems Ticket Tailor, Mailchimp, Vercel, Mailgun, JISC and Retool and access is strictly controlled to people who need it to do their job.
Certain data, for example sensitive data or data pertaining to a minor has additional controls and is only made visible to members of staff who have a reason to work with it. In addition, we protect your personal information in a range of ways including secure servers, firewalls and SSL encryption.
Right to Data Portability: You have the right to obtain and reuse your personal information for your own purposes, transferring it from one environment to another. This right only applies to personal data provided by an individual, where the processing is based on their consent or for the performance of a contract and when that processing is carried out by automated means. If you wish to discuss this right, you can do so using the contact details in this privacy notice.
Right to Object: You have the right to object to:
Any objection must be on grounds relating to your particular situation. If you want to exercise your right to object you can do so using the contact details in this privacy notice.
10. If you are applying for a job with Collective Act
Your application, C.V, cover letter and Equality Opportunities Monitoring Form for any position with Collective Act will be used during the recruitment process to short-list suitable candidates who will be invited to proceed to the interview stage, and to select the final candidate that the role will be offered to.
If we choose to use third-party job application platforms, for example recruitment agencies, to publish and receive applications for roles through these portals the organisation’s privacy information will be available to you. We will only work alongside other organisations in this way if we are satisfied that they will keep your information safely and use it only in the same legal ways that we would.
During the recruitment process, we will perform some checks on your identity, your right to work in the UK, your eligibility to work with young people (where required in the role) and your past employment references.
If you are appointed to the position, your information will form part of your personnel file and will be stored securely. This data is retained for the duration of your employment and destroyed 7 years after you leave our employment.
We delete the personal information of unsuccessful applications 6 months after the application process ends in case there are follow-up queries about the process, unless a candidate requests that we keep their details for longer. Statistical information including but not exclusive to ethnicity, sexuality and disability is kept to ensure that our recruitment processes are inclusive and not discriminatory, but this is completely anonymised.
If we are required by law to share your information, (for example; in response to a warrant or court order), we will do so.
11. Use of Photography and film
Collective Act, its commissioners or funders may wish to record a project or event for the purpose of archiving work, and/or sharing in marketing, publicity and other materials and communications in any medium. Where the use of photography and film is used in a public domain, signs will be visible to notify the public there are recordings being made. Where photography and filming is being used in a closed event (e.g workshop setting) explicit consent will be sought from participants with a clear explanation on the purpose of the photography and filming – and where it will be used.
12. Our legal basis for contacting you and using your personal information
When you sign up to a newsletter or opt-in to our communications using our forms (e.g email subscription) or in person/over the phone, then you are giving your consent to send you marketing materials by the methods you have chosen (e.g email or phone call). We will never send you information by email or SMS without your consent, and you can withdraw your consent at any time.
If you have provided us with your postal or telephone contact details, but haven’t specifically opted-in to receive our communications (for example, event marketing or making a donation by post), then we will carry out an assessment of whether it would be fair and reasonable to use them to send marketing information to you without your explicit consent. This is called a ‘legitimate interests assessment’. You can opt out of our marketing communications at any time if you don’t want to receive them.
We will ensure we have a legal basis to use your personal information for the other purposes mentioned in this policy (usually with your consent, further to a legitimate interests assessment or because the use of your data is necessary to comply with a legal obligation).
13. CCTV
CCTV is in use to view and record audience members in and around the Dreamachine experience in order to maintain a safe environment for staff and audiences, to help respond to health issues, to capture images for research purposes, and to assist in the effective resolution of any disputes. Collective Act recognises that the images of individuals recorded by CCTV cameras are personal data which must be processed in accordance with data protection legislation and has registered its use of CCTV with the Information Commissioner.
Camera locations are chosen to minimise viewing of spaces not relevant to the participation in the project.
CCTV systems will not be used to record sound.
Images are monitored by authorised personnel and contractors, who have been given appropriate training to ensure they understand and observe the legal requirements related to the processing of relevant data. We will provide signage at the venue to remind you that CCTV is in operation.
We will ensure that data gathered from CCTV cameras is stored in a way that maintains its integrity and security. This may include encrypting the data, where it is possible to do so.
Given the large amount of data generated by CCTV systems, we may store video footage using a cloud computing system. We will take all reasonable steps to ensure that any cloud service provider maintains the security of our information, in accordance with industry standards.
We may engage data processors to process data on our behalf. We will ensure reasonable contractual safeguards are in place to protect the security and integrity of the data.
We may share data with our research organisations, in accordance with written data sharing agreements.
Data from CCTV cameras will not be retained indefinitely but will be permanently deleted once there is no reason to retain the recorded information. Exactly how long images will be retained for will vary according to the purpose for which they are being recorded. For example, where images are being recorded for the monitoring of participant’s health, data will be kept long enough only for incidents to come to light. Any CCTV recordings may be retained for research purposes for the full period of the research project. In all other cases, recorded images will be kept for no longer than 30 days. We will maintain a comprehensive log of when data is deleted.
At the end of their useful life, all images stored in whatever format will be erased permanently and securely. Any physical matter such as tapes or discs will be disposed of as confidential waste. Any still photographs and hard copy prints will be disposed of as confidential waste.
In other appropriate circumstances, we may allow law enforcement agencies to view or remove CCTV footage where this is required in the detection or prosecution of crime.
No images from CCTV will ever be posted online or disclosed to the media.
Data subjects may make a request for disclosure of their personal information and this may include CCTV images (data subject access request). A data subject access request is subject to the statutory conditions from time to time in place and should be made in writing.
In order for us to locate relevant footage, any requests for copies of recorded CCTV images must include the date and time of the recording, the location where the footage was captured and, if necessary, information identifying the individual.
We reserve the right to obscure images of third parties when disclosing CCTV data as part of a subject access request, where we consider it necessary to do so.
14. What are your rights over your personal data we process, and how can you exercise them?
Under the Act you have a number of rights that you can exercise in relation to personal data we process about you. You do not have to pay to exercise your rights (other than a reasonable fee if a request for access is clearly unfounded or excessive but we agree to fulfil it anyway).
We sometimes need to request specific information from you to help us confirm your identity and ensure your authority to exercise the rights.
Right of Access: You can request access to the personal data we hold about you free of charge. Normally we will provide it within one month of receipt of your request unless an exemption applies. You can request access to the personal data we hold about you using the contact details in this privacy notice.
Right to be Informed: You are entitled to be told how we obtain your personal information and how we use, retain, and store it, and who we share it with. This privacy notice gives you that information, as well as telling you what your rights are under the relevant laws.
Right to Rectification: If we hold personal data about you that is inaccurate or incomplete you have the right to ask us to correct it. You can ask us to correct your personal data using the contact details in this privacy notice. We will reply to you within one month unless the request is complex.
Right to Request Erasure: Under certain circumstances you have the right to ask us to delete your personal data to prevent its continued processing where there is no justification for us to retain it. The circumstances most likely to apply are:
Right to Restrict Processing: Under certain circumstances you have the right to ask us to restrict the processing of your personal data. This may be in cases where:
You can ask us to restrict processing of your personal data using the contact details in this privacy notice.
15. Further information
You can find out more about your data protection rights on the Information Commissioner’s Office (ICO) here.
You can find out about data protection law here.
Data Protection Act here.
General Data Protection Regulation here.
16. How you can complain
The Information Commissioner’s Office (ICO) regulates the processing of personal data. You can complain to the ICO if you are unhappy with how we have processed your personal data.
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Information Commissioner’s Office website
17. Date of last update and changes
We last reviewed this privacy notice in March 2022. We keep this privacy policy under regular review and update it if any of the information in it changes.