How we collect and use personal data
CultureRunner is committed to protecting the privacy and security of your personal information (‘personal data’).
CultureRunner (CR, “we”, “our”, “us”) adheres to the principles of protecting and processing personal data as laid out in the General Data Protection Regulation (EU) 2015/679 (GDPR).
We have used the guidance from the UK Information Commissioner’s Office (ICO) on GDPR to develop this policy. The ICO guidance offers further depth to and illustrative examples for many of the issues presented in this policy.
Definition and scope
This Data Protection Policy sets out how CultureRunner handles the Personal Data of our users (including web visitors), clients, suppliers, associates and other third parties.
Following this Policy is expected of everyone working on behalf of CultureRunner (“you”, “your”). You must read, understand and comply with this Policy when processing Personal Data on our behalf.
Personal Data is any information that allows a living individual to be identified. It may include names, contact addresses or similar information, and photographs. It may include data that are not personal data in themselves but could be combined with personal data to identify an individual, e.g. a cross-referenced record in a filing system. It also includes any expression of opinion about an individual.
Sensitive Personal Data are personal data that could be used to discriminate against an individual, so are to be treated with even greater care. This may include information about race, sexual orientation or activity, health, political or religious beliefs or memberships, allegations of or convictions for criminal behaviour.
A Data Subject is an individual who is the subject of personal data.
A Data Controller is a person (which means an entity recognised in law, i.e. an individual, or an organisation or group) who determines the purposes for which personal data is or will be used and the way in which it is used.
Processing data means obtaining, recording or holding the information or data or carrying out any operation on the data. Almost any conceivable use of data is likely to be a form of processing.
A Data Processor is a person or organisation who carries out any operation on the data. It will often be the case that a Data Controller and Data Processor are the same entity.
A Data Breach is the sharing of Personal Data with a third party without the explicit consent of the Data Subject. Data breaches may be accidental, or deliberate, or forced i.e. Personal Data could be stolen from a Data Controller/Processor by a third party. All data breaches are serious.
The Director is responsible for overseeing this Data Protection Policy and developing related policies. Please contact the Director if:
You are unsure of the lawful basis on which you are relying to process Personal Data
You are unsure about the retention period for the data being processed
You need any assistance dealing with any rights invoked by a data subject.
Because CultureRunner is not a public authority and does not process large volumes of Sensitive Personal Data, we have not appointed a Data Protection Officer.
Personal Data protection principles
The principles of protecting and processing personal data laid out in the GDPR state that the personal information we hold about individuals must be:
Used lawfully, fairly and in a transparent way
Collected only for valid, specified purposes that we have clearly explained (through relevant Privacy Notices) and not used in any way that is incompatible with those purposes
Relevant to the specified purposes and limited to what is necessary for those purposes
Accurate and kept up to date
Kept only as long as necessary for the specified purposes
Made available to data subjects on request to allow them to exercise their rights in relation to their personal data.
CultureRunner must be able to demonstrate compliance with the data protection principles listed above. The following sections of this Policy further detail these principles.
Lawfulness, fairness and transparency
Personal data must be processed lawfully and fairly and in a transparent manner. The law allows processing of personal data for specific purposes where:
The data subject has given their consent
The processing is necessary for the performance of a contract with the data subject
The processing is necessary to meet our legal compliance obligations
The processing is necessary to protect the data subject’s vital interests
The processing is necessary to pursue our legitimate interests.
We will identify the legal ground being relied on for each processing activity. The types of personal data we are known to process, and the legal basis for each, are summarised in the CR Data Management and Retention Schedule, which is stored in the Operations folder of the company computer system. Any new or potentially new processing activity should be checked against this Schedule.
As a Data Controller, CR will provide specific information to data subjects on how we treat personal data through appropriate Privacy Notices. These notices will be in clear and plain language so that a data subject can easily understand them. Notices will be provided at the point of collecting data and must include the identity of the data controller, i.e. our name and address, and how and why we will use, process, retain and delete the data.
Purpose limitation and data minimisation
Personal data must be collected only for valid, specified purposes that we have clearly explained. It must not be further used (processed) in any manner incompatible with those purposes. In most cases we cannot use the data for a new purpose unless we have obtained consent from the data subject, or there is a basis in law.
We will not gather more information than is needed for the specified purposes.
We will take reasonable steps to ensure the personal data we process is accurate and kept up to date. If we need to update personal data to continue to fulfil the specified purpose, we will have a system in place to do so.
We will take any challenge to the accuracy of personal data seriously and consider it carefully. We must change or delete any inaccurate or misleading personal data as soon as reasonable after identifying it is inaccurate.
A data subject has the right to ask us to rectify or complete any inaccurate or incomplete data about them. We will record all such requests whether received verbally or in writing and must respond within one month.
In certain circumstances it may be appropriate to refuse a rectification request from a data subject e.g. if the personal data held contains an opinion with which they disagree, but the information is clearly identified as an opinion in our records. We must be able to justify the refusal and be able to communicate this clearly to the data subject.
Personal data must not be kept for longer than is necessary for the specified purposes or for longer than is necessary to comply with any legal, accounting or reporting requirements.
The CR Data Management and Retention Schedule details the types of data held by CR, how long each type may be stored, and how we store it with appropriate security. Any potential new data collection types or new processing activity should be checked against this Schedule before being put in place.
CR will schedule a review of data storage on a yearly basis to ensure that the Data Management and Retention Schedule is being followed.
Protecting personal data
As part of the scheduled reviews of data storage we will undertake an analysis of the risks presented by our processing of personal data and make any necessary changes to the security measures we have implemented. Our security measures will be reasonable and practical and related to the identified level of risk.
Reporting a personal data breach
As a Data Controller, CR will notify serious personal data breaches to the applicable regulatory authority – in the UK, the Information Commissioner’s Office (ICO) – and in certain instances notify the data subject.
If you know or suspect a personal data breach has occurred, do not attempt to investigate the matter yourself. Inform the Director as soon as possible.
Because this policy follows the provisions of the European Union GDPR, we will restrict data transfer to countries outside the European Economic Area (EEA) to ensure that the level of data protection for individuals is not undermined.
If you find a situation in which it appears to be necessary to transfer personal data outside the EEA, please consult the Director before you transfer the data.
Data subjects’ rights and requests
Data subjects have rights when it comes to how we handle their personal data. These include:
The right to be informed about whether and how we may be processing their personal data
The right of access to their own personal data.
The right to rectification if the information we have is inaccurate
The right to erasure if there is no longer a lawful reason for us to retain the data e.g. if consent was the lawful reason, and consent is withdrawn. This is also known as ‘the right to be forgotten’.
The right to restrict processing e.g. if the accuracy of data is being challenged, the data subject can request their data is not processed until that situation is resolved
The right to data portability, when data has been provided in an easily transferable machine-readable format
The right to object to the processing of their personal data, especially in relation to direct marketing
Rights in relation to automated decision making and profiling.
CR must respond to such requests, whether verbal or in writing or through any communication channel, within one calendar month.
You must immediately forward any data subject request to the Director. There may be grounds for the company to refuse a request, but these will need to be considered carefully in all cases.
We will keep full and accurate records of all our data processing activities. The CR Data Management and Retention Schedule details our processing approach – including purposes, processing activities, data storage and security measures, and data retention periods – for different data types.
We will also keep and maintain accurate records of data subjects’ consents – where applicable as the legal basis for holding and processing data – as part of the personal data held.
We will ensure that any staff (there is only 1 staff member at present) take part in adequate training to meet the requirements of this policy.
We will provide a copy of this policy as part of our contractual arrangements with any contractors and/or associates.
Sharing personal data
As part of our security measures, access to personal data held by the company will be limited to those members of the company who have a direct role in processing the data.
We will only share personal data we hold amongst our staff, agents, associates or representatives when there is a legitimate job-related reason to do so, and it is in line with the specified purposes for that data.
We will only share the personal data we hold with third parties such as our service providers when there is a legitimate contract-based reason to do so, it is in line with the specified purposes for that data, the third party has appropriate security measures in place and this sharing with a third party has been clearly stated within the privacy notice provided to the data subject.
The company’s policy schedule shall be reviewed every calendar year.
Any policies requiring review, e.g. because of legislative changes or changes to CR’s circumstances, should be identified and actioned for review.
Date of next review
This Data Protection Policy is next due for review on 25 May 2022.
For fuller definitions please see https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/