Moogie Wonderland

Data Management & Privacy Policy

1.    Context and overview

Key details:

• Policy prepared by: Matt Ashdown
• Approved by board/management: 23/08/2020
• Policy became operational on: 23/08/2020
• Next review date: 01/11/2020

Introduction:                                                                                             

Moogie Wonderland needs to gather and use certain information about individuals.

These can include participants (including children and vulnerable adults), customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.

Why this policy exists:

This data management policy ensures Moogie Wonderland:

• Complies with data protection law and follows good practice
• Protects the rights of customers, staff and partners
• Is transparent about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach

Terms used

Certain terms used in this notice have specific meanings, as follows:

“Data Protection Law” means the European Union General Data Protection Regulation 2016/679, the UK Data Protection Act 2018 and any other privacy or data protection laws (including any statutes, regulations, by-laws, ordinances, mandatory codes of conduct or rules of common law or equity) applying at any time.

“Personal Data” means any personal data (as that term is defined in the GDPR) provided to or accessed or obtained by us under or in connection with this notice. In essence, this means any information relating to any identified or identifiable natural person (known under Data Protection Law as a ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

“staff” means all volunteers, employees and contractors of the Moogie Wonderland.

“we”, “us” or “our” are references to Moogie Wonderland.

“you” and “your” are references to our participants, audiences, board members and staff.

Our status

Moogie Wonderland is a data controller for the purpose of Data Protection Law. This means that we alone determine the purposes and means of processing the Personal Data that we hold.

We have assessed our status and determined that we are not required to register ourselves as a data controller with the Information Commissioner’s Office (the UK regulator, “ICO”) or pay a data protection fee to the ICO, because we collect and use Personal Data only for not-for-profit purposes, a permitted exemption under Data Protection Law.

Data protection law:

The General Data Protection Regulation (GDPR) applies in the UK and across the EU from May 2018. It requires personal data shall be:

1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes;
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals;
6. Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
7. The controller shall be responsible for, and be able to demonstrate, compliance with the principles.

2.    Who? People and responsibilities

Everyone at Moogie Wonderland contributes to compliance with GDPR. Key decision makers must understand the requirements and accountability of the organisation sufficiently to prioritise and support the implementation of compliance. Key areas of responsibility include (but are not necessarily limited to):

• Keeping senior management and board updated about data protection issues, risks and responsibilities
• Documenting, maintaining and developing the organisation’s data protection policy and related procedures, in line with agreed schedule
• Embedding ongoing privacy measures into corporate policies and day-to-day activities, throughout the organisation and within each business unit that processes personal data. The policies themselves will stand as proof of compliance. 
• Dissemination of policy across the organisation, and arranging training and advice for staff 
• Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters
• Checking and approving contracts or agreements with third parties that may handle the company’s sensitive data
• Ensuring all systems, services and equipment used for storing data meet acceptable security standards
• Performing regular checks and scans to ensure security hardware and software is functioning properly
• Evaluating any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations
• Developing privacy notices to reflect lawful basis for fair processing, ensuring that intended uses are clearly articulated, and that data subjects understand how they can give or withdraw consent, or else otherwise exercise their rights in relation to the companies use of their data
• Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the GDPR principles

Data Protection Officer (DPO) – the person responsible for fulfilling the tasks of the DPO in respect of Moogie Wonderland is Matt Ashdown, Director. 

The minimum tasks of the DPO are:

• To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
• To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits
• To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc)

3.    Scope of personal information to be processed

The scope of the date we process includes:

• names of individuals
  • postal addresses of individuals
  • email addresses
  • telephone numbers (staff only)
  • online identifiers
  • gender
  • ethnicity
  • age
  • access requirements (which may constitute Sensitive Data – see below)
  • dietary requirements (which may constitute Sensitive Data – see below)
  • sexual orientation (which may constitute Sensitive Data – see below)
  • socio-demographic information (which may constitute Sensitive Data – see below)
  • medical details (which may constitute Sensitive Data – see below)
  • educational attainment (which may constitute Sensitive Data – see below)
  • details of prior artistic experience
  • IP addresses (if you have made contact with us via our website)
  • Cookie information (if you have made contact with us via our website)
  • Employment/role details and related candidate background and experience (staff only)

How data is stored and who has access to it:

Category of individual	How stored and for how long	Who has access
Participants on Moogie Wonderland programmes and opportunities (which includes musicians and young musicians, artists, performers, educators and children and young people, for more information on this specific group please also see our Child Protection Policy)	For booking/applyingStored on Eventbrite, WooCommerce, and downloaded onto Moogie Wonderland encrypted file storage (excel/pdf) following booking/application period and deleted from Eventbrite or WooCommerceFor email bookings – stored on Gmail, processed into Eventbrite or WooCommerce, and/or excel/pdf file within two weeks and deleted from GmailForms or participant lists are also shared digitally with any external contractors where essential to the activity, who are contractually required to keep the data secure and to delete the forms after their work for the organisation is completed For up to a two year period following the final evaluation of the participant’s project  For evaluation and equal opportunities monitoring: Separated at point of submission of booking/applicationAs non-identifiable data  Marketing collateral:  Google DriveDropboxMoogie Wonderland’s secure file storageFor up to a two year period, unless otherwise requested by the individual	Booking / application formsNamed Moogie Wonderland team membersNamed external contractors wgere essential to the activity Equal Opportunities monitoring form   All members of the organisation
Featured composers, musicians, artists, and other participants	For featuring on website and in other publications:·       Mailchimp ·       Wordpress·       Google Drive·       Dropbox·       Moogie Wonderland’s secure file storage·       For up to a five year period, unless otherwise requested by the individual	·       Director·       External PR consultant·       External arts facilitators
Donors (which include individual donors and individuals working for funding bodies)	PayPalCrowdfunderMailchimpFor up to a five year period, unless otherwise requested by the individual	Director
Email subscribers	·       Mailchimp ·       Data cleaned twice a year	Director
Applicants for employment or Board membership	Application Form: Moogie Wonderland’s secure file storage No longer than 6 months after end of recruitment process  Equal Opportunities monitoring form Separated at point of submission from application formAs non-identifiable data	Application form: DirectorEqual Opportunities monitoring form: All members of the organisation
External advisers and suppliers (which includes partner organisations, advisory board members, freelance workers and other external providers)	Moogie Wonderland’s secure file storageFor up to a five year period, unless otherwise requested by the individual	Director

Sensitive Data: We may request certain sensitive Personal Data (known under Data Protection Law as ‘special category personal data’) from you, where it is appropriate and necessary for the purpose for which it is obtained. For example, we may ask you to confirm any medical/access requirements in connection with the administration of an events (see the section headed ‘Uses and conditions for processing’ below).

We will only use this Sensitive Data where we have your explicit consent to do so. We will anonymise sensitive data where the data is not needed to be attached to an individual (for example, evaluations reports for projects would usually not require identifiable data).

4.    Uses and conditions for processing

Outcome/Use	How data is collected?	What data is collected?	Lawful basis for processing and evidence fot this	How the data is used?
Participants on Moogie Wonderland programmes and opportunities  (which includes musicians and young musicians, artists, performers, educators and children and young people, for more information on this specific group please also see our Child Protection Policy)	For booking/applying Digitally: via email and/or WooCommerce or Eventbrite order formFrom partnering organisations enrolling participants to our programmes and opportunities (e.g. when an organisation asks us to run an activity for their participants and is it necessary for us to collect participant data to be able to carry the activity  out to a high standard) For evaluation and equal opportunities monitoring: In an equal opportunities monitoring formIn evaluation questionnaires (paper, Eventbrite, WooCommerce, email, audio, video)In evaluation notes (paper, digital, audio, video)	Personal data including name, address, email, age, education and phone (that may be of the participant or the participant’s parent/guardian)Sensitive personal data: this may include gender, ethnicity, sexual orientation, socio-demographic information, medical details, educational attainment, details of prior artistic experience and learning difficulties or special access requirements Marketing collateral:  Includes data such as name, location, profession, age (if first name only is used for child), web links, social media links, images, audio, and visual material.	For booking/applying: Participants give Moogie Wonderland consent to hold personal and sensitive personal data for the duration of the application process, for the purposes of communication and the selection process itself  For evaluation and equal opportunities monitoring: Collected in order to meet contractual obligations with funding bodies such as Arts Council England regarding their support of our workParticipants give Moogie Wonderland consent to hold personal and sensitive data for monitoring, reporting, and evaluating purposes  Marketing collateral: Moogie Wonderland has a legitimate interest in capturing this information in order to promote, profile and showcase those participating on our programmes	This information will be used in order to plan and deliver the very best artistic and educational experiences for participants, to keep participants safe throughout their experience with us, and may be passed to emergency services for use should any emergency situation arise. This data will also be used to monitor and evaluate our projects for reports internally (to work towards high quality standards) to external funders and government bodies. Data will be anonymised and aggregated for any monitoring, reporting, evaluating and campaigning purposes Marketing collateral:  To inform effective delivery of agreed promotional activity To create marketing materials and content To meet any access requirements
Featured composers, musicians, artists, and other participants	For featuring on website and in other publications: Digitally: via email; and/or WooCommerce or Eventbrite order form; and/or via phone/meeting and typed up into Word or Ecxel.	Personal data including name, address, email, age, education and phone (that may be of the participant or the participant’s parent/guardian)Sensitive personal data: this may include gender, ethnicity, sexual orientation, socio-demographic information, medical details, educational attainment, details of prior artistic experience and learning difficulties or special access requirements	Contributors and other participants: Give Moogie Wonderland consent for to hold their personal data for the purposes of profiling their work or activity or for the purposes of communication Marketing collateral:  Moogie Wonderland has a legitimate interest in capturing this information in order to promote, profile and showcase those working on our programmes	To inform and improve platforms and services To enable people to create, contribute and access content To ensure a relevant and bespoke experience for audiences To communicate with auciences and participants  Marketing collateral:  To inform effective delivery of agreed activity To create marketing materials and content
Donors (which include individual donors and individuals working for funding bodies)	Individual donors  Via PayPalVia Crowdfunder Individuals working for funding bodies  · Via email	Individual donors  Name, address and email  Individuals working for funding Bodies Name and work contact details, email address, telephone number and professional title	Individual donors and individuals working for funding bodies give Moogie Wonderland Consent for the purposes of communication, or Consent to regular gifts i.e. monthly donations	Individual donors To ensure that donors are contacted with the most appropriate, timely and relevant communication To better understand the background of the people who support Moogie Wonderland and assist the organisation in making appropriate requests to supportersTo monitor and evaluate donors experience  Individuals working for funding bodies  Contained within Excel (encrypted) for the purpose of managing relationship and correspondence with funding body
Email subscribers	Via MailchimpVia emailIn digital or paper form	Personal data including name, location, email, and age	Email subscribers give Moogie Wonderland consentto hold personal data until unsubscribed or requested in another manner.	To ensure that subscribers are contacted with the most appropriate, timely and relevant communication about our programmes, opportunities, and other news.
Applicants for employment or Board membership	In two ways: In an Application Form In an Equal Opportunities monitoring form	Application form:  Personal data including name, location, age , education, and contact details (voluntary question in the application form) Sensitive personal data including gender, ethnicity, disability, socio-economic background, health and sexual orientation  Equal Opportunities monitoring form:  Includes data about age, location, socio-economic background ethnicity, gender, disability and sexual orientation	Application form:  Applicants give Moogie Wonderland consent to hold personal and sensitive data for the duration of the selection process Moogie Wonderland also has a legitimate interest in holding forms of personal data that allow Moogie Wonderland to communicate with applicants as part of the selection process  Equal Opportunities monitoring form:  · This information is collected as part of Moogie Wonderland’s requirements in order to report on progress in meeting high standards of Equality, Inclusion and Diversity.	Application form:  To enable the shortlisting and selection of candidates and to meet any access requirements, in line with Moogie Wonderland’s  Equality, Diversity and Inclusion Policy and Action Plan  Equal Opportunities monitoring form:  In order to measure progress this information is anonymised and aggregated for monitoring, reporting, evaluating and campaigning purposes
External advisers and suppliers (which includes partner organisations, advisory board members, freelance workers and other external providers)	Via contracts and agreements	Personal data including name, location, contact and payment details	Moogie Wonderland has a legitimate interest in holding personal data relating to external advisers and suppliers, which is to facilitate efficient communication with themIn some cases Moogie Wonderland may hold such data in order to fulfil contractual obligations	To ensure effective communication To set up payment processes and contractual agreements

Consent: If you have given us your consent to process your Personal Data, you can of course withdraw that consent at any time, by emailing or writing to us using the details in section headed ‘Contact us’ below. Where you have subscribed to our electronic newsletters (“e-newsletters”), we will always include an option for you to unsubscribe from receiving these at any time. See the section headed ‘Your rights’ below for further detail.

Legitimate interest: where we use (process) your Personal Data on the basis of legitimate interest, we do so in order to carry out our legitimate charitable operations and objectives for the benefit of our all our members, officers, trustees and staff (as applicable), providing always that our legitimate interests are not overridden by your data protection interests or fundamental rights and freedoms.

Contractual obligations: processing which is necessary for compliance with our legal obligations

How long we keep your information for

Moogie Wonderland keeps your information for no longer than is necessary. We will retain your information for any period required by law, for example for compliance with HMRC and/or employee requirements. Where we are not under a legal obligation to retain your information, the organisation has determined what is necessary by reference to the lawful basis for processing set out above and our legitimate interests please see the table above for further information. 

If you have any questions about how long we keep your information, please contact us 

How we hold your Personal Data

We hold your Personal Data strictly in accordance with our Document Retention Schedule. That document sets out, among other things, the periods of time for which we hold certain records that may contain your Personal Data and is available on request.

5.    Data Sharing

Third Parties

Moogie Wonderland only works with third parties who are fully GDPR compliant. We may share personal data with the following third parties:

Mailchimp 

Stripe

PayPal 

WooCommerce

WordPress

Google (for use of Google Drive) 

Dropbox

Dropbox

Eventbrite

With the explicit consent of participants in our programmes, we may also share their personal data with organisations we are partnering with in order to deliver those programmes

Moogie Wonderland may share your personal information with third parties for marketing purposes in accordance with Your Preferences

If you do not want us to share your personal data with any third party for marketing purposes, please let us know using the contact details Contact Us or by updating Your Preferences on the relevant platform

Moogie Wonderland may need to provide your information to freelance contractors and suppliers who provide services on our behalf, to the extent necessary to enable you to receive those services.

If you make a payment or donation to us we will need to share your information with our payment processor. By paying via our payment processor you agree to accept their Terms and Conditions for the use of their services, including their Privacy Policy.

Moogie Wonderland strongly suggests that you read their Privacy Policy when using their service as we are not responsible for data you share with them. Moogie Wonderland may also need to disclose your information if required to do so by law or as expressly permitted under applicable data protection legislation.

Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have individual Privacy and Cookies Policies and that Moogie Wonderland does not accept any responsibility or liability for these policies.

Please check these policies before you submit any personal data to these websites.

International transfers

Our relationship with MailChimp (explained above) means your Personal Data may be transferred overseas, in this case to the USA, where MailChimp are head-quartered.

We adopt the following safeguards when transferring Personal Data overseas:

• we will always make such transfers in accordance with Data Protection Law; and
• we will always require any overseas third party to which we transfer your Personal Data (including MailChimp) to, among other things: (a) only use the Personal Data for the purposes for which it was disclosed; (b) use all technical and organisational measures that are reasonable in the circumstances to secure the Personal Data; (c) delete Personal Data when it is no longer required; and (d) treat Personal Data in accordance with this notice and their local data privacy law.

For information, a copy of MailChimp’s privacy policy is available here: https://mailchimp.com/legal/privacy/

We do not transfer Personal Data overseas in any other circumstance.

6.    Security measures

Moogie Wonderland is committed to keeping your Personal Data confidential and secure. We have appropriate technical and organisational measures in place to prevent accidental or unlawful destruction, loss, alternation, unauthorised disclosure of or access to the Personal Data that we hold. We use the following security measures to protect your Personal Data:

1. Encryption on our website with SSL technology
2. Use of reputable security software and firewalls
3. Encryption of data on electronic devices, and on backups stored on external hard drives
4. Staff passwords must be: ‘strong’ passwords (hard-to-guess); not shared with anyone; changed upon indication of compromise; not written down or stored in an insecure manner.
5. Access controls on systems and to information comprising Personal Data
6. Data in transit measures must be implemented, physically and electronically. This includes encryption for digital transit, and pseudonymization where possible.
7. Security awareness at induction for all board members and staff (we treat it is a disciplinary matter if Personal Data is misused or not looked after properly)

Notwithstanding all of the above, absolute security of your Personal Data cannot be guaranteed. Should you have any concerns about a particular method of data transmission or security measure, please contact us using the details set out in the section headed ‘Contact us’ below and we will take all reasonable steps to address your concerns. We act on breaches as a priority and will ensure that any breaches are reported to the ICO within the required timescales. We will ensure that any data is to be deleted, is deleted securely and without further risk of breach.

7.    Automated processing

We do not currently carry out any automated processing.

8.    Your rights

You have various rights under Data Protection Law. If you would like to exercise any of these, please write to us using the details provided in the section headed ‘Contact us’ below.

Where you exercise any of these rights, we will provide you with the requested information and/or take the relevant action without undue delay and in any event within one month of our notice of your exercise of your right(s). In accordance with Data Protection Law, this period may be extended by two further months in some cases, where necessary, taking into account the complexity and number of any requests you make. We will inform you of any such extension within one month of receipt of your initial request(s), together with the reasons for any anticipated delay. Where you make a request in electronic form (e.g. by email), we will respond and provide any requested information in electronic form where possible, unless otherwise requested by you.

Your right to access your Personal Data: You have the right to obtain access to and a copy of any Personal Data we hold about you. You also have the right to find out whether your Personal Data has been transferred outside the EU and any safeguards relating to this transfer (though please see the section headed ‘International Transfers’ above in the first instance).

Your right to have your Personal Data rectified: You have the right to request that we update any Personal Data you think is inaccurate or incomplete.

Your right to object to us using your Personal Data: You have the right to request that we stop using your Personal Data in certain circumstances. Please note that where you exercise this right, this may cause delays or prevent us from delivering a particular service/membership benefit to you. If this is the case, you will be informed of the consequences.

Your right to restrict our use of your Personal Data: In certain circumstances, you have the right to ask us not to use your Personal Data for certain purposes.

Your right to have your Personal Data erased: You have the right to request that we destroy all of the Personal Data that we hold about you in certain circumstances, providing we do not have any lawful reason for needing to retain it (in which case, we will explain this to you).

Your right to Personal Data portability: In certain circumstances, you have the right to request a copy of your Personal Data in a structured, commonly used and machine-readable format and to ask that we transfer the Personal Data you gave us from one organisation to another, or give it to you.

Your right to refuse automated individual decision-making and profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling. Moogie Wonderland does not conduct any automated decision-making or profiling.

Your right to withdraw consent: as set out above, if you have given us your consent to process your Personal Data, you can withdraw that consent at any time, by emailing or writing to us using the details in the section headed ‘Contact us’ below.

As explained above, we will always include an option for you to unsubscribe from receiving our e-bulletins at any time.

Your right to complain to the ‘supervisory authority’: you have the right to complain to the ICO (as the UK’s supervisory authority) at any time. Details are available via the ICO website: www.ico.org.uk

Contact Us

You are welcome to ask us any questions or raise any concerns you have about how we deal with your Personal Data by contacting our Company Secretary, in the first instance, by email at info@moogiewonderland.co.uk or via our address: Director, Moogie Wonderland, Seaways House, Commercial Road, Penryn, TR10 8AQ. We may ask you to verify your identity in order to help us respond efficiently to your request.

9.     Privacy notices

Moogie wonderland aims to ensure that individuals are aware that their data is being processed, and that they understand:

• Who is processing their data
• What data is involved
• The purpose for processing that data
• The outcomes of data processing
• How to exercise their rights.

To these ends the company has a privacy statement, setting out how data relating to these individuals is used by the company.

10. Ongoing documentation of measures to ensure compliance

Meeting the obligations of the GDPR to ensure compliance will be an ongoing process. Moogie Wonderland details here the ongoing measures implemented to:

Maintain documentation/evidence of the privacy measures implemented and records of compliance 

Regularly test the privacy measures implemented and maintain records of the testing and outcomes.

Use the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts.

Keep records showing training of employees on privacy and data protection matters