Privacy Notice
Introduction
UK GDPR post Brexit
Since the 1st of January 2021 the UK GDPR and Data Protection Act of 2018 have been the de facto Data Protection Legislation for the United Kingdom. It is called the UK GDPR because it is essentially the GDPR with some modifications. For example, the UK GDPR reads differently because notions like ‘European Union’ have been replaced with ‘United Kingdom’ and ‘European Union law’ has been replaced with ‘domestic law’. The highest supervisory authority for enforcing data protection regulation in the United Kingdom is also no longer the European Data Protection Board but the Information Commissioner's Office (ICO).
Other changes can be found in the United Kingdom Government’s DPPEC regulation.
Data Protection and Public-i
As a Data Controller and Data Processor, Public-i (we) collect, handle and store data related to individuals. As such, we are committed to safeguarding the privacy of our clients (you), our website visitors and website creation service users; below we explain how we will handle your personal data.
We will ask you to consent to our use of cookies in accordance with the terms of this policy when you first visit our website. This is an explicit acceptance. We will provide a link to a reliable website to give you information to help you to change your cookie settings if you do not wish to accept cookies from our website. You can read our cookie policy here.
What we Collect about You
This relates to the Personal Data that we collect, our processing method and the nature of what personal data we collect.
When we establish a relationship with you or when you visit our website and use our contact form or registration form(s), we will collect the following information from you (as well as other data which will be seen on each form):
- Your name
- Your email address
- Your business name or organisation name*
- Your postal address*
- Your telephone number*
- Information related to you as an artist or supporter of artists or events*
- Information related to social media feeds such as Facebook account or Twitter account*
* these items are not collected on all forms.
Please note that we do not gather any other information about you from any third party.
In order for us to work with you, there are certain processes which will require that we provide your information to a third party. An example of this is passing your details to one of our partner organisations such as the Foodies Festival organisers or their agents, our Internet Radio and TV partners and so on. On these occasions we will need to include your name, address and email address as well as other associated data in order to fulfil our obligation to you. We ask your explicit permission to do this as part of our registration form data.
Where such information is made available to such a third party, one of the lawful bases contained within Article 6 GDPR will be applied. For example, the lawful bases of consent, contract, legal obligation and/or legitimate interests as our basis/bases for processing will apply.
How we use your data
Analytics
Processing Method : Google Analytics : Used to collect web interactions.
Personal Data: Cookies and Usage data.
Managing Contacts and Sending Email Messages
Processing Method : Microsoft Outlook : Used for day to day email communications and email address management with and for you.
Personal Data: various types of data including names and e-mail addresses.
Forms for Gathering Information
Processing Method : Website Forms : Used for gathering specific information about you and storing that data in a secure MySQL database.
Personal Data: various types of data including names and e-mail addresses, permission agreement records, supplementary data which is form specific.
User Database Management
Processing Method : MS Excel : used to manipulate and sort/manage the data you provide to pass to our third party partners.
Personal Data: names, e-mail addresses, geographic data, telephone numbers and permission agreement records, supplementary data which is partner use specific.
How we use your personal data - more detail.
In this section we set out:
- the general categories of personal data that we may process;
- in the case of personal data that we might not obtain directly from you, the source and specific categories of such data;
- the purposes for which we may process personal data; and
- the legal bases of the processing.
- categories of personal data that we may process
In all instances, we only collect and use information which is absolutely necessary to enable us to provide our services on a legal basis for processing. If you enter a relationship with us and subsequently terminate the relationship then information which we will have processed about you will be retained for a period of 12 months after which point it will be deleted from our database. You of course have the right to removal of your information at any time.
Summary of how we use your data
The information which you provide to us will be used to help us deliver the services which you have requested to be involved in. The information which you provide is then used only by us so that we can communicate with you in relation to anything associated with our business relationship. We also use that data in full or segmented ways to communicate your profile to our third party partners. By consent, we may also contact you by email about other services, advice and support which we believe might be of interest to you and might help you.
Categories of Data
There are a number of different categories of data which we may process about you. The following information outlines what this information type is so that you are fully aware.
With respect to visiting our website, we may process data about your use of our website and services ("usage data"). The usage data may include your IP address, approximate geographical location, browser type and version, operating system, referral source (how you reached our website), length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the usage data is our web embedded analytics tracking system. This usage data may be processed for the purposes of analysing the use of the website and our services. The legal basis for this processing is our legitimate interests, namely, monitoring and improving our website and services.
With respect to our relationships with you as a client, we may process your account data ("account data"). The account data will normally include your name and email address as an absolute minimum. Additional data ("profile data") that we may process in respect to your identification can include your postal address, telephone or mobile phone number and many other elements of meta data related to you as a client of ours (even if we have not entered into a formal arrangement). The source of the account data is provided directly by you when you establish a relationship with us when you complete a registration form. The account data may be processed for the purposes of providing our services and communicating with you about the nature of the services that we provide for you. The legal basis for this processing is your consent by virtue of you providing your data to us and also our legitimate interests, namely the proper administration of our relationship with you and therefore the performance of any duties which might arise between us.
We may process personal data that are provided in the course of the use of our services ("service data"). The service data may include web addresses, router IP addresses, hosting account credentials, database credentials. These are data which you do not provide directly but which are nevertheless related to you as a user of our service. The source of the service data is from our web hosting platform and its automated database. The service data may be processed for the purposes of operating your website, providing our services, ensuring the security of the website and services associated with the website, maintaining back-ups of our files (and hence your other data) and databases and communicating with you. The legal basis for this processing is your consent and our legitimate interests, namely the proper administration of our website and the performance of a relationship between us.
We may process information contained in any enquiry you submit to us regarding services that we advertise or offer ("enquiry data"). The data gathered as part of enquiry data will include your name, your e-mail address, any information which you provide within the enquiry, your IP address, and the time when the enquiry was made. The enquiry data may be processed for the purposes of offering marketing and relevant services to you and to facilitate responding to your queries. The legal basis for this processing is your consent and / or our legitimate interests, namely the proper administration of our website and the performance of a relationship between you and us.
We do not process information relating to transactions, including purchases of goods and services, that you enter into with us and/or through our website ("transaction data").
We may process information that you may provide to us for the purpose of subscribing to our email notifications and/or newsletters ("notification data"). The notification data may be processed for the purposes of sending you the relevant notifications and/or newsletters. The legal basis for this processing is consent and the performance of a relationship between us.
We may process information contained in or relating to any communication that you send to us ("correspondence data"). The correspondence data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms. The correspondence data may be processed for the purposes of communicating with you and record-keeping. The legal basis for this processing is our legitimate business interests, namely the proper administration of our website and relationship management and communications with you.
We may process any of your personal data identified in the other provisions of this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
In addition to the specific purposes for which we may process your personal data set out in this section, we may also process any of your personal data where such processing is necessary for compliance with a legal request or obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
Marketing to You
Marketing communications are part of our day to day relationship with you. In other words, we will hold your email address so that we can meet the legal obligation to fulfil our services to you and we may use this same information to send marketing information to you.
You will always have the option to retract your consent for marketing communications by unsubscribing at any time which can be done by using the appropriate unsubscribe link shown at the footer of all of our marketing communications. Equally, you are able to send an email to us or call our standard number to request that we remove you from our marketing list.
This unsubscription is recorded so that we have evidence of your choice; ideally you should keep a copy of any records about your subscription status in this respect.
Providing your personal data to others - more detail
We may disclose your personal data to any member of our business insofar as reasonably necessary for the purposes set out in this policy.
We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.
We may disclose profile data on our website insofar as reasonably necessary for the purposes of displaying testimonial quotations, expressly given to us by you and with your permission to do so. The only data so shown will be your name and your organisation name.
In addition to the specific disclosures of personal data set out in this section, we may also disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
International transfers of your personal data
In this section we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).
We have no offices, facilities or subcontractors or agents in countries outside the European Economic Area (EEA). As such no personal data will be transferred outside of the EEA.
The hosting facilities for our website are situated in the United Kingdom. As such no personal data will be transferred outside of the EEA.
You acknowledge that personal data that you submit for publication through our website may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others.
Retaining and deleting personal data
This section sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
We will retain and delete your personal data as follows:
- Usage Data will be retained for a period of 60 months, at the end of which period it will be deleted from our systems.
- Account data will be retained for a period of 10 years, at the end of which period it will be deleted from our systems unless your business relationship with us extends past that time.
- Profile data will be retained for a period of 5 years, at the end of which period it will be deleted from our systems unless your business relationship with us extends past that time.
- Service data will be retained for a period of 5 years, at the end of which period it will be deleted from our systems unless your business relationship with us extends past that time.
- Enquiry data will be retained for a period of 5 years, at the end of which period it will be deleted from our systems unless your business relationship with us extends past that time.
- Transaction data will be retained for a period of 5 years, at the end of which period it will be deleted from our systems unless your business relationship with us extends past that time.
- Notification data will be retained for a period of 5 years, at the end of which period it will be deleted from our systems unless your business relationship with us extends past that time.
- Correspondence data will be retained for a period of 5 years, at the end of which period it will be deleted from our systems unless your business relationship with us extends past that time.
- Notwithstanding the other provisions of this section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
Protection of your Information
Data protection ensures that Public-i:
- complies with data protection law and follows good practice
- acts only with the explicit instructions of our client (you)
- has appropriate technical and organisational security
- protects the rights of staff, customers and partners
- is open about how it stores and processes individuals’ data
- protects itself from the risks of data breach
- focuses on the expectations of the UK GDPR Data Protection Regulation in how we act as a data processor (service provider) and also as a data controller.
Public-i as Data Controller and Data Processor
The Information Commissioner's Office (ICO) have defined roles and responsibilities for Data Controllers and Data Processors.
- With reference to the state of being a Data Controller
- Public-i is the Data Controller for those processes necessary for performing its own business.
- In this respect we collect, handle and store (i.e. 'process') data about individuals in order to run our business.
- With reference to the state of being a Data Processor
- Public-i is a Data Processor for our customers who use our services.
In all cases, under the UK GDPR, we have a general obligation to implement technical and organisational measures to show that we have considered and have integrated data protection into our processing activities. This approach is termed "Privacy by Design" and the ICO has published guidance on privacy by design, which is an evolving document to support business in this area. Although this approach is not a requirement of the Data Protection Act, it helps us to comply with our obligations under the legislation.
Data Protection Law
The Data Protection Act of 2018 describes how organisations must collect, handle and store personal information. These rules apply regardless of whether the data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. The Data Protection Act is underpinned by eight important principles; these state that personal data must:
- be processed fairly and lawfully
- be obtained only for specific, lawful purposes
- be adequate, relevant and not excessive
- not be held for any longer than necessary
- be processed in accordance with the rights of data subjects
- be protected in appropriate ways
- not be transferred outside the European Economic Area (EEA) unless that country or territory also ensures an adequate level of protection
People, risks and responsibilities
Scope
This applies to
- the head office of Public-i
- all staff and any volunteers of Public-i
- all contractors, suppliers and other people working on behalf of Public-i
It applies to all data which Public-i holds relating to identifiable individuals, even if the information technically falls outside of the Data Protection Act 2018. This can include:
- Names of individuals
- Postal addresses
- E-mail addresses
- Telephone numbers
- Any other information relating to individuals which can be used to identify them uniquely.
Data protection risks
This assessment helps to protect Public-i from some very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out or shared inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how Public-i uses data relating to them.
- Reputational damage. For instance, Public-i could suffer reputational damage if unauthorised personnel successfully gained access to sensitive data.
Responsibilities
Everyone who works for, or with Public-i has responsibility for ensuring data is collected, stored and handled appropriately.
Each person or team that handles personal data must ensure that it is handled and processed in line with our processes and data protection principles.
However, these people have key areas of responsibility:
- The directors are ultimately responsible for ensuring that Public-i meets its legal obligations
- The managing director is responsible for:
- Keeping the board updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by our data protection principles.
- Handling data protection questions from staff and anyone else covered by our data protection principles
- Dealing with requests from individuals to see the data which Public-i holds about them - these are also called ‘Subject Access Requests’.
- Checking and approving any contracts or agreements with third parties that may handle Public-i’s sensitive data.
- Ensuring that all systems, services and equipment used to store data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services that Public-i is considering using to store or process data. For instance, cloud computing service providers.
- Approving any data protection statements attached to communications such as e-mails and letters.
- Addressing any data protection queries from journalists or media outlets such as newspapers.
- Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
General guidelines for staff employed by Public-i
- The only people able to access data covered by our data protection principles should be those who need it for their work
- Data should not be shared informally. When access to confidential information is required, employees must request it from the managing director.
- Public-i will provide training to employees to help them understand their responsibilities when handling data.
- Employees should keep all data secure, taking sensible precautions and following the guidelines outlined in our data protection principles.
- In particular, strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within the company or externally.
- Data should be reviewed regularly and updated if it is found to be out of date. If the data is no longer required, it should be deleted and disposed of.
- Employees should request help from the managing director if they are unsure about any aspect of data protection.
Data storage
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the managing director.
When data is stored on paper, it should be kept in a secure locked place, so that unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically and which has been printed out for a specific reason:
- When not required, the paper or file should be kept in a locked drawer or filing cabinet.
- Employees should make sure that paper copies and printouts are not left where unauthorised people could see them, such as on the printer.
- Data printouts should be shredded and disposed of securely where no longer required.
- When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If the data is stored on removable media, such as CD, DVD, USB memory stick, then they should be kept locked away securely when not being used.
- Data should all be stored on designated drives and servers, and should only be uploaded to an approved cloud computing service.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company's standard backup procedures.
- Data should never be sent directly to laptops or other mobile devices such as tablets or smart phones.
- All servers and computers containing data should be protected by approved security software and a firewall.
- Where websites are employed to present information or forms that collect information that the company might use, then the website will be protected by an SSL Certificate.
Data Use
Personal data is of no value to Public-i unless the business can make use of it. However, we are aware that when personal data is accessed and used it can be at the greatest risk of loss, corruption or theft.
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. In particular, it should never be sent by e-mail, as this form of communication is insecure.
- Data must be encrypted before being transferred electronically. The managing director can explain how to send data in this way.
- Personal data should never be transferred outside of the EEA.
- Employees should not save copies of personal data to their own computers. Always access and update central copies of data.
Data Accuracy
The law requires Public-i to take reasonable steps to ensure that data is kept accurate and up-to-date.
- The more important it is that the personal data is accurate, the greater the effort Public-i puts into ensuring its accuracy.
- It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
- Public-i will make it easy for data subjects to update the information Public-i holds about them. For instance, via the contact form on the company website, by e-mail or by telephone.
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
Subject access requests
All individuals who are the subject of personal data held by Public-i are entitled to:
- Ask what information Public-i holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how Public-i is meeting its data protection obligations.
If an individual contacts Public-i requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to the managing director.
The managing director will supply a standard request form by return, although individuals do not have to use this.
Individuals will not be charged for serving subject access requests. The managing director will aim to provide the relevant data within 14 days.
The managing director will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act 2018 allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Public-i will disclose the requested data. However, the managing director will ensure the request is legitimate, seeking assistance from the company’s legal advisers where necessary.
Your rights
In this section, we have summarised the rights that you have under data protection law. Some of the rights are complex, and not all the details have been included in our summaries below. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
Your principal rights under data protection law are:
- the right to access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to object to processing;
- the right to data portability;
- the right to complain to a supervisory authority; and
- the right to withdraw consent.
You have the right to confirmation as to whether or not we process your personal data and where we do this, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; the processing is for direct marketing purposes; and where the personal data have been unlawfully processed. However, there are certain general exclusions of the right to erasure. Those general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.
You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To the extent that the legal basis for our processing of your personal data is consent, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection.
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
You may exercise any of your rights in relation to your personal data by written notice to us.
Amendments
We may update this notice from time to time by publishing a new version on our website.
You should check this page occasionally to ensure you are happy with any changes to this policy.
We may notify you of changes to this policy by email or through the private notification system on our website.
Policy Date and Status
This policy has been updated to take account of the UK GDPR.
Amendment - 25 May 2018 [Removal of TAWK application from website - no longer needed]
Amendment - 30 September 2020 [Various stylistic updates to ordered lists]
Amendment - 1 Jan 2021 [To accommodate Brexit]
Amendment - 30 March 2021 [Various updates for new Forms Platform]
Date: 30 March 2021