NRFT Privacy Policy May 2018

The NRTF is committed to protecting your privacy and security. This policy explains how and why we use your personal data, to ensure you remain informed and in control of your information.
From 25 May 2018, NRTF will ask its supporters to “opt-in” for marketing communications. This is due to a change to law which governs how we can communicate with you and a new regulation on personal data (the General Data Protection Regulation) coming into force in May 2018. Therefore, we are introducing a new approach that relies on you giving us your consent about how we can contact you. This means you’ll have the choice as to whether you want to receive these messages and be able to select how you want to receive them (email, phone, SMS or post).

You can decide not to receive communications or change how we contact you at any time. If you wish to do so, please contact us by emailing admin@nrtf.org.uk
We will never sell your personal data and will only ever share it with organisations we work with where necessary and if its privacy and security are guaranteed.

About Us

Your personal data (i.e. any information which identifies you, or which can be identified as relating to you personally) will be collected and used by the National Rural Touring Forum (charity no. 1062366 in England) 

The National Rural Touring Forum represents several, mainly rural touring, schemes and rural arts development agencies, principally across England, that aim to help local people to promote high quality arts events and experiences in rural and other community venues. 

The National Rural Touring Forum exists to work strategically with partners to develop work and deliver high quality art experiences that strengthen rural and other communities.


What Information We Collect

Personal data you provide

We collect data you provide to us. This includes information you give when joining or registering, placing an order or communicating with us. For example:

• personal details (name, date of birth, email, address, telephone etc.) when you join as a member or supporter;
• financial information we keep is for invoicing only. We do not keep payment information such as credit/debit card or direct debit details.
• If you decide to donate to NRTF then we will keep records of when and how much you give. We do keep information on donations and gift aid.
• Your scheme or company information with regard to touring
• If you have made comments on the forum
• If you have been part of an event or scheme
• If you have been in receipt of a bursary 
• Information on any contract you sign with NRTF


Information created by your involvement with NRTF
Your activities and involvement with NRTF will result in personal data being created. This could include details of how you’ve worked with us or helped us by volunteering or being involved in a project or event.

Information from third parties
We sometimes receive personal data about individuals from third parties. For example, if we are partnering with another organisation (e.g. you provide your information to another company we’re collaborating with on a project).
We may collect information from social media where you have given us permission to do so, or if you post on one of our social media pages.

Sensitive personal data
We do not normally collect or store sensitive personal data (such as information relating to health, beliefs or political affiliation). This is only the case if you have requested access or dietary needs at one if our events. This is private information an only shared with contracted NRTF event managers on a need to know basis.

Accidents or incidents
If an accident or incident occurs at one of our events or involving one of our staff (including volunteers) then we’ll keep a record of this (which may include personal data and sensitive personal data).

Staff and Contractors
If you are contracted by NRTF or employed, even as a volunteer then we may collect extra information about you (e.g. references, criminal records checks, details of emergency contacts, medical conditions etc.). This information will be retained for legal reasons, to protect NRTF (including in the event of an insurance or legal claim) and for safeguarding purposes.


How We Use Your Information

We only ever use your personal data with your consent, or where it is necessary to:

• enter into, or perform, a contract with you;
• comply with a legal duty
• protect your vital interests
• for our own lawful interests, provided your rights don’t override the these.

In any event, we’ll only use your information for the purpose or purposes it was collected for (or else for closely related purposes):

Marketing
We use personal data to communicate with people, to promote the NRTF and to help with fundraising. This includes keeping you up to date with our news, events, opportunities, updates, campaigns and fundraising information.

Administration
We use personal data for administrative purposes
This includes:
• membership registration (e.g. direct debits or gift-aid instructions);
• event sign ups
• award nominators
• submissions for performing opportunities such as RTDI and New Directions
• maintaining databases of promoters, performers, partners, members and supporters;
• helping us respect your choices and preferences (e.g. if you ask not to receive emails, we’ll keep a record of this).

Internal research and analysis
We carry out research and analysis on our membership, to determine the success of, and changes in the sector. We do this to better understand behaviour and responses and identify patterns and trends. This helps inform our approach towards advocacy and fundraising with an ambition for a stronger and more effective network. Understanding our supporters, their interests and what they care about also helps us provide a better service.


Disclosing and Sharing Data

We will never sell your personal data. We may share personal data with subcontractors or suppliers who provide us with services. For example, if we employ an organisation to do our social media, your name and email will be shared with this company. However, these activities will be carried out under a contract which imposes strict requirements to keep your information confidential and secure and for the agreed specific purpose.
We will not share data with third parties, unless they are contracted to undertake dedicated NRTF business in which case a GDPR and confidentiality agreement will be in place to protect data.


Communications

From 25 May 2018 we will ask our databases to “opt-in” for general and mass email communications. This includes newsletters, discussion boards and marketing. You have the choice as to whether you want to receive these messages.
You can decide not to receive communications or change how we contact you at any time. If you wish to do so, please contact admin@nrtf.org.uk

When you receive a communication, we may collect information about how you respond to or interact with that communication, and this may affect how we communicate with you in future.


Research & Profiling

This section explains how and why we use personal data to build profiles which enable us to understand our members, improve our relationship with them, and provide a better service.


Analysis and grouping
We gather research information via general surveys and funded research projects. Via this we analyse Rural Touring members, audiences, suppliers and performers to determine common characteristics and preferences. We do this by assessing various types of information including statistical data or demographic information (e.g. age or location). 
By grouping people together based on common characteristics, we can better advocate and educate on the rural Touring sector.

Anonymised data
We may aggregate and anonymise personal data so that it can no longer be linked to any person. This information can be used for a variety of purposes, such as recruiting new audiences and performers, or to identify demographics and diversity in the sector.


Young People

We want young people to be an important part of the Rural Touring experience. We take great care to protect and respect the rights of individuals in relation to their personal data, especially in the case of children.  If we hold data on someone under 18, we’ll only use his or her personal data with parental consent.

Parental permission

Sometimes there are opportunities to share photos, videos, stories and pictures, which may include young people. If someone is under 18 then we need permission from the parent or guardian to use it. Please ensure permission is sought when sending in or publishing photographs of young people.
If an image of a young person is posted by a 3rd party (i.e. not NRTF) on social media or in a discussion we will assume permission has been granted to share it.


How We Protect Your Data

We use a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to, or use, or disclosure of your personal information. 
Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Our staff and contractors receive a set of detailed data protection procedures which personnel are required to follow when handling personal data.

Payment security
Payments to NRTF accounts are generally made by a 3rd party systems such as PayPal or box Office facilities. This means we do not have access to or store financial information.
We keep bank details, when an invoice has been sent or received. This is stored on our bank account as creditors and payees. We also store digital and paper invoices. The NRTF Director, Finance Manager and appointed Accountants are the only people who have access to these details, which are securely stored and monitored.
Bankers - Barclays Bank plc, 1-3 Broad Street, Hereford, HR4 9BH
Independent Examiner - Mrs M Hutchings, Apsleys, 21 Bampton Street, Tiverton, Devon, EX16 6AA


Storage

Where we store information
The NRTF’s operations are based in the UK and we store our data within the European Union. Some organisations which provide services to us may transfer personal data outside of the EEA, but we’ll only allow them to do if your data is adequately protected.
For example, some of our systems use Microsoft products, Dropbox and Google Docs. As a US company, it may be that using their products result in personal data being transferred to or accessible from the US. However, we’ll allow this as we are certain personal data will still be adequately protected (as Microsoft is certified under the USA’s Privacy Shield scheme).

How long we store information
We will only use and store information for so long as it is required for the purposes it was collected for. How long information will be stored for depends on the information in question and what it is being used for. For example, if you ask us not to send you marketing emails, we will stop storing your emails for marketing purposes (though we’ll keep a record of your preference not to be emailed).
We continually review what information we hold and delete what is no longer required. We never store payment card information.

Reviews
We review who and where data is stored on an annual basis. This covers who has access to what (i.e. contracted employees and project partners). We check information that is stored in cloud systems such as Google Drive and Dropbox is on secure password protected computers and use for specific and contracted purposes that do not exploit or breach your data protection rights.


Your Legal Rights

We want to ensure you remain in control of your personal data. Part of this is making sure you understand your legal rights, which are as follows:

• the right to confirmation as to whether we have your personal data and, if we do, to obtain a copy of the personal information we hold (this is known as subject access request)
• the right to have your data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason)
• the right to have inaccurate data rectified
• the right to object to your data being used for marketing or profiling
• where technically feasible, you have the right to personal data you have provided to us which we process automatically based on your consent or the performance of a contract. This information will be provided in a common electronic format.

Please keep in mind that there are exceptions to the rights above and, though we will always try to respond to your satisfaction, there may be situations where we are unable to do so.


Data Breach Procedures

NRTF is obliged under the Data Protection Act to have in place an institutional framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility. If needed you can request a copy of NRTF Data Breach & Privacy Policy.

Definition / Types of Breach    
An incident includes but is not restricted to, the following:
• Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of  laptop, USB stick, iPad/tablet device, or paper record)
• Equipment theft or failure
• Unauthorised use of, access to or modification of data or information systems
• Attempts (failed or successful) to gain unauthorised access to information or IT system(s)
• Unauthorised disclosure of sensitive / confidential data
• Website defacement
• Hacking attack
• Unforeseen circumstances such as a fire or flood
• Human error
• ‘Blagging’ offences where information is obtained by deceiving the organization who holds it


Cookies and Links

Cookies
Our website uses local storage (such as cookies) to provide you with the best possible experience and to allow you to make use of certain functionality. Further information can be found in our Cookies Policy at 

Links to other sites
Our website contains hyperlinks to many other websites. We are not responsible for the content or functionality of any of those external websites (but please let us know if a link is not working).
We suggest you read the privacy policy of any website before providing any personal information. http://www.ruraltouring.org/privacy


Changes to This Privacy Policy

We’ll amend this Privacy Policy from time to time to ensure it remains up-to-date and accurately reflects how and why we use your personal data. The current version of our Privacy Policy will always be posted on our website. 
This Privacy Policy was last updated on May 2018

back