Privacy Policy

This privacy policy sets out how the Forum uses and protects any personal information given to the Forum, including that provided when you use this website.


The Forum is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this privacy policy.


The Forum may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from June 2018.


The Forum (Northallerton) Ltd


Personal Data Privacy Notice- June 2018


The Forum (Northallerton) Ltd (“we”) promise to respect the confidentiality of any personal data you share with us, and to keep it safe.  We will always take every effort to protect your privacy


We pride ourselves on our honesty and openness and will always be clear how, when and why we collect and process your information. We promise we will never do anything with your details that you wouldn’t reasonably expect.


Developing a better understanding of our customers, and volunteers is crucial, and your personal data allows us to manage our relationship with you.


We also need to maintain records of our staff, suppliers, Trustees and Members of the Forum, through our status as a Charitable Company Limited by Guarantee.  We use this information for business purposes and to meet the requirements of the various regulations affecting those relationships.


We collect information in the following ways:


When you give it to us DIRECTLY

There are many ways you may give us your information. For example, when you purchase tickets, hire a room or communicate with us either by phone, in writing, including email or in person, when you join as a Trustee or Member, begin volunteering, commence as a supplier or a member of the staff team. We are responsible for your data at all times.


When you give it to us INDIRECTLY

Your information may be shared with us by independent organisations, for example by organisations hiring the Forum, or by our suppliers. These independent third parties will only share your information when you have consented, or in some cases where there is a statutory requirement to share data (eg HMRC). You should check their Privacy Notice when you provide your information to understand fully how they will process your data.


Via Social Media

Depending on your settings or the privacy notices for social media and messaging services like Facebook, WhatsApp, LinkedIn or Twitter, you might give us permission to access information from those accounts or services.


Cookies


In respect of our website, we use “cookies” to help us make our site, and the way you use it, better. We do not store any personal data in the cookies that we use.


Cookies mean that a website will remember you. They’re small text files that sites transfer to your computer (or phone or tablet). They make interacting with a website faster and easier – for example by automatically filling your name and address in text fields.


In addition, the type of device you’re using to access our website and the settings on that device may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you’re using, what your device settings are. Your device manufacturer or operating system provider will have more details about what information your device makes available to us.


The type and quantity of information we collect and how we use it depends on why you are providing it. You should be able to control what cookies are placed on your device through your browser settings. Go to www.aboutcookies.org to find out more about cookies, including how to see what cookies have been set and how to manage and delete them.


We may use Google Analytics to analyse the use of our websites by generating statistical and other information.


Details captured during your visit to our websites will include, but are not limited to, traffic data, location data, weblogs and other communication data and the resources you access. However, all data collected is anonymous and will not identify you as an individual.


Google, not The Forum, stores this activity information. You can view Google’s privacy notice here.


To opt out of being tracked by Google Analytics across all websites visit their website here.


What personal information we collect and how we use it

We will only ever capture the minimum amount of information that we need to manage our relationship with you. and we promise to keep your information secure. The personal data we will usually collect is:


    In the case of customers including hirers, your name and contact details

    Details of the enquiry, event or service, including ticket sales

    In the case of volunteers, your interests, that may assist in matching you to roles, and the information , including your personal details, that we need to manage our relationship with you

    For staff, the information we need to manage our relationship with you, including information required for our monitoring of equalities matters and for roles requiring a DBS check, the information required to complete that check

    For job applicants the information necessary to consider your application

    For Trustees and Members, the information we require to comply with the regulations linked to our status as a Charitable Company Limited by Guarantee

    For suppliers, the contact information required to manage our relationship with you

    Where we are paying you by bank transfer we will collect the bank details necessary to make a payment.

    Where you are paying us by credit or debit card we will take the necessary details to complete the transaction through our Box Office system. Other than for the purpose of completing that transaction through the system we will not separately record or store this detail.


Where it is appropriate, we may also ask for additional information


How we will use your data

We will use your personal data for the legitimate interest of conducting core business activities, these will include:


    For those purchasing tickets over the internet, by telephone, or in advance at the box office, we will hold sufficient data to contact you in respect of any issues arising on the performance booked, such as a need to cancel or rearrange an event

    Customers will be asked separately if they wish to be contacted by email for marketing purposes and to learn about future events.

    Within this context, the type of event attended in the past may be used to provide focussed marketing on future events that may be of interest

    Information from hirers will be used to manage the booking, including subsequent invoicing.

    Card data will not be stored for re-use, and records will be maintained solely to manage booking records, and account for sales

    Communicating organisational messages and information to staff, trustees, volunteers and Members

    Communicating with suppliers

    For HR/Employment records for staff

    Maintaining records at Companies House and the Charity Commission

    Maintaining banking records, including the banking mandates

    Maintaining the list of Members, including the public record of Members

    Keeping a record of your relationship with us

    Understanding how we can improve our services, products or information

    In any other way we may describe when you provide the information

    For any other purposes with your consent


Sensitive information

We do not collect any personal information on users of our services or volunteers classified as ‘sensitive’ under the General Data Protection Regulations (“GDPR”) which are introduced into UK law from 25th May 2018.


Employees

We will collect all personal information required to comply with employment legislation, including where necessary sensitive information. This may include medical information and where additionally appropriate we will perform a criminal record search. To prevent discrimination and to ensure diversity, we shall request information from the employee on religion, sexuality and ethnicity.


Trustees

We will collect personal information required to comply with company or charity legislation and record keeping, including where necessary sensitive information.


CCTV

In order to prevent and detect crime, and to ensure the safety of our service users, volunteers and staff, we operate CCTV systems at the Forum. These cameras record footage in real-time and are operated and controlled by our own staff. We would only save footage and share this information when requested to do so as required by law, police investigation, or if pertinent to judicial or governmental investigation.


Recording Telephone Calls

We do not record telephone calls.


Data Sharing

1) Our service/host providers

In the course of our legitimate business activities, there may be a need for us to share, or give access to, your personal data to third parties that provide us with services or host our applications/software that you may access, for instance:


    Banking organisations – those that provide our banking/payment services

    Cardstream, Creditcall and Yespay – the providers of card handling services for our point of sale, telephone booking and internet sales facilities

    E Hosting – the provider of our website hosting service

    First Data Management Systems – who provide card merchant services

    Google – who provide the IT services we use for the storage of files on Google Drive

    Home Fix Computers - our IT management and support provider

    HMRC – for tax and employment details

    MailChimp – our communication mailing software service provider

    Maraid – the provider of our website development and support, which includes facilities for individuals to sign up to our newsletters

    Microsoft – who provide the IT software we use for business purposes including E Mail services and the storage of our files

    Sage Systems – who provide our accounting software

    Savoy Systems – the provider of our Box Office software system, which maintains patron records and manages the payment process for card payments.

    TP Jones and Co LLP – the providers of our staff payroll services


We will ensure that data processing agreements, compliant to GDPR, are in place before sharing with, or giving access to, your data with any of our service/host providers.


2) Sharing with third parties

We will never sell your personal data to anyone else.


We will only ever share your personal data in other circumstances, not listed above, if we have your explicit and informed consent at the time of collection. However, we may need to disclose your details if required to the police, other agencies, for example HMRC, regulatory bodies or our legal advisors.


How we keep your information safe and who has access to it

We ensure that there are appropriate physical and technical controls in place to protect your personal details. For example, confidential paper records are securely stored, our computerised records are accessed only via secure user login’s which are password controlled, our network is protected by appropriate security software and routinely monitored. Confidential paper waste is shredded at our premises before disposal.


We undertake regular reviews of who has access to information that we hold to ensure that your personal information is only accessible by appropriate staff, Trustees or designated volunteers, and our service/host providers. Where personal data is a consideration, we carry out checks on the companies we use before we work with them and ensure documentation  is in place that sets out our expectations and requirements, especially regarding how they manage the personal data they may have access to as part of providing those services. These will be reviewed in the light of the GDPR regulations to ensure they are compliant with these new requirements.


We have a duty to report certain types of personal data breaches to the relevant supervisory authority, and where feasible, we will do this within 72 hours of becoming aware of the breach. If a breach is detected and likely to result in a high risk of adversely affecting you, we will inform you without undue delay.


Where we store your information

As a small organisation, we use third party providers to host our records including IT files and E Mail records, and as some of these are multinational organisations it is not possible for us to guarantee that all data is processed solely in the UK or EU or the European Economic Area, and hence covered directly by the GDPR regulations.  We will use our best endeavours, for these multinational organisations, to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us you understand your personal data may be stored and processed at a location outside the European Economic Area.


We have identified three specific multi-national organisations who provide data processing services for us – Microsoft, Google and Mailchimp.  In each case we have reviewed the arrangements made by these organisations for data privacy and for GDPR compliance in particular.  In each case these organisations are part of an arrangement called the EU – US Privacy Shield.  This arrangement ensures data is transferred lawfully between the EU/EEA and the US in line with this Privacy Shield Certification.


How long we retain your information and how we keep it up to date

We aim to keep your information only for as long as we need it to allow us to provide you with your service associated with the Forum,


There are statutory timescales on how long we should keep your information, for example, gift aid transactions must be retained indefinitely, employment records for 6 years after an employee leaves, financial records must be kept for 7 years, information associated with Health & Safety for three years after an event. Companies House and Charity Commission records indefinitely. We shall delete your information according to these statutory limits, or according to guidance issued by the Information Commissioner.


In respect of the customer history records of your relationship with us, we are currently working with our Box Office system supplier on how we might manage records of customers who have not purchased a ticket in advance for a period of time, and have not asked us to keep in touch for marketing purposes. Until such a process is in place the system records the history of transactions from early 2013 when the system was implemented.


Individuals subscribed to our marketing emails or other channels are responsible for keeping their own personal data and preferences up to date. In addition, where necessary, we aim to keep your information accurate and up-to-date.


Your rights

The General Data Protection Regulations gives you certain rights and these are listed below for your convenience, further clarification of your rights is available on the Information Commissioners website


    You have a right to be informed when your personal data is being collected, what is collected and how it will be used or shared.

    You have a right of access to your personal data: the right of access allows you to be aware of and verify the lawfulness of the processing of your personal data. Patrons have access to their personal data via the self-service system on our Oscar Box Office System. You can also request a copy of the information which we hold on you. This information will be provided free of charge, unless the request is found to be manifestly unfounded or excessive when a reasonable fee will be charged. The application should be made in writing, by letter or email, and addressed to the Forum Manager, contact details shown below, enclosing two proofs of identification.


Applicants should be aware that where requests are manifestly unfounded or excessive, in particular because they are repetitive, The Forum can:

- charge a reasonable fee taking into account the administrative costs of providing the information; or

- refuse to respond.


    You have a right in certain circumstances to have inaccurate personal data rectified, blocked (restrict processing), erased (right to be forgotten), or destroyed.

    You have a right in certain circumstances to object to the processing of your personal data for such reasons as direct marketing, automated decision making, profiling; although we can confirm we make no decisions on you using an automated process.

    You have a right in certain circumstances to data portability.


In certain situations, these rights may not apply, for example if you have purchased a ticket for a future event we may need to communicate with you about that event, in which case you will not be able to unsubscribe from these communications.


We collect and process your personal data through legitimate interests or because you have provided it to us to enable us to deliver a service to you. We will only process your personal data as you would reasonably expect us to. You can opt out of our general customer or volunteer mailings at any time.


Finally, if you are unhappy with how we have processed your information, you have the right to lodge a complaint with the Office of the Information Commissioner, contact details below.


Changes to this privacy notice

We may change this Privacy Notice from time to time. If we make any significant changes in the way we treat your personal information we will make this clear on our website www.forumnorthallerton.org.uk or by notifying you directly.


Our contact details

The Forum Manager


The Forum

Bullamoor Road

Northallerton

North Yorkshire

DL6 1LP


Tel: 01609 776230

Email:manager@forumnorthallerton.org.uk


Complaints

If you are unhappy with how we have processed your personal information, please firstly contact the Forum Manager, details above. If you are still unhappy you may contact the following:


Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire, SK9 5AF


Helpline: 0303 123 1113 (local rate) or ++44 1625 545 745

Menu