Keeping your personal information safe
Submerge will not sell your data to any third parties, but we may sometimes share your information with selected partners who hold the same values as us and have evidenced strict standards for collecting and storing data securely.
Submerge is a Data Controller, as identified through GDPR legislation. The Data Protection Supervisor for Submerge is Mike Pony and he can be contacted by emailing [email protected]
Data – what do we collect?
Submerge and its subsidiary companies collect individual’s data in a number of different ways, for a number of different purposes – for example we will:
• Ask for contact details when we are booking audiences or participants into events, workshops or training. This will be a name, phone number, email address and address.
• Ask for monitoring information from audiences, participants and volunteers, which typically includes information about date of birth, sexuality, gender or ethnicity.
• Ask audiences, participants, interns and volunteers to complete evaluation to support the development of our events, workshops and training. This would typically include feedback about the activity and/or tracking changes to wellbeing, activity levels etc as a result of taking part in the activity.
• Ask individuals, groups or organisations who are financial supporters to give us information that allows us to administrate donations. This would typically include information such as a name, contact details, address, email, telephone number and payment details.
• Ask for contact details from audiences, participants and community members to keep them informed about our events, programmes and opportunities or fundraising initiatives. This would typically be an email address.
• Ask for consent to collect cookies from the website to allow Submerge to use google analytics.
Why do we collect this data?
Submerge collects this data for a number of specific reasons, which are as follows:
• We ask for contact details so that we can contact you if an event is cancelled or changes in some way.
• We ask for monitoring information in order to ensure that we are reaching the target groups for our projects and services.
• We ask for evaluation and feedback on what we do, so that we can improve our work and make a case for funding.
• We ask for financial information if you have asked to make a donation to us so that we can carry out our charitable aims.
• We ask for your contact details so that we can occasionally contact you via email with news about our projects and services or with suggestions of ways in which you could become involved with our work.
• We analyse information from audiences, participants and community members to ensure that all of Submerge’s communications are tailor-made to their needs, interests and requests.
• We use google analytics to help us understand who is engaging with our website and in what way, in order to improve its functionality.
Privacy and the Law
The Law on Data Protection is derived from various pieces of legislation including the Data Protection Act and the General Data Protection Regulation or GDPR, to which all organisations based in the UK must be compliant from May 2018. The GDPR states that personal data can only be ‘processed’ (i.e. collected, stored and analysed) if there is a legal ground to do so. The GDPR provides six legal grounds under which personal information can be legally processed. Five out of the six grounds for processing that are most relevant to Submerge’s use of your data are:
1) Consent: where you have given us clear consent for us to process your personal data for a specific purpose – i.e. you have signed up to our mailing list.
2) Contract: where processing your data is necessary for us to complete a contract that we have entered with you – i.e. to send you tickets that you have ordered for an event.
3) Legal Obligation: where processing your data is necessary for us to comply with the law – i.e. to complete a DBS check in order to employ you to work with vulnerable people.
4) Vital interests: where processing your data might be necessary to protect your safety or your life – i.e. to follow Submerge’s safeguarding policy by alerting the relevant authority to follow up a serious safeguarding concern.
5) Legitimate interests: where we are sending you information about one of our events and services that we are confident you want to hear about and which is a necessary part of delivering our charitable objectives.
Submerge will always ensure we have specific and time-bound consent to hold your data, we will be clear about why we are processing or analysing it and we will treat the information you give us with respect. The company will never rent, swap or sell your personal information to other organisations for them to use in their own marketing activities and we will always be able to give you a clear and straight forward answer about what data we hold, how we store it, what we will use it for and what the legal grounds for doing so are.
Submerge will always ask for your consent before we communicate with you and this will be specific and time-based – i.e. we will only hold it for a stated period of time. You will also be able to withdraw your consent at any time by emailing Submerge’s Data Protection Supervisor on [email protected]
What is Legitimate Interest
This legal ground for processing means that organisations can process your personal information if they 1) Have a genuine and legitimate reason for doing so and 2) That use does not harm any of your rights and interests as an individual.
We believe that Submerge’s community understand and support what we are trying to achieve and want to hear about our work. Unless you tell us not to, we think you are happy for us to process your personal information so we can let you know what we are up to and how to get involved. We will always consider your right to privacy and will only send you emails that are relevant to your interests.
Existing audiences on Submerges mailing list have already completed a ‘soft opt-in’ to receiving emails from us through subscribing to our mailing list, and we believe that they will want to continue to hear about our work. We also believe that we treat their personal data with respect and care and that the emails we share do not infringe on their personal rights to privacy. We always offer our audiences a simple and easily accessible ‘unsubscribe’ button on each email so they can opt-out of this service at any time.
New audiences will be asked to opt-in to receiving communications from us for the next five years and the sign-up form on Submerge’s website will be GDPR compliant.
How long will we hold your data for?
If you have opted in to receive information about Submerge’s work we will ask for your consent to hold your data for 5 years. This is because this is the period of time in which we plan cycles of our work, with each of our services running to 5-year business plans. We know from our existing data that our audiences are loyal and stay with us over long periods of time and feel confident that this time period is appropriate for those accessing our work. There are some exceptions to this rule such as health and safety records which we are required by law to keep for 7 years but as a general rule, we will seek your permission to keep your data after 5 years.
Changing Your Mind
Engaging with Submerge is always your choice. If you don’t think we have got the level of communication quite right for you, you can ask us to remove you from our database permanently by emailing [email protected] and we will act on your wishes immediately.
Submerge are a Data Controller – this means that we will collect data from audience members (for example monitoring information) and analyse it to understand how well the project is working (for example how many of an audience group come from a target post-coded area). This analysis of monitoring surveys is completed and the results of the analysis are typically written as a % point, such as 80% of audiences attending Submerge’s events report that they live in a specific post coded area. Once this analysis is completed, all of the monitoring surveys are shredded and all links to individuals’ data are removed. The percentage line is then submitted to a small number of third parties – which are usually funding bodies, as evidence of each projects performance against the funder’s preset targets. In this way, Submerge collects data from individuals but analyses it quickly and only retains key points from the analysis that cannot infringe on the rights of individuals.
GDRP legislation specifies that each company differentiates between Data Processors and Data Controllers. Submerge has a number of named Data Processors who are responsible for distributing, receiving back and storing data which is collected in the form of contact details, monitoring surveys or questionnaires from audience members and participants attending each of the company’s projects. The guidelines for the Data Processors include using password protected computers with encrypted files, storing questionnaires safely in locked filing cabinets until they can be processed and analysed and not sharing the data that the company holds with any third parties.
Submerge’s board are Data Controllers. The Data Controllers hold the responsibility to provide written advice and guidance to the Data Processors to ensure that they are using systems that will protect your data and your privacy, and that this can be evidenced if any of the companies are investigated or audited.
Cookies and Web Privacy
Every time you log on to our website your IP (Internet Protocol) address registers on our servers. Your IP address reveals no information other than the number assigned to you. We will not use this technology to get any personal data against your knowledge or free will (i.e. automatically recording e-mail addresses of visitors). Nor do we use it for any purpose other than to help us monitor traffic on our website, or (in case of criminal activity or misuse of our information) to cooperate with law enforcement.
We use a number of different cookies on our site. If you do not know what cookies are, or how to control or delete them, then we recommend you visit http://www.aboutcookies.org for detailed guidance.
1) First Party Cookies
These are cookies that are set by the websites concerned directly.
2) Google Analytics
Submerge uses Google Analytics to collect information about visitor patterns to the website. Google Analytics stores information about what pages are visited, how long each visitor spends on the site, how they got here and which pages are visited. This Analytics data is not tied to personally identifiable information – your personal information such as your name and address is not stored and therefore cannot be used to identify who you are. You can find out more about Google’s position on privacy as regards its analytics service.
3) Third Party Cookies
These are cookies set by external websites whose services are used on the Submerge website. Cookies of this type are the sharing buttons across the site, which allow visitors to share content from the Submerge website onto social networks such as Facebook or Twitter.
Third Party Cookies are currently set by Twitter, Facebook, Google+, Instagram and Pinterest if you share content from the Submerge website to these platforms. In order to implement these buttons, and connect them to the relevant social networks, Submerge uses scripts from domains outside of our website. You should be aware that these sites are likely to be collecting information about what you are doing all on the internet, including when you access the Submerge website. If you are concerned about your privacy, you should check the respective policies of each of these sites to see how exactly they use your information and to find out how to opt out, or delete, such information.
The majority of the emails that Submerge sends are not tracked at all. However occasionally, we will send out an email with news about what is coming up and these will track whether the user has opened and clicked on the email. We do not use this information at a personal level, rather we use it to understand ‘open and click’ rates on our emails to try and improve them. If you want to be sure that none of your email activity is tracked, then you should opt out of our emails which you can do via the unsubscribe link at the bottom of every email that is sent.
All donations to Submerge on this site are secure. No one can access your credit card details via the internet.
Protocol in the event of a Data Breach
In the event of a significant data breach, Submerge will notify the ICO within 72 hours, notify any individuals affected and contact the board of directors. A ‘significant breach’ would be an incident where individuals’ data was released into the public domain and there was a serious risk to their privacy.
Documentation – The use of photographs, audio and video data
All digital photographs, audio and video files which document our work up to May 25 2018 will be held in our historical archive, which we will continue to hold as we believe that it is of legitimate interest to the arts and performance community and to the continued delivery of our objectives. Information in the public domain prior to the 25 May is also exempt from GDPR legislation – this includes all photographs, audio files and films that are held on the Submerge websites.
After May 25 2018, Submerge will seek consent to collect and hold digital photographs, audio and video files. This consent will be specific, time based and the data will only be collected and processed when the collective has a Legitimate Interest for doing so
Right to be Forgotten
Finally, Submerge will be happy to provide you with all the data that we hold on you and to delete it from our records if requested. If you wish to see or delete the data that we hold on you, we will need to see an original piece of primary identification such as a passport or driving license before we will be able to release the information. Once you have made a request we will respond within 30 days as required by the GDPR legislation. If you have a request please, contact us on [email protected]