Privacy Policy

Introduction

The York Unlocked organisation collects a limited amount of data from supporters and customers to enable services to be provided and news and events information to be shared.

This policy sets out why we collect personal information about individuals and how we use that information.  It explains the legal basis for this and the rights you have over the way your information is used.

Please be assured that when you provide your personal data, we will keep your information confidential, will only ask for enough information to enable us to provide the service you requested and we will only do exactly what we said we would do with it. At all times, we adhere to the core principles of the Data Protection Act (DPA) 2018 and UK GDPR that the data that we collect is “Adequate, Relevant and Limited” for the purposes that we collect it. If your information is either inaccurate and you would like us to amend it or change how we use it, then please let us know and we will do so as soon as is practicable.

We never share your data with others, nor do we store it or use it outside of the United Kingdom, and at an appropriate time we will confidentially dispose of your data after fulfilling the purpose that we originally collected it for.

We may have to change the privacy policy at intervals; however, we expect to review it every 2 years.  If you have queries about this policy or your personal information, then please contact the Data Protection Contact (see below).

Contacting the Data Protection Contacts

York Unlocked has a Data Protection Contact for the purposes of the EU General Data Protection Regulation.

The Data Protection Contact is Simon Bramfitt who can be contacted via info@york-unlocked.org.uk

Data Protection Principles

York Unlocked fully supports ‘the spirit and the letter’ of data protection as follows:

Data Collection Is “Adequate, Relevant and Limited”. At each point of data collection, it is our policy to advise you (the data subject) of what information we are collecting and why, what we intend to do with it, how we hold it and for how long, and how you can amend it, change its use or gain access to it as necessary.

  • Used For Specific Processing Purposes.  Personal data is only used for the express purposes that were stated to you at the point that they supplied it.
  • Processed Lawfully, Fairly and Transparently.  We operate a clear and transparent approach to obtaining and processing data (without any hidden objective or motive) whilst being in compliance with the law at all times.
  • Stored For No Longer Than Necessary and Securely. All personal data is held for the minimum amount of time to enable the stated processing purposes to be performed.  Electronic and hard copies of personal data are only available to authorised employees to perform these tasks.  All personal data is held securely requiring key access and/or electronic password access using industry standard software.  Computers systems comply with our ICT security standards. Backups of essential personal data will be completed at regular intervals with a copy held securely at a separate location.
  • Right to Access Or Amend Your Personal Data. You have the right, on written request (and without charge), to receive an electronic copy of the information we hold about you.  You also have the right to demand that any inaccurate data be corrected and to apply any processing restrictions on it.  Any of these rights can be exercised by contacting the Data Protection Contact (see above).
  • The Right to Be Forgotten. A data subject has the right ‘to be forgotten’ at any time.  This means that you have the right to have your information securely destroyed at any time unless another superior legal or contractual obligation takes precedence.  If the data subject doesn’t request to be forgotten during the term advised at the time of initially supplying information then the retention expiry date will eventually be reached.  On this retention expiry date information will be routinely deleted. Printed copies of any information will be confidentially shredded.

Our Legal Basis for Collecting and Processing Personal Data

The type and amount of information we collect depends on why you are providing it. Data Protection sets out a number of different reasons for an organisation to legitimately collect and process data, we use the following methods:

  • Explicit Consent - Where personal data is collected (e.g. when you sign up to receive a newsletter) in a non-contractual context, we provide clear information enabling you to sign up by responding to an email confirming your agreement, then collecting your personal data in a familiar way.
  • Contractual – To enable us to make bookings we require your information to maintain contact to enable us to provide a service.  We collect this in a contractual form, providing clear information in a prominent position in booking processes and terms and conditions.   Your agreement to this is recognised by your online booking confirmation. This is also accompanied by an explicit consent ‘tick box’ next to a data collection statement, to make it clear what you are agreeing to.

What, How and Where We Collect Personal Data

We collect personal data when you provide it to us to subscribe to information services or make bookings.

This is usually to enable us to maintain contact with you, so is typically in the form of name, address, telephone or email and if you are booking fee-based services this will include your payment information (e.g. credit and debit card details).  We would also then retain this information to fulfil tax and legal requirements.

We collect personal data:

  • Online when you visit our website, or a 3rd party booking provider website (e.g. eventbright.com) to make a booking
  • By telephone by calling to enquire.
  • By donating to us, or writing to us concerning a donation.
  • To facilitate entrance into our exhibition.
  • Booking a ticket.
  • If you volunteer to help us, either as an individual or as a representative of a sponsoring organisation or building owner, so that we can arrange support and maintain contact.

Who Has Access To Your Information

Only trained staff members or volunteers process your personal information if the Centre is contacted and enquiries and bookings are taken directly.

In today’s growing online accommodation industry, many bookings are made via third parties (e.g. eventbright.com). In these circumstances, the booking agent usually holds the primary relationship with you and York Unlocked is a secondary processor of personal data.  In this circumstance your booking information is securely forwarded by the third party to York Unlocked who manages access.  These bookings are received securely and processed with exactly the same care as if the booking was taken directly as outlined in this policy.

How We Keep Your Information Safe

Staff members are trained to be compliant with Data Protection guidelines by adopting the following procedures:

  • We only confirm confidential personal data to data subjects after completing verification checks.  We do not provide information to family members of the data subject without the data subject’s explicit (i.e. in writing) and verifiable consent.
  • Staff members are very aware that fraud and deception methods are used in order to gain access to personal data and under certain circumstances may choose to send information directly to the contact that we hold on file.
  • Personal data is only e-mailed if a secure network (e.g encryption) is in place.
  • Our online booking systems are professional industry standard software systems that use encryption solutions to protect your personal information and identity.
  • Our staff members are trained to securely and respectfully process your data and keep it confidential at all times.  All staff have confidentiality clauses in their contracts and would be subject to disciplinary procedures if any personal data was divulged whatsoever.
  • If face-to-face, a staff member may suggest you continue your conversation in a private room (if discussing information of a sensitive nature) if in a public space. 
  • All personal data is kept securely, either locked away if paper based, or if computerised, behind industry standard password protected systems. We do not leave personal data on desks or in unlocked offices unattended.

Keeping Your Information Up To Date

We appreciate it if you let us know if your contact details change.  Please contact the department that you originally supplied your personal data to, or if experiencing any difficulty, the Data Protections contacts.

How Long We Keep Your Information

Our approach is to hold your information for as little time as possible, however for contact and taxation reasons this is usually for as long as the relevant activity requires it. For example, for donations we have a statutory obligation to retain information for 6 years for tax purposes, however we only retain personal data for bookings for a year.

Making A Complaint

If you are unhappy with the way in which we have processed or dealt with your information then please contact your Data Protection Contact who will seek to rectify your complaint immediately.  You can also complain to the Information Commissioner’s Office on 0303 123 1113.