PRIVACY & DATA USAGE POLICY
Effective Date: 22nd June 2024
DEFINITION
“We”, “us”, “our” and “ours” are used in this Policy to denote philipholyman.com.
- INTRODUCTION
We are committed to protecting your personal information (often referred to as personal data). It’s your information, it’s personal, and we respect that. It is very important for us that we can maintain the trust and confidence of those who interact with us.
This policy gives you detailed information about the types of personal data we collect, when and why we collect it, as well as how we handle it and keep it secure.
If you have questions regarding your personal data and/or its use, please don’t hesitate to contact us using the details below. Depending on your enquiry, we may ask you to provide proof of your identity.
More information about us, including our contact details
We are known as the “data controller” of any personal data you share with us. A controller determines the purposes and means of processing personal data.
Our correspondence address is:
Philip Holyman c/o Little Earthquake
Oakdale Centre
Umberslade Road
Selly Oak
Birmingham
B29 7RZ
You can also email us at hellopip [at] philipholyman [dot] com, or send us a message using the contact form on our website located here.
- DATA PROTECTION REGULATION
The General Data Protection Regulation (GDPR) applies in the UK and across the EU from May 2018. The regulation defines “personal data” as any information by which an individual can be identified. It goes on to state how that data should be handled. This policy also extends to personal data that is provided anonymously and/or is pseudonymised.
When we collect your personal data, GDPR requires that we:
- Tell you who we are, why we are collecting the data, for how long we will hold the data, and who receives the data — this policy informs you of all these things;
- Get clear consent from you before collecting the data and maintain a record of that consent;
- Let you have access to the data we hold about you at your request, and allow you to take that data with you;
- Have the ability to amend the data we hold about you at your request;
- Have the ability to change the way we use your data at your request;
- Have the ability to delete your data at your request (sometimes called ‘the right to be forgotten’);
- Let you know if data breaches occur.
In addition, GDPR requires that your personal data shall be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes — further processing for archiving purposes in the public interest, scientific/historical research, or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- Accurate and, where necessary, kept up to date — every reasonable step must be taken to ensure that inaccurate personal data is rectified or erased without delay;
- Kept in a form which permits identification of data subjects for no longer than necessary;
- Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate organisational and technical measures.
The data controller (in this case, We) shall be responsible for, and be able to demonstrate, compliance with these principles.
For more information about GDPR, visit: www.eugdpr.org
- WHEN AND HOW WE COLLECT YOUR PERSONAL DATA
Personal data we collect directly from you
Generally, we only collect your personal data when you choose to interact with us directly. At such times we may collect the data in a number of ways, including:
- When you visit our website at www.philipholyman.com;
- When you interact with us on social media and other online platforms;
- When you sign up to our mailing list to receive our regular newsletter, information and promotions about our work, and details about how you can support us;
- When you send comments and messages to us via the contact forms on our website;
- When you submit comments on our website blog posts;
- When you purchase tickets for an event where we are running the box office ourselves. This may be by using a third-party ticketing service such as Eventbrite;
- When you contact us by email;
- When you contact us by post;
- When you speak to us over the telephone or communicate with us via text message;
- When you apply for a position with us or send us unsolicited CVs;
- When you apply to take part in one of our participatory activities;
- When you enter competitions that we run;
- When you fill out feedback forms about our work;
- When you make financial donations in support of our work — this may be by using third-party donation and payment services such as Donorbox, Stripe, PayPal and ApplePay;
- When you make in-kind donations in support of our work;
- When you attend one of our events or take part in a participatory activity and we are documenting it with photographs or by filming it.
Personal data we collect from third parties
As well as obtaining personal data directly from you, we may obtain information about you independently. Times when we do this include:
- When you purchase tickets for our events through a third-party venue/promoter via their online, telephone, app or in-person box office systems and they get your consent for you to be contacted by us;
- When another organisation thinks that you will like our work and they get your consent for you to be contacted by us;
- When we screen our database against recognised data hygiene files such as the National Change of Address file in order to rectify inaccurate data;
- When we collect information found in places such as Companies House and information that has been published in other publicly available sources, including articles and newspapers;
- When your personal settings or the privacy policies for the social media accounts and messaging services you use give us permission to access information from those accounts or services.
Within one month of your personal data being provided to us by a third party or collected from a publicly accessible source, we will contact you directly and tell you who shared it with us or from where we collected it. We will ask if you’re still happy for us to hold your personal data and if you aren’t, we will delete it securely with immediate effect.
- THE TYPES OF PERSONAL DATA WE COLLECT
The types of personal data we collect are listed below. Although it is not compulsory for you to provide all of the information listed, we may not be able to provide you with the full range of services that we have to offer, should you choose not to do so.
Personal data that can be used to identify you specifically
This may include:
- Prefix/preferred title;
- First name and last name;
- Email address;
- Contact telephone number;
- Contact address;
- Delivery address;
- Billing address;
- Payment card details — please note that we do not store any Credit Card or other payment information directly: this will be done by a specific payment or donation service such as Stripe, PayPal, ApplePay and Donorbox;
- Date of birth;
- Age;
- Your image, including photographs and film.
If you are a student, we may also collect:
- Name of school/college/university;
- Area of school/college/university;
- Course name;
- Course faculty;
- Course level;
- Course end date.
Online usage data (including cookies)
When you visit our website, interact with us on social media and other online platforms, or click on links that we have posted, there are certain industry standards we follow that collect specific types of anonymous and/or pseudonymised data about you. This data cannot be used to identify you personally.
When you interact with us online, we may obtain your automatically populated Internet Protocol Address (more commonly known as an IP Address). This is a unique number which allows a computer or device to browse the internet. Your IP Address gets linked to all online activity you carry out, and a log file records the websites you visit (including the individual pages on a website), the date, time and duration of your visit, the referring website (if provided), your Internet browser type and version, unique device identifiers and other diagnostic data.
IP Addresses, in and of themselves, do not collect, save or store any personally identifiable information about you and are only used for pseudonymised tracking. However, if you’re signed up with an Internet Service Provider (ISP) — which is the way most of us get our Internet service — then your ISP can easily link your IP Address with your contact information. We can’t access this information through your ISP, however.
On our website, we use cookies. A cookie is a piece of information in the form of a very small text file that is placed on your hard drive. This tracks, saves and stores information about your interactions and usage of the website. This allows us, through our website’s server, to personalise your experience (such as remembering that you’ve visited before and loading any preferences you’ve set) and to make the site run more efficiently. Cookies do not collect, save or store any personally identifiable information.
Our website also uses tracking software provided by Google Analytics that utilises these cookies in order to monitor website visitors so we can better understand how they use it. Again, the tracking software does not collect, save or store any personally identifiable information. You can read Google’s privacy policy here.
Our website might tell other websites to issue cookies on our behalf (or vice versa) if we use referral programs, sponsored links or adverts. Such cookies are only used for conversion and referral tracking and typically expire after 30 days, though some may take longer. Again, these cookies do not collect, save or store any personally identifiable information.
Beyond the use of cookies specifically used for referral programs, sponsored links or adverts, we cannot be responsible for any personal data that third parties may gain about you when visiting their websites. We advise you to read the privacy policy for each website you visit.
Where applicable, our website uses a cookie control system. This enables you to allow or disallow the use of cookies on your computer/device during your first visit to the website. Blocking cookies may impact the personalised experience and speed you get when accessing the website. You are advised that if you wish to deny the use of cookies, you should also take the necessary steps within your web browser’s security settings to block all cookies.
Our website and the social media platforms we use may include social sharing buttons which help users to share publicly accessible web content directly from one website/platform to other websites/platforms. This means that any information you post publicly could subsequently be shared by other users in other places on the Internet. Users who click on social sharing buttons should be aware that the social media platform linked to the share button may track your share request through your social media account.
Our website and social media accounts may shorten lengthy web addresses (and this is often done automatically by social networks). Services that shorten web addresses (such as bit.ly) may track the use of these shortened links and collect anonymous and pseudonymised data. This data includes the IP Address and physical location of devices accessing the shortened link, the time and date of each access, the referring websites or services, and information about the link being shared on other third-party services such as Twitter and Facebook.
In order to show you targeted advertising on social media and other third-party websites you use, we may share your pseudonymised data with third-party advertisers such as Facebook and Google. Only pseudonymised personal data and no personally identifiable information is shared during this process.
Monitoring forms and anonymous data
If you are applying for a position with us, applying to take part in one of our participatory activities, or attending one of our events, we may also ask you to complete an anonymous monitoring form. Completing an anonymous monitoring form isn’t compulsory and there will always be ‘prefer not to disclose’ or similar options on the form. Your monitoring form will be detached immediately from any other information that could identify you specifically (such as your name and contact information) as soon as we receive it.
The information you provide on an anonymous monitoring form will not be used in any decision-making process in the case of recruitment and participation selection. We will ensure that no applicant receives less favourable treatment either directly or indirectly, on the grounds of age, race, disability, gender, marital status, class, religion or faith, sexual orientation or socio-economic background. The information you provide will enable us to develop appropriate policies and strategies in respect of diversity and equal opportunities.
Through the anonymous monitoring form, we may collect information on:
- How you would describe your gender;
- Your age;
- Your marital or civil partnership status;
- How you would describe your sexual orientation;
- Your nationality;
- How you would describe your disability (as defined by the Disability Discrimination Act);
- How you would describe your ethnic origin;
- How you would describe your religion or belief.
References
If we are considering employing you in any capacity, we may solicit a reference about you from the referees you nominate on your application form.
Disclosure and Barring Service (DBS) checks
A DBS check helps employers make safer recruitment decisions and prevents unsuitable people from working with vulnerable groups, including young people. For more information, visit the UK Government’s DBS information page here.
If we offer you work, there are certain roles for which we would be legally obliged to run a DBS check about you. If you hold a current DBS certificate, we will ask to see it and will record the certificate number, along with your current name, address and date of birth. We will never take a photocopy or photograph of your certificate.
Young people’s privacy
Parent or guardian consent must be provided when we collect personal data from anyone under the age of 16. We do not knowingly collect personal data from anyone under the age of 13.
An exception to this is when we are working on a specific project involving young people and we need to collect and store data in order to carry out the project. In such circumstances each young person’s parent or guardian will be informed of the data we need and the purposes for collecting it, before we ask for clear consent on behalf of the young person. Due care is given to the security of the young person’s data and it is immediately and securely deleted on the completion of the project.
Parent or guardian consent will also be required for us to use photographs of a young person in the documentation of our work. We will never publish a photograph of a young person which is captioned with their name.
If you are a parent or guardian of someone under the age of 16 and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from a young person without verification of parental/guardian consent, we take immediate steps to delete that data securely.
- WHY WE COLLECT YOUR PERSONAL DATA AND HOW WE USE IT
It is necessary for us to collect personal data in order for us to fulfil important aspects of our day-to-day business and to provide the particular services you’ve requested in a personalised and conscientious manner.
More specifically, where we have your clear consent, we collect your personal data so that we can:
- Send you information and promotions about our work, including our regular newsletters;
- Send you details about the ways you can support us, including through financial and in-kind donations;
- Send you patron care and support notifications, including order confirmations, reminders of upcoming events you’ve booked for, or letting you know about event changes that may affect your experience;
- Reply to your direct correspondence, including comments on blog posts, social media platforms and feedback forms;
- Administer and facilitate any special requirements you may have when interacting with us;
- Fulfil your ticket requests, including delivery;
- Fulfil your donation requests;
- Process payments from you — please note that we do not store any Credit Card or other payment information once a transaction has been completed;
- Process payments to you, including invoices, refunds and donations;
- Monitor and analyse how you interact with us in person and online so we can understand our audiences’ needs better, and increase the quality, reach and impact of our work;
- Administer recruitment processes for both employment and participatory activities;
- Use the information you provide to develop appropriate policies and strategies in respect of diversity and equal opportunities;
- Run competitions, inform you about the competition results and administer prize giving;
- Contact you to let you know if third parties shared your personal data with us and to check that you’re still happy for us to hold it — you will always have given clear consent to the third party sharing your details with us, but we want to make sure you’re still happy for that to happen;
- Share your details with other specific third parties if you have given us clear consent to do so — these third parties will contact you to let you know how they collected your personal data and to check that you’re still happy for them to hold it, and you will always be able to opt out of their communications by contacting them directly;
- Document our work through photographs and film, and use this documentation to evaluate, promote and market our work.
Where we have justifiable reason (including a legal obligation and legitimate interest), we may use your personal data to:
- Contact you if you are the parent or guardian of a young person taking part in one of our projects in order to tell you about what the work entails and to get clear consent from you for your child to take part;
- Solicit references about you from your nominated referees if we are considering employing you in any capacity;
- Run a DBS check about you if we are employing you to work with vulnerable groups, including young people;
- Keep our database accurate and relevant — this may include merging your personal data if it has been collected at different places and times, removing duplicate information, and checking against public records such as the National Change of Address file;
- Undertake consumer research — we may contact you to ask you to participate either online, by telephone, or in person — you are under no obligation to participate in this research and should you provide any further personal data, we will inform you about how this data will be used;
- Classify our patrons into groups or segments, using personal data you have provided and publicly available information — these segments help us to understand our patrons better and ensure we’re sending relevant messages to each group;
- Learn about your interests and preferences so that we can contact you with information that is relevant to you, including our marketing communications and adverts — this may involve using your details to show you targeted advertising on social media and other third-party websites you use — only pseudonymised personal data, and no personally identifiable information, is shared during this process — please see the ‘When and how we collect your personal data’ section for more information;
- Measure and understand how our audiences respond to a variety of marketing activity so we can ensure it remains effective, well-targeted, and relevant;
- Help us run the test version of our website that we use internally to pilot new features and ensure the smooth running of our online services;
- Detect and reduce fraud and credit risk.
- SHARING YOUR PERSONAL DATA WITH THIRD PARTIES
Marketing purposes
We will never share, sell, rent or trade your personal information to any third parties for marketing purposes without your prior consent.
There may be times when we ask for your clear consent to share personal information with specific third parties who have collaborated with us or whose work we think you will like. These third parties will contact you to let you know how they collected your personal data and to check that you’re still happy for them to hold it. You will always be able to opt out of their communications by contacting them directly.
In order to show you targeted advertising on social media and other third-party websites you use, we may share your pseudonymised personal data with third-party advertisers. No personally identifiable information is shared during this process. Please see the ‘when and how we collect your personal data’ section for more information.
Data processors
Some of our third-party service providers may have access to your personal data in order to facilitate or perform services on our behalf. Good examples of this are payment and mailing list processing.
These service providers are often referred to as “data processors” as they are responsible for processing personal data on behalf of a data controller (in this case, us). Sometimes it is necessary to provide these data processors with personal data that can identify you personally. All of the data processors we use have policies stating that they will not use your personal data for anything other than the clearly defined purpose relating to the service they are providing for us.
The data processors we use that we share this information with are:
- Krystal: they host our main website servers, domain names and also create regular backups of our website. The servers are all UK based and protected by top level security. Visit Krystal at: krystal.co.uk;
- Substack: they process our mailing list data and help us build our newsletters. Your mailing list subscription preferences are synced with Substack so that you receive newsletters when we send them to subscribers. They are based in the USA, but hold a privacy policy that is in line with GDPR as part of their binding corporate rules (see the ‘Transferring your data outside the European Economic Area’ section for more information). Visit Substack at: https://substack.com;
- Eventbrite: when box office facilities aren’t provided by a venue we are visiting, we use Eventbrite to run box office for our events. They are based in the USA, but hold a privacy policy that is in line with GDPR as part of their binding corporate rules (see the ‘Transferring your data outside the European Economic Area’ section for more information). Visit Eventbrite at: eventbrite.co.uk;
- Quickbooks: we use Quickbooks to manage our financial obligations and payroll. They are based in the USA, but hold a privacy policy that is in line with GDPR as part of their binding corporate rules (see the ‘Transferring your data outside the European Economic Area’ section for more information). Visit Quickbooks at: quickbooks.intuit.com;
- Donorbox: we use Donorbox to collect one-off and regular financial donations through online donation forms and donation buttons (read their privacy policy here);
- Stripe: we use Stripe as one of the options that donors can use to make one-off and regular financial donations through Donorbox. Stripe processes the payment details for the donation (read their privacy policy here);
- PayPal: we use PayPal as one of the options that donors can use to make one-off and regular financial donations through Donorbox. PayPal processes the payment details for the donation (read their privacy policy here);
- ApplePay: we use ApplePay as one of the options that donors can use to make one-off and regular financial donations through Donorbox. ApplePay processes the payment details for the donation (read their privacy policy here);
- Wordfence: we use the Wordfence plugin on our main website to provide a security firewall and run preventative malware scans on our website’s database. In order to do that, it processes your IP Address, the referring website (if provided), your Internet browser type and version, and any unique device identifiers (these are all anonymised and pseudonymised). Wordfence’s servers are based in the USA, but they hold a privacy policy that is in line with GDPR as part of their binding corporate rules (see the ‘Transferring your data outside the European Economic Area’ section for more information). Visit Wordfence at: wordfence.com;
- Akismet: we use the Akismet plugin on our main website to stop spam being posted to the website. In order to do that, it processes your IP Address, the referring website (if provided), your Internet browser type and version, and any unique device identifiers (these are all anonymised and pseudonymised), as well as the information you post directly (such as your blog post comments). They are based in the USA, but hold a privacy policy that is in line with GDPR as part of their binding corporate rules (see the ‘Transferring your data outside the European Economic Area’ section for more information). Visit Akismet at: akismet.com;
- Google: we use Google Analytics to monitor website visitors so we can better understand how they use it. Google Analytics uses cookies to do this and does not collect, save or store any personally identifiable information. Google is based in the USA, but holds a privacy policy that is in line with GDPR as part of their binding corporate rules (see the ‘Transferring your data outside the European Economic Area’ section for more information). Visit Google at: google.com.
If we run a competition, we sometimes use a third party to administer it. In order for them to do so, we will need to share with them the personal data you provide. We will make this clear at the point when you choose to enter the competition.
The other data processors we use have access to anonymous and pseudonymised personal data only. This includes data processors who help us to analyse how our website and social media profiles are used, and to serve targeted advertisements. No personally identifiable information is shared during this process. Please see the ‘When and how we collect your personal data’ section for more information.
Legal obligations
There may be times when we are legally obliged to share your personal data. Such circumstances include:
- If required to do so by the ‘know your donor’ principles under charity law;
- Via a court order;
- When requested by the police or a regulatory or government authority investigating illegal activities;
- To protect and defend our rights (including against legal liability) or property;
- To prevent or investigate possible wrongdoing in connection with our services;
- To protect the personal safety of users of our services or the public.
- HOW WE HANDLE AND PROTECT YOUR DATA
We strive to handle all of your personal data in an honest, transparent and conscientious manner. We are also committed to protecting your personal data from improper use.
Data security
We ensure that appropriate organisational and technical measures are taken against unauthorised or unlawful processing of your personal data, and against accidental loss, destruction or damage.
This means that we have taken the time to implement the right physical and technical security, and have designed and organised our data security policies and procedures according to the nature of the personal data we hold and the harm that may result from a security breach.
We are clear about who is responsible for ensuring data security in our organisation and we back this up with staff training.
We are ready to respond to any breach of security swiftly and effectively.
How long we hold your data
We will review the personal data we hold on a regular basis and will only keep information for as long as is reasonably necessary for the purposes set out in this policy and to fulfil our legal obligations. The retention period of your personal data will vary according to the purpose for which the data has been collected.
When your personal data is no longer required it will be securely deleted. As soon as we become aware that any personal data is out-of-date and inaccurate, we will rectify or securely delete it.
If you ask us to stop sending direct marketing communications to you, we will keep the minimum amount of information (such as your name, address or email address) to ensure we adhere to such requests.
Transferring your data
The personal data you provide to us may be transferred to countries outside the European Economic Area (EEA). By way of example, this may happen if any of the computer servers used to host our website are located in a country outside of the EEA. If we transfer your personal information outside of the EEA in this way, we will take all reasonably necessary steps to ensure that your data is treated securely and in accordance with this policy.
Web links and external sites
We are not responsible for the privacy policies, notices, practices or content of other organisations or websites, even if those websites are accessed using links or other prompts from us (including on our website and social media profiles). Although we only look to include quality, safe and relevant external links, we cannot be held liable for any damages, loss or implications caused by clicking on those links. We advise you to take all necessary precautions before clicking on any external links as you do so at your own risk.
Please remember that when you click on any external links, you’re moving onto another site where their terms, conditions and policies will apply and which will differ from ours. You should read the privacy policy and other relevant notices of any websites you visit.
Publicly posted information, including social media posts
When interacting with us online (either on our website or through external social media platforms), users are also advised to do so with due care and caution in regard to their own personal privacy. The information that you voluntarily post online is published publicly and you should be aware of the fact that publishing personally identifiable information on the Internet potentially puts you at a higher risk of identity theft. You can find more information about identity theft here: www.identitytheft.org.uk.
While we take technical steps to prevent the automated harvesting of email addresses, we cannot guard against manual collection by third parties of these email addresses or any other information you publish.
Our website and the social media platforms we use may include social sharing buttons which help users to share publicly accessible web content directly from one website/platform to other websites/platforms. This means that any information you post publicly could subsequently be shared by other users in other places on the Internet.
We encourage users wishing to discuss sensitive details to contact us through primary communication channels such as by telephone, email or contact forms rather than through publicly visible posts.
Interaction through external social media platforms on which we participate is subject to the terms and conditions as well as the privacy policies held with each social media platform respectively. You are advised to read the privacy policies and other relevant notices for these platforms.
Risk of data breach
While we strive to use commercially acceptable means to protect your personal data, no data transmission over the Internet or method of storage is 100% secure. We therefore cannot guarantee the security of any personal data which you disclose to us and so wish to draw your attention to the fact that you do so at your own risk.
In the extremely unlikely event of a data breach, we will attempt to notify all users immediately, outline the nature of the breach, the risks that the breach poses, and the precautions we have taken.
- YOUR CHOICES
At any time you have the right to:
- Ask to see the personal data we hold about you, and to take that data with you;
- Ask to amend the data we hold about you;
- Ask us to change how we use your personal data, including for marketing purposes;
- Ask us to delete the personal data we hold about you.
To do so, please send a description of what you would like us to do with your personal data, together with proof of your identity, to the attention of Philip Holyman by email: hellopip [at] philipholyman [dot] com
Every email we send to you will include details on how to change your email communication preferences or unsubscribe from future email communications.
You can instruct your browser to block all cookies or to indicate when a cookie is being sent. Blocking cookies may impact the personalised experience and speed you get when accessing our website.
If you are attending an event or taking part in a participatory activity which we are photographing or filming for documentation purposes, we will display signs telling you that this is happening. You have the right not to appear in any photographs or footage we capture and we have systems in place to respect that. The event signage will tell you who to speak to if you don’t want to appear in our documentation.
Should you wish to do so, you have the right to lodge a complaint with The Information Commissioner’s Office. Contact them via their website: www.ico.org.uk
- UPDATES TO THIS POLICY & FURTHER INFORMATION
This Privacy and Data Usage Policy was updated on 22nd June 2024. It may be updated in the future to take into account changes we make to the services we provide, or to reflect changes to regulation or legislation.
Updates to this policy will be posted on this page — please check back from time to time. Whenever we update the policy, we will also update the “effective date” at the top. We may also inform you of any changes where we hold an appropriate email address for you and/or display a prominent notice on our website prior to the change becoming effective.
Further information on data protection regulations and laws can be found on the following websites:
The Information Commissioner’s Office: www.ico.org.uk
The General Data Protection Regulation: www.eugdpr.org
The Fundraising Regulator: www.fundraisingregulator.org.uk