Art of Protest Policies

Data Protection and Confidentiality Policy

Introduction

This Data Protection Policy sets out how Art of Protest Projects (the "Company") manages personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The protection of personal data is a priority for the Company, and we are committed to ensuring that all personal data is handled with the highest levels of confidentiality and security.

Scope
This policy applies to:
- All employees, contractors, and agents of the Company.
- All personal data processed by the Company, including that of employees, customers, suppliers, and other third parties.
- All processing activities involving personal data, whether in electronic or manual form.

Definitions
- Personal Data: Any information relating to an identified or identifiable natural person ("data subject").
- Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, disclosure, or destruction.
- Data Controller: The individual or organisation that determines the purposes and means of processing personal data.
- Data Processor: Any individual or organisation that processes personal data on behalf of the data controller.
- Special Category Data: Sensitive personal data that includes details about race, ethnicity, political opinions, religious beliefs, health, sexual orientation, etc.

Principles of Data Protection
The Company adheres to the following principles set out by the UK GDPR:

- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes and not processed further in a way that is incompatible with those purposes.
- Data Minimisation: Only data that is necessary for the purposes of processing will be collected and processed.
- Accuracy: Personal data must be accurate and kept up to date. Inaccurate data will be rectified or erased without delay.
- Storage Limitation: Data should not be kept longer than necessary for the purposes for which it is processed.
- Integrity and Confidentiality: Personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Lawful Bases for Processing
The Company will only process personal data where at least one of the following lawful bases applies:
- The data subject has given consent for one or more specific purposes.
- The processing is necessary for the performance of a contract with the data subject.
- The processing is necessary to comply with a legal obligation.
- The processing is necessary to protect the vital interests of the data subject or another individual.
- The processing is necessary for the performance of a task carried out in the public interest.
- The processing is necessary for the legitimate interests pursued by the Company or a third party, except where such interests are overridden by the data subject's rights.

Data Subject Rights
The Company recognises the rights of data subjects under the UK GDPR, including:
- Right to Access: Data subjects can request a copy of their personal data held by the Company.
- Right to Rectification: Data subjects can request that incorrect or incomplete personal data be corrected.
- Right to Erasure: In certain circumstances, data subjects can request the deletion of their personal data ("right to be forgotten").
- Right to Restriction of Processing: Data subjects can request the limitation of processing of their personal data.
- Right to Data Portability: Data subjects can request that their personal data be transferred to another organisation in a commonly used format.
- Right to Object: Data subjects can object to the processing of their personal data in certain circumstances.
- Rights related to Automated Decision-Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing.

Data Security
The Company will implement appropriate technical and organisational measures to ensure the security of personal data, including:
- Regular and appropriate data protection training for employees.
- Access controls to personal data, ensuring only authorised personnel have access.
- Regular review of our information security policies and procedures.

Data Breaches
In the event of a personal data breach, the Company will follow the procedures set out under UK GDPR and the DPA 2018, including:
- Investigating and taking steps to mitigate the breach.
- Notifying the Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to the rights and freedoms of individuals.
- Informing affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Documenting all breaches, even those that do not require reporting to the ICO.

Data Retention and Disposal
The Company will retain personal data only for as long as necessary to fulfil the purposes for which it was collected. When the data is no longer required, it will be securely deleted or destroyed.

Confidentiality
Because of their safeguarding role, staff and volunteers may have access to special category personal data about pupils and their families. This data must be kept confidential at all times and only shared when it is legally permissible to do so and in the interest of the child. Records should only be shared with those who have a legitimate professional need to see them. There are some circumstances in which a member of staff may be expected to share information about a pupil, for example when abuse is alleged or suspected. In such cases, individuals have a responsibility to pass information on without delay, but only to those with designated safeguarding responsibilities or to statutory services.

Staff and volunteers should never use confidential or personal information about a pupil or her/his family for their own or others' advantage (including that of partners, friends, relatives or other organisations). Information must never be used to intimidate, humiliate, or embarrass the child. Confidential information should never be used casually in conversation or shared with any person other than on a need-to-know basis. In circumstances where the identity of a child does not need to be disclosed, the information should be used anonymously.

If a child, or their parent or carer, makes a disclosure regarding abuse or neglect, the member of staff should follow the setting's procedures. The adult should not promise confidentiality to a child or parent, but should give reassurance that the information will be treated sensitively. If a member of staff is in any doubt about whether to share information or keep it confidential, he or she should seek guidance from the Designated Safeguarding Lead. Any media or legal enquiries should be passed to senior management.

Data Transfers
The Company will ensure that personal data is transferred outside the UK only where adequate protections are in place, in line with the UK GDPR. Transfers of personal data outside the European Economic Area (EEA) will only occur where:
- The transfer is to a country deemed to provide an adequate level of protection by the UK government.
- Appropriate safeguards are in place, such as standard contractual clauses, binding corporate rules, or other mechanisms permitted by the UK GDPR.
- The data subject has explicitly consented to the transfer.

Accountability and Governance
The Company will:
- Maintain appropriate records of processing activities to demonstrate compliance with the UK GDPR.
- Conduct Data Protection Impact Assessments (DPIAs) where the processing is likely to result in a high risk to individuals' rights and freedoms.
- Appoint a Data Protection Officer (DPO) if necessary, to oversee compliance with data protection laws and ensure the protection of personal data.

Third-Party Processors
Where the Company engages third-party processors to handle personal data on its behalf, the Company will ensure that such processors comply with the UK GDPR and DPA 2018. Data processing agreements will be in place to govern the relationship with any third-party processors.

Employee Responsibilities
All employees and contractors of the Company are responsible for:
- Familiarising themselves with this policy and ensuring compliance.
- Reporting any data breaches or concerns to the Data Protection Officer or relevant personnel.
- Ensuring that any personal data they handle is processed in accordance with this policy.

Training and Awareness
The Company will provide regular training and awareness to all employees on their responsibilities under this policy and the UK GDPR. This will include induction training and periodic refresher courses.

Complaints
If any data subject has a complaint regarding the handling of their personal data, they are encouraged to contact the Company (info.aopprojects@gmail.com). If the issue is not resolved, they have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Review and Updates
This policy will be reviewed regularly and updated as necessary to ensure compliance with the UK GDPR and DPA 2018, and any other applicable laws.

Sensitive Data
Due to the nature of our business, Art of Protest Projects does not routinely collect or process any special category data, as defined under the UK GDPR. Special category data includes sensitive information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information, and data concerning a person's sex life or sexual orientation.

Our business activities do not require the collection of such data, and as a result, we do not hold or process any information that falls into these sensitive categories. We ensure that any personal data we do collect is strictly limited to what is necessary for the provision of our services and is processed in compliance with UK GDPR principles.

Sensitive Data Storage and Processing
In the event of a requirement to store and share information involving sensitive data, such as information related to safeguarding, health conditions or any other special category data, this data will be securely stored in restricted access systems. Access will be strictly limited to authorised personnel only, and appropriate encryption and other security measures will be applied to ensure its confidentiality and protection.

Safer Recruitment
The Company is committed to safer recruitment practices. As part of our recruitment process, we will collect and process personal data about candidates in compliance with UK GDPR and the Data Protection Act 2018.

Any sensitive information gathered as part of background checks, including criminal record checks (where legally permitted), will be securely stored and only accessed by authorised personnel involved in the recruitment process.

All data collected for recruitment purposes will be retained only as long as necessary to fulfil legal or regulatory requirements and will be securely disposed of thereafter.

Links to relevant policies
- Health and safety
- Safeguarding Children and Young People
- Equality, Diversity and Inclusion
- Safeguarding Adult Policy
- Anti-bullying
- Positive behaviour and restraint policy
- Managing allegations against staff and volunteers
- Complaints procedure
- Whistleblowing
- Code of conduct
- Incident and RIDDOR
- Safer recruitment

Approval and Implementation
This Data Protection Policy has been approved by the undersigned and will be reviewed at least annually.

Name
Signature
Approval Date
Review Date
Version 1.0