Questions and answers

• Do I have to share data?

  The answer is “yes” if you are an Arts Council England National Portfolio Organisation. Arts Council England (ACE) has made it a condition of funding that all National Portfolio Organisations (NPOs) enter into mutually agreed data sharing agreements with other relevant ACE funded organisations by 31st March 2016. For more information on the funding requirement, refer to your funding agreement, or talk to your ACE relationship manager.
  

  If you are not an ACE NPO, there is no compulsion for you to share data, but we hope that organisations will recognise the common benefits of embracing collaborative approaches to developing audiences that are served by sharing data appropriately.

  
  

• What data do I have to share?

  Precisely what data is shared is a matter for agreement between you and any partner organisations. Visiting companies are not required to ask for personal data that would allow for direct marketing, even though ACE's funding agreement clearly allows them to ask for this to be part of the data sharing agreement.

  Some companies may well agree that asking for customers’ personal information is not necessary if they can get a useful insight into their audiences from non-personal data resources such as Audience Finder or Show Stats.
  

  Data sharing agreements, and the nature of any data that is to be shared between organisations, should be designed to meet a clear, commonly defined, and mutually beneficial purpose. To understand what data you might need to share, refer to the self-assessment checklist here.

• Won’t our audiences get bombarded with unwanted spam?

  We recommend that data sharing agreements govern the use of customers’ data in an agreed and mutually beneficial fashion. Our guidance suggests that agreements should operate on a “dual key” principle, where partners are advised in advance of the use of data by either party to contact customers, and both parties must consent to the use and the timing of the marketing action. In this way, audiences and arts organisations stand to benefit from the effect of improved communications.
  

• Who owns a customers’ data/how do I know who owns a customers' data?

  The Data Protection Act does not deal with “ownership” of personal data. Instead, it deals with “data controllers” (i.e. legal entities that decide the purposes for which, and for the manner in which, personal data is processed) and "data processors". Data controllers are responsible for complying with regulations. The organisation that initially collects personal data, and decided upon its uses, is likely to be the “data controller” for that personal data (unless it is collecting the information under the instruction of another organisation) and is responsible for ensuring that it is processed compliantly. If it chooses to share that information with another organisation for contact purposes, it must ensure that it has the relevant permissions to do so. That new organisation will then become the data controller responsible for the copy of the data it holds.
  

  It is for the initial data controller to decide and ensure whether it can share personal data in compliance with the regulations. Any data sharing should be governed by a data sharing agreement or contract, specifying what data is being shared, why it is being shared and ensuring that it is only used by the new organisation for the purposes specified in that agreement. The initial data controller has an obligation to ensure that it does not share personal information with other parties without proper justification for doing so, that it informs individuals about that sharing and obtains the necessary consent to do so.

  For more information, please see the ICO’s data sharing code of practice.

• Do touring companies have to register as Data Controllers if they receive data shared with them?

  Yes - but only until 25th May 2018. If a touring company receives customers’ personal information that has been shared with them, so that they can then use this information to contact the customers, under the Data Protection Act, they need to register with the ICO as a Data Controller.

  Under the DPA, any organisations that process personal information need to register with the ICO, unless they are exempt. To find out more, about registration and how to register, visit the ICO’s website.

  Touring companies that receive data which doesn’t contain personal information (for example in the form of research or reporting insight such as via Show Stats), or anonymised data records, do not need to register with the ICO.

  However, from 25^th May 2018, under GDPR, organisations will no longer have to register as data controllers with the ICO. Data controllers will still be required to pay the ICO a data protection fee – but the amount of the sum to be paid, and the means of doing so, are yet to be confirmed by the ICO.

• Do I have to get customers to opt-in or opt-out of our mailing lists?

  The regulations and good practice in complying with them invariably require giving people the option to “opt-in”. The basic principles of the regulations provide that individuals must clearly understand who wishes to process their personal information, for what purpose and with what results, and that they should clearly and unambiguously consent to such use. Under GDPR, for consent to be valid it requires the individual to indicate their consent by “making some statement or by a clear affirmative action” to signify their agreement to the processing of the data relating to them. Therefore, the option to “Opt-in” in response to a clearly articulated notification statement is the clearest and least ambiguous means of demonstrating a clear "affirmative" action. Click here for more information on notification statements.

  There are some very specific circumstances related particularly to online transactions regulated by PECR, where the ICO has indicated that, with very specific conditions attached, an “opt-out”, or "soft opt-in", may be legitimately used to obtain compliant permission. For more information on these circumstances read the guidance here. Otherwise, “opt-in” is usually required.

• How long am I allowed to keep a customer’s data?

  Good practice, and indeed good customer service, prescribe that it is only necessary to compile the basics of customer records once, the first time a customer makes a transaction with your organisation. During the process, they should receive the appropriate notifications and have the opportunity to give the necessary permissions. Thereafter, all customers should be asked if they have purchased tickets before and their existing record looked up to avoid duplication.

  For this reason, even though GDPR requires that data should be kept no longer than is necessary, there remains a legitimate reason to keep the record of all customers on file, as long as there is a chance that they may return to your organisation and be recognised. Data Controllers are obliged to ensure that the data they hold remains relevant by periodically “cleaning” the data to identify and suppress from future communications any obsolete data for individuals whose attendance has lapsed, and who may subsequently have moved address or are deceased.

• Where can I find out more about GDPR and data protection regulations?

  From the Information Commissioner’s Office website.

• Can we contact individuals from whom permission was gained in a non compliant manner?

  If, in reviewing your past regime for obtaining the necessary permissions from customers, it became clear that the present best practice guidance, or the requirements under GDPR has not always been followed, can you still continue to contact those individuals?

  Up until the 25^th May 2018, if you are certain that your organisation has a legitimate basis for contacting individuals under the DPA or PECR, you may contact them to further clarify their wishes in such a way as to obtain consents that comply with the requirements of GDPR. However, you cannot contact any individuals that have either expressed a wish not to be contacted by you, or that you have no legitimate basis for contacting under the former DPA legislation or PECR.

  After 25^th May 2018, if you rely on “consent” as the basis for contact, you can no longer contact anyone from whom you have not gained “consent” in a manner which is compliant with GDPR.

• Can I just use the “third party” option to obtain permission to give visiting companies names?

  No. Under GDPR it is a requirement to specifically name organisations that data will be shared with for contact purposes. It is not acceptable to simply describe third parties that the Data Controller wishes to share data with simply “organisations which we think you will be interested in”, “with other arts and entertainment organisations”, or even “with visiting companies that visit this venue”. Third party organisations must be named for data sharing. Moreover, for electronic communications, the law requires that consent from individuals, to use their details to send electronic direct marketing, must be specific about who will be sending the marketing and what method they will be using to send it. This means that when a venue obtains such consent from an individual on behalf of a touring company, for it to be valid it must explain what it is sharing (e.g. email addresses, telephone numbers), for what purpose and who it is sharing those details with. For these reasons, the “soft opt-in” option does not apply for data sharing. Specific “opt-in” consent must be obtained for named third party organisations.

  
  

• Is there a way of sharing data with a visiting company that avoids the problems with GDPR and PECR?

  Yes. For direct marketing, asking the data controlling venue to collaborate by co-ordinating specific campaigns (postal, email or SMS) on behalf of visiting companies may be the single most effective way of using audience data for marketing.

  This also enables the venue and touring company to side-step the legal challenges of obtaining compliant permissions for the touring company to share the customers’ data, while being sure of respecting the customers’ wishes.

  Note that, to remain compliant with PECR regulations, venues may only contact individuals by email on behalf of touring companies in this way in order to promote events by the touring company taking place at that particular venue, and not for its events taking place elsewhere.

• Can I contact people on my marketing list about our education, membership or fundraising activities?

  Where consent is your basis for contact, you can’t do this if you haven’t specifically obtained permission to do so. GDPR requires a higher standard for consent than under the previous legislation. This means providing audiences with greater control over, and clearer information about, the intended uses of personal information, communication channels, and who data will be shared with. Practically, this means that some options for collecting consent that were formerly acceptable under the old laws are no longer valid under GDPR.

  Prior to GDPR is was acceptable to use the wording in notifications, "keep you informed about events and other developments" such that this would encompass permission to contact about education and outreach work, membership schemes or fundraising. The ICO now advises that these are all specific activities that should be separately consented. It is up to the data controller whether you state all the relevant intended uses in a single phrase and get consent for all in one go, or whether you choose to provide a more granular opportunity to consent (or not) to each use individually. Bear in mind, however, that if you bundle the uses together, then if the customer objects only to one use, that they only have the option to reject all. Good practice and good audience relationship building suggest that giving audiences the more flexible, granular choice to accept or reject specific uses individually is likely to yield the best outcomes for both audiences and organizations alike.

• Can I contact people on my marketing list to invite them to complete a survey?

  This is usually acceptable. Where individuals have provided their data in order to receive a product or service it can reasonably be considered not to be incompatible with that purpose to ask them what they thought of that product or service, or the company providing them with that good or service. So, as long as the survey inquires into these areas, this should be legitimate. However, good practice would suggest that if the organisation knows from the outset that an individual’s contact details may be used to ask them to do a survey, then this should be explained at the point of collection, and in notification statements. If an individual is asked to do a survey, it should also be explained to them in the invitation, who the survey is being run for and what will be done with their responses (will they be anonymised etc.).

• What are Data Sharing Requirements for National Portfolio Organisations?

  All information for National Portfolio Organisations on your requirements regarding the sharing on data can be found here:

  http://www.artscouncil.org.uk/media/uploads/Data_sharing_and_ACE_N_P_O_Jan_2016.pdf

  And also here:

  http://www.artscouncil.org.uk/funding/information-funded-organisations/national-portfolio-organisations-major-partner-museums-and-museu/

• How can my ticketing system be configured to help me share data in compliance with GDPR?

  We commissioned Andrew Thomas of The Ticketing Institute to review how various leading ticketing systems are developing their products to help users sell tickets in compliance with GDPR generally, and also with a view to understanding features of the various systems that might be configured to help users share data in compliance with the regulations. You can see Andrew’s overview of the various systems’ preparedness for GDPR here.

Got a question?