Data Protection Policy

1. Purpose of this Policy

The purpose of this policy is to ensure the charity complies with UK GDPR and the Data Protection Act 2018, protects the rights of individuals, and handles personal data responsibly. It applies to all personal data processed by the charity in any format.

2. Scope

This policy applies to:

  1. Employees and volunteers

  2. Trustees

  3. Freelancers and contractors

It covers all personal data processed in relation to participants, artists, donors, audiences, partners, and anyone else whose data the charity handles.

3. Key Definitions

  • a) Personal Data: Any information that identifies a living person (e.g., names, emails, photos, payment details).

  • b) Special Category Data: Sensitive data such as health information, ethnicity, or accessibility needs.

  • c) Processing: Any action involving data—collecting, storing, sharing, deleting, etc.

  • d) Data Subject: The individual whose data is being processed.

  • e) Data Controller: The charity, which decides how and why data is processed.

  • f) Data Processor: Any third party processing data on the charity’s behalf (e.g., ticketing platforms).

4. Data Protection Principles

The charity commits to processing personal data in line with the six UK GDPR processing principles below, and to being able to demonstrate that it does so (the accountability principle).

Personal data must be:

  • a) Lawful, fair, and transparent

  • b) Collected for specific, explicit purposes

  • c) Adequate, relevant, and limited

  • d) Accurate and kept up to date

  • e) Stored only as long as necessary

  • f) Processed securely

5. Lawful Bases for Processing

The charity will only process data when a lawful basis applies, including:

  • a) Consent (e.g., joining a mailing list)

  • b) Contract (e.g., artist agreements)

  • c) Legal obligation (e.g., HMRC requirements)

  • d) Legitimate interests (e.g., managing events or programmes)

Special category data requires an additional condition, such as explicit consent or safeguarding necessity.

6. How the Charity Uses Personal Data (see Appendix 1)

The charity may process personal data for:

  • a) Managing artistic programmes, workshops, and events

  • b) Communicating with participants, partners, and donors

  • c) Fundraising and marketing (with consent where required)

  • d) Volunteer and staff administration

  • e) Monitoring diversity and accessibility (with appropriate safeguards)

7. Data Minimisation and Retention

The charity will:

  • a) Collect only the data needed for a specific purpose

  • b) Keep data only for as long as necessary

  • c) Follow a retention schedule (e.g., financial records kept for 6 years)

  • d) Delete or anonymise data when no longer required

8. Data Security

The charity will take appropriate technical and organisational measures to protect data, including:

  • a) Password protection and multifactor authentication

  • b) Secure cloud storage (e.g., Microsoft 365)

  • c) Restricted access based on role

  • d) Encryption of devices where possible

  • e) Avoiding the use of personal email for charity business

  • f) Secure disposal of digital and paper records

9. Working with Third Parties

The charity will ensure that any third-party processors:

  • a) Provide sufficient guarantees of GDPR compliance

  • b) Sign a data processing agreement

  • c) Use data only for the charity’s specified purposes

10. Data Subject Rights

Individuals have the right to:

  • a) Access their data

  • b) Rectify inaccurate data

  • c) Request erasure (“right to be forgotten”)

  • d) Restrict or object to processing

  • e) Data portability

  • f) Withdraw consent at any time

Requests should be directed to the Executive Director. See Appendix 2 for Subject Access Request.

11. Data Breaches

A data breach includes loss, theft, unauthorised access, or accidental disclosure of personal data. The charity will:

  • a) Report breaches that are likely to result in a risk to individuals to the ICO within 72 hours of becoming aware of them

  • b) Inform affected individuals where there is a high risk

  • c) Record all breaches in a breach log

  • d) Take steps to prevent recurrence

12. Photography, Video, and Creative Content

The charity will:

  • a) Obtain consent where required

  • b) Provide clear notices at events

  • c) Respect the rights of children and vulnerable adults

  • d) Store media securely

  • e) Remove images upon request where legally appropriate

13. Children and Vulnerable Adults

Where the charity works with children or vulnerable adults:

  • a) Parental/guardian consent will be obtained where required

  • b) Extra care will be taken with sensitive data

  • c) Staff and volunteers must follow safeguarding procedures

14. Responsibilities

  • a) Trustees: Overall accountability for compliance

  • b) Data Protection Lead: Day-to-day oversight

  • c) Staff and volunteers: Follow this policy and report concerns

  • d) Contractors: Comply with contractual data protection obligations

15. Training and Awareness

All staff, volunteers, and trustees will receive appropriate data protection training, refreshed at least every two years or when legislation changes.

16. Policy Review

This policy will be reviewed annually by the trustees or sooner if:

  • a) Legislation changes

  • b) New systems or processes are introduced

  • c) A significant data incident occurs

Appendix 1 – Data Mapping

This register documents all categories of personal data processed by the charity, why they are processed, the lawful basis, who they are shared with, how long they are kept, and how they are secured.

1. Participants, Workshop Attendees & Programme Beneficiaries

Participant administration

  • Names, contact details, attendance records, accessibility needs.

  • Purpose: Managing workshops, events, and programmes.

  • Lawful basis: Legitimate interests; consent for accessibility data.

  • Special category data: Accessibility/health (explicit consent).

  • Sharing: Event partners where necessary.

  • Retention: 3 years after last contact.

  • Security: Cloud storage with MFA; restricted access.

Safeguarding information

  • Notes, incident reports, parental contacts.

  • Purpose: Safeguarding children and vulnerable adults.

  • Lawful basis: Legal obligation; vital interests.

  • Retention: 6 years after incident.

  • Security: Encrypted storage; access limited to safeguarding leads.

2. Artists, Freelancers & Contractors

Contract management

  • Names, addresses, bank details, contracts.

  • Purpose: Commissioning, payments, project delivery.

  • Lawful basis: Contract.

  • Sharing: HMRC, accountants, funders (anonymised where possible).

  • Retention: 6 years after contract end.

  • Security: Secure finance systems; encrypted storage.

Artist profiles

  • Biographies, photos, creative materials.

  • Purpose: Marketing, event promotion.

  • Lawful basis: Consent or legitimate interests.

  • Retention: Until consent withdrawn or project ends.

  • Security: Controlled access to media folders.

3. Donors, Supporters & Mailing List Subscribers

Mailing list management

  • Names, emails, communication preferences.

  • Purpose: Sending newsletters and updates.

  • Lawful basis: Consent.

  • Sharing: Email marketing provider (e.g., Mailchimp).

  • Retention: Until consent withdrawn.

  • Security: Password protected mailing platform.

Donor records

  • Contact details, donation history, Gift Aid declarations.

  • Purpose: Fundraising, Gift Aid claims.

  • Lawful basis: Legal obligation (Gift Aid); legitimate interests.

  • Retention: 6 years for Gift Aid.

  • Security: Restricted finance folders; secure CRM.

4. Audiences & Ticket Buyers

Ticketing data

  • Names, emails, payment confirmations.

  • Purpose: Event administration and audience communication.

  • Lawful basis: Contract; legitimate interests for event updates.

  • Sharing: Ticketing platforms (e.g., Eventbrite).

  • Retention: 3 years.

  • Security: Secure third-party ticketing systems.

Audience surveys

  • Demographic info, feedback, postcode data.

  • Purpose: Evaluation, reporting to funders.

  • Lawful basis: Consent or legitimate interests.

  • Retention: 3 years.

  • Security: Anonymised where possible; stored in cloud systems.

5. Staff & Volunteers

HR and volunteer records

  • Contact details, references, DBS checks, emergency contacts.

  • Purpose: Recruitment, administration, safeguarding.

  • Lawful basis: Contract; legal obligation.

  • Special category and criminal offence data: DBS check results (criminal offence data) and safeguarding data, processed under the additional conditions these require (legal obligation).

  • Retention: 6 years after role ends.

  • Security: Restricted HR folders; encrypted storage.

Payroll and finance

  • Bank details, tax information, NI numbers.

  • Purpose: Paying staff and reporting to HMRC.

  • Lawful basis: Legal obligation; contract.

  • Retention: 6 years.

  • Security: Finance system with MFA; limited access.

6. Photography, Video & Creative Media

Event photography

  • Photos and videos of participants, artists, and audiences.

  • Purpose: Marketing, documentation, reporting to funders.

  • Lawful basis: Consent where required; legitimate interests for public events.

  • Retention: Until consent withdrawn or project ends.

  • Security: Controlled access to media drives.

Creative project materials

  • Artwork, recordings, interviews.

  • Purpose: Artistic production and archiving.

  • Lawful basis: Consent; contract.

  • Retention: Project dependent.

  • Security: Secure cloud storage.

7. Website & Digital Platforms

Website analytics

  • IP addresses, browsing behaviour, cookies.

  • Purpose: Improving website performance.

  • Lawful basis: Consent (for non-essential cookies); legitimate interests.

  • Sharing: Analytics providers (e.g., Google Analytics).

  • Retention: 24 months.

  • Security: Pseudonymised analytics data.

Online forms

  • Contact form submissions, project applications.

  • Purpose: Responding to enquiries, programme administration.

  • Lawful basis: Legitimate interests; contract.

  • Retention: 1–3 years depending on purpose.

  • Security: Encrypted form submissions.

8. Financial & Administrative Records

Financial transactions

  • Invoices, receipts, bank statements.

  • Purpose: Accounting, auditing, reporting.

  • Lawful basis: Legal obligation.

  • Retention: 6 years.

  • Security: Secure finance systems; restricted access.

Governance records

  • Trustee details, meeting minutes.

  • Purpose: Charity governance and compliance.

  • Lawful basis: Legal obligation; legitimate interests.

  • Retention: Permanent for minutes; 6 years for other records.

  • Security: Restricted trustee folders.

9. Data Processors Used by the Charity

  • Cloud storage providers — e.g., Microsoft 365.

  • Ticketing platforms — e.g., Acuity.

  • Mailing list services — e.g., Mailchimp.

  • Accountancy and payroll — e.g., Xero.

  • CRM systems — e.g., Acuity.

10. Security Measures Across All Processing

  • Multifactor authentication

  • Role based access controls

  • Encryption of devices

  • Regular password updates

  • Secure disposal of data

Appendix 2 – Subject Access Request

1. Purpose of This Procedure

This procedure ensures that the charity responds to Subject Access Requests:

  • Lawfully

  • Within statutory time limits

  • Transparently

  • In a way that protects the rights of individuals and the security of data

2. What Is a Subject Access Request?

A Subject Access Request (SAR) is a request from an individual asking for:

  • Confirmation that the charity processes their personal data

  • Access to that data

  • Supplementary information about how their data is used

A SAR can be made:

  • In writing

  • By email

  • Verbally

  • Through social media messages

The requester does not need to use the phrase “subject access request.”

3. Receiving a SAR

All staff, volunteers, and trustees must:

  • Recognise a SAR when it is made

  • Forward it immediately to the Data Protection Lead (Executive Director)

A SAR should be sent to: Email: [your email] Subject: “Subject Access Request”

4. Verifying Identity

Before releasing any data, the charity will verify the requester’s identity.

Acceptable verification may include:

  • Photo ID (passport, driving licence)

  • Proof of address

  • Additional questions to confirm identity

If identity cannot be verified, the charity will request further information.

5. Timeframe for Responding

The charity will respond:

  • Within one month of receiving the request

  • This can be extended by up to two months for complex or multiple requests

If an extension is needed, the requester will be informed within the first month.

6. Assessing the Request

The Data Protection Lead will:

  • Clarify the scope if needed

  • Confirm what data is held

  • Identify where the data is stored (email, CRM, cloud storage, paper files, etc.)

  • Check whether any exemptions apply

If the request is unclear, the charity may ask the requester to narrow the scope.

7. Locating and Collecting Data

The Data Protection Lead will coordinate with:

  • Staff

  • Volunteers

  • Trustees

  • Contractors (if relevant)

Data sources may include:

  • Email accounts

  • Cloud storage (e.g., Microsoft 365)

  • Ticketing systems

  • Mailing list platforms

  • Paper files

  • Project folders

  • Finance systems

All relevant data will be gathered securely.

8. Reviewing the Data

Before releasing data, the charity will:

  • Remove or redact information relating to other individuals

  • Protect confidential information

  • Apply exemptions where legally appropriate

Common exemptions include:

  • Legal professional privilege

  • Management forecasting

  • Safeguarding concerns

9. Providing the Response

The charity will provide:

  • A copy of the requester’s personal data

  • In a commonly used format (e.g., PDF, Word, or email text)

  • Along with required supplementary information, including:

    • Purposes of processing

    • Categories of data

    • Recipients of data

    • Retention periods

    • Rights to rectification, erasure, restriction, and complaint

    • Source of the data (if not collected directly)

Data will be sent securely, e.g.:

  • Encrypted email

  • Password protected files

  • Secure file-sharing links

10. Refusing a Request

A SAR may be refused if:

  • It is manifestly unfounded

  • It is manifestly excessive

  • It would disclose another person’s data that cannot be redacted

  • It falls under a legal exemption

If refused, the charity will:

  • Explain the reason

  • Inform the requester of their right to complain to the ICO

11. Fees

SARs are normally free of charge. A reasonable fee may be charged only if:

  • The request is manifestly excessive

  • Additional copies of data are requested

12. Record Keeping

The charity will keep a log of:

  • Date SAR received

  • Identity verification steps

  • Actions taken

  • Data sources checked

  • Date response sent

  • Any exemptions applied

This supports accountability and compliance.

13. Roles and Responsibilities

  • Data Protection Lead: Oversees SAR handling, ensures compliance

  • Staff and volunteers: Forward SARs immediately, assist with data retrieval

  • Trustees: Provide oversight and ensure adequate resources

14. Review of This Procedure

This procedure will be reviewed annually or sooner if:

  • Legislation changes

  • The charity’s data practices change

  • A SAR incident highlights a need for improvement

Updated 13th June 2026

The Creation Works Data Protection Policy – Version 2026

The Creation Works CIO | Registered Charity No. 1209557

Registered office – 13a Moorland Rd, Par, Cornwall, PL24 2PA

© 2026 Southpaw Company  

Commercial in confidence – not for onward distribution without the written consent of Southpaw Company