Privacy policy

Artsadmin is committed to best practice in the handling of personal and sensitive data and careful compliance with requirements of UK GDPR (General Data Protection Regulations), which came into force on 31 January 2020. 

We take your privacy seriously and will only use your personal information to administer your transactions with us (online and offline) and to provide information about the events, resources and services you have requested. All data is collected and is currently processed in accordance with the Data Protection Act (1998) and UK GDPR. Please read our Data Protection Policy below for more details. 

Artsadmin’s Data Protection Officer is Theo Hooley (they/them). You can contact them with any questions related to our policy:

Artsadmin is registered in the UK no. 2979487. Registered charity no. 1044645.

Artsadmin’s data protection policy


  1. Introduction
  2. Definitions
  3. Areas of work
  4. The personal data that we process and store
  5. How we collect, process, protect and dispose of data
  6. Third Parties
  7. Roles and responsibilities
  8. Subject access request forms
  9. The right to be forgotten
  10. Updates and further information


Our priority is to avoid causing harm to individuals by:

  • Keeping all information securely, and only in the right hands (i.e. on a strictly “need-to-know” basis)
  • Holding accurate information only as long as we need it

We aim to be open and transparent in the way we use personal data to give individuals as much choice as possible, within reason, over what data is held and how it is used.


Here is how we define the terms we use around data protection:

  • Data – information held on computer in digital form or similarly held on other electronic device(s) such as mobile phones, tablets etc, and/or otherwise held manually, as hard copy (including but not limited to photographs, video material, handwritten notes, etc.)
  • Data Controller – the organisation, i.e. Artsadmin, responsible for how and why personal data are used, or are to be processed
  • Data Processor – any person (other than an employee of the data controller) who processes the data on behalf of the data controller
  • Data Protection – legal control over access to and use of data stored in computers. It is about protecting people from the consequences of their data being misused, mishandled or mismanaged
  • Data Subject – an individual about whom personal data is held
  • Personal Data – information about a living individual who is identifiable from the data held on them by a Data Controller
  • Subject Access – the right of an individual to have a copy of the information a data controller holds about them.
  • Processing – any use of personal data, including obtaining, storing, using, disclosing or destroying it. This includes:
    • organisation, adaptation or alteration of the information or data;
    • retrieval, consultation or use of the information or data;
    • disclosure of the information or data by transmission, dissemination or otherwise making available;
    • alignment, combination, blocking, erasure or destruction of the information or data.

Areas of work

This data protection policy covers all Artsadmin’s activities, particularly relating to HR, marketing, fundraising and networking activities, and contact-tracing. We define these activities as:

  • HR – the recruitment and management of information about applicants, casual staff and employees.
  • Grant and award giving – artists applying for opportunities like AiR or Another Route
  • Marketing – activities that seek to match one of our products or services with a customer or client, at the right price, in the right place, at the right time.
    • B2B marketing – Business to Business marketing is the online and offline activities that help us to identify people and organisations that will book our artists’ work, hire our spaces, etc.
    • Networking – making and developing relationships with key professionals in order to further the reach of Artsadmin’s activity. This may include face-to-face (conferences, events, seminars, etc), telephone, email and other methods.
    • B2C Marketing – Business to consumer marketing is the online and offline activities that attract customers and audiences to attend events, performances and exhibitions, and purchase food/drink – including but not limited to: social media, website, video, brochures, email newsletters, listings, posters, fliers and word of mouth.
  • Fundraising – the process of gathering voluntary contributions of money or other resources, by requesting donations from individuals, businesses, crowdfunding, charitable foundations, or governmental agencies.
  • Contact-tracing – for health and safety reasons, we may collect personal data of building visitors at Toynbee Studios and we will ask for their consent. We will only use their personal data for the purposes of notifying them of known cases of Covid-19 at Toynbee Studios and would keep this data securely for 21 days. This personal data is only shared with staff for the purposes of notifying people.

This data protection policy is primarily concerned with our audiences, such as ticket buyers, visitors to Toynbee Studios and workshop attendees, which we call our B2C relationships. Here is how we define our B2B and B2C relationships:


Professionals: promoters, presenters, partners, staff
Artists: produced artists, supported artists, mentored artists, performers at Toynbee Studios
Hirers: clients and tenants who use our spaces at Toynbee Studios
Suppliers: the third party companies and people we buy services from, e.g. production managers, printers, cleaners, consultants

These communications include but are not limited to:

  • Printed communications
  • Digital: Touring email, targeted promoter emails, Artsadmin Anchor, project pages on website
  • In person: professional networking, conferences and events.


Audiences: public audiences that buy tickets or attend free events (and their guests)
Customers: Canteen customers
Visitors: attending meetings, rehearsals; visitors/participants to events held by hirers; social media followers and email list subscribers.

These communications include but are not limited to:

  • Print: What’s On (Toynbee Studios), event fliers
  • Digital: Artsadmin’s monthly newsletter, Artsadmin Anchor newsletter, event pages on website
  • In person: Front of House, box office, customer service (Artsadmin Canteen and studios)
  • CCTV footage and images of people  

The personal data that we process and store

This is the kind of personal data we may store about an individual, such as employees, ticket buyers, applicants and artists we work with:

  • Name, address, email and phone contact details
  • Communication contact preferences
  • Ethnicity
  • Heritage
  • Nationality
  • Age
  • Socioeconomic status
  • Sexual orientation
  • Details of any disability
  • Sex (only for HMRC and Arts Council England)
  • National Insurance Number
  • Tax Code
  • Employment references
  • Employment history
  • Employment contract
  • Personal ID (Passport)
  • Pay rate
  • Absence details – annual leave, sickness, maternity/paternity leave, compassionate leave, lateness
  • Details of accidents and incidents at work
  • Education and qualifications
  • Training
  • Disciplinary action
  • Termination of employment
  • CCTV footage and images of people  

How we collect, process, protect and dispose of data

How we collect data

  • We collect data via email, CVs and our online application portal for recruitment or applications to open schemes for bursaries, commissions, awards, grants and other opportunities for artists.
  • We collect data for online marketing, if you have opted in, through email newsletter subscription via the Mailchimp form on our website, our online ticket booking system, ticket booking transactions over the phone or sign-up sheets at box office, or via personal request. A link to our privacy statement will be visible at the data collection point (for example when you opt in to receive a newsletter or buy a ticket for one of our events) and include opt-ins for receiving future communications from Artsadmin and/or a third party (artist, company).
  • We collect data for artists and organisations we work with via our CRM (Customer Relationship Database), which uses Drupal. We also store personal data on artists support and projects on the following password-protected third party platforms: Adobe, Atlassian (Trello), the Audience Agency, Buffer, Calendly, CAF, Canva, Culture Counts, Dropbox, Easyfundraising, Evernote, Google, Grantium, Hootsuite, HSF health plan, Intuit (Mailchimp), IRIS (myepaywindow), Issuu, Linktree, LinkedIn, MacOS, Mastodon, Meta, Myepaywindow, Office365, the Payroll company, Royal London, Skedda, Slack, SmugMug (Flickr), Soundcloud, Spektrix, SurveyMonkey, Twitter, Quickbooks, Whereby, WordPress, Vimeo, Zoom.
  • We collect data on social media. Depending on your settings or the privacy policies for social media and messaging services like Facebook, Instagram, YouTube, LinkedIn, Mastodon, Soundcloud or Twitter, you may give us permission to access information from those accounts or services.
  • We collect data for fundraising if an individual has opted in when they sign up to our newsletter via our website, when donating via CAF, Easyfundraising or Spektrix, face-to-face or by personal request.
  • We collect data for events bookers via Spektrix. 
  • We collect data for our engagement work. The data of individuals under 18 years old will only be kept after signed consent from a parent, legal carer or guardian. Employees working one to one with individuals under 18 years old or vulnerable adults require a DBS. When working in partnership with an institution such as a school, we work in line with the institution’s individual DBS policy in addition to our own policy of not allowing staff without DBS to work one to one with children or vulnerable adults at any time. When working in criminal justice settings such as prisons or youth offending institutes we are strictly forbidden to collect any personal data as this would be a security and confidentiality breach.
  • We collect employees’ data via email, post, paper employment forms such as contracts, passport, emergency contact form and payroll information. This is shared with a trusted outsourced payroll company in password protected documents for the purpose of paying people. 
  • We may encrypt sensitive data (documents and mobile devices) to ensure it is safely stored or shared.
  • We collect CCTV images and footage of people at Toynbee Studios for their safety and security using CCTV cameras.  


A cookie is a small data file that is downloaded on to ‘terminal equipment’ (like a computer or smartphone or other device) when you access a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.

You can change your browser settings to remove, block or withdraw your consent for cookies at any time. But in some cases this may impact on your ability to use our website. Browsers recognise different types of cookies and allow you to treat them differentially, as desired.

There are two main types of cookies, first and third party: First Party Cookies are those set by the website you are viewing. Third party cookies are set by other sites; for example if a video has been embedded from YouTube, YouTube may set a cookie of its own.

Cookies can also last for different durations. Session cookies last until you leave the site, others may last for days or months so the site can recognise you and your preferences on subsequent visits.

We use a number of different cookies on the Artsadmin website; these are:

  • necessary cookies that are essential in helping users to move around the website and use its features such as events bookings;
  • performance cookies, that collect information about how users use the site, such as which pages are the most visited. These cookies collect anonymous information only and we only use any information to improve the site.
  • We use Google Analytics on the site that uses cookies to collect this sort of information. You can read Google’s privacy policy here. And you can opt out of being tracked by Google Analytics on all sites.

Cookies set by

| Cookie | Duration | Purpose |
| --- | --- | --- |
| _ga | 2 years | Google Analytics statistics – used to distinguish users |
| _gid | 24 hours | Google Analytics statistics – used to distinguish users |
| _gat | 1 minute | Google Analytics statistics |
| cookie_notice_accepted | 6 months | Saves your acceptance of storing cookies. Does not exist if you do not accept the storage of cookies. |

Cookies set by

Used during the checkout process when you shop, donate or purchase tickets. Does not exist if you do not create a shop account or make a purchase with us.

| Cookie | Duration | Purpose |
| --- | --- | --- |
| ASPXAUTH | Session | Shop checkout process |
| CookieDetection | Session | Shop checkout process |
| QueueNumber | Session | Shop checkout process |
| SessionId | Session | Shop checkout process |
| StartedOldCheckout | Session | Shop checkout process |
| _ga | 2 years | Google Analytics statistics – used to distinguish users |
| _gid | 24 hours | Google Analytics statistics – used to distinguish users |
| _gat | 1 minute | Google Analytics statistics |
| __cfduid | 1 month | Shop checkout process |
| SpektrixClientName | 1 year | Shop checkout process |
| ReturningCustomer | Over 2 years | Shop checkout process |

Third parties

We use a number of third party service providers on this website, some of which may set cookies on your computer when you use the facility. Each provider has their own privacy policy:

How we process and protect personal data

  • We store personal data on recruitment or applications to open schemes for bursaries, commissions, awards, grants and other opportunities for artists on our secure application portal.
  • We store and process personal data for B2C audiences and fundraising, such as email addresses, postal addresses, phone numbers and interaction history, on Mailchimp, our CRM database, our box office system, and our online donation software.
  • We store our employees’ emergency contacts, pension and health cash plan securely on our servers, and process payroll information for HMRC.
  • We store non-anonymised Equal Opportunities information on our permanent staff securely on our CRM, accessible by the Executive Director and Front of House and HR Coordinator only. We use this data in our reporting to Arts Council England and other funders.
  • Any personal data relating to finance is held in our accounting software, protected digital files on our server and secure paper filing.
  • We analyse data and share anonymised data with third parties and trusted partners for reporting purposes, for example our reporting to Arts Council England and other funders.
  • Staff and freelancers who use their own devices for work purposes and connect to our server are informed of our Data Protection Policy. We assess the security of these devices, use encryption where necessary, and we give staff training on how to ensure they are secure.
  • Our IT software and systems are regularly monitored and updated to ensure maximum virus protection and security. Staff are trained to identify suspicious emails or attachments, particularly from any hitherto unknown or otherwise untrusted sources, and to notify our DPO and staff responsible for IT about any potential risks.
  • In the course of carrying out our business, we may need to transfer your personal data to a country in the EU. The European Commission has found the UK to be adequate (June 2021), which means that most data can continue to flow from the EU and the EEA without the need for additional safeguards.  
  • We may need to transfer your personal data outside the UK or European Economic Area (EEA) including to any group company or to another person with whom we have a business relationship (for example, if an artist’s project is touring internationally, we may need to share the contact details of the project team). We will only do this if there are adequate protections in place and will put in place appropriate procedures with the trusted third parties to ensure that your personal data receives an adequate level of protection and is treated by those third parties in a way that is consistent with and which respects the UK law on data protection. 
  • Both live and retained CCTV footage is kept securely and is only accessible by the nominated data processors within our business, for the intended purpose of maintaining building, property and occupant safety. Any nominated persons accessing the CCTV system and footage are aware of their responsibilities as they relate to GDPR and DPA guidelines.

How we dispose of data

We will keep your information only for as long as is reasonably necessary for the purposes set out in this privacy notice and to fulfil our legal obligations. We will not keep more information than we need. The retention period will vary according to the purpose, for example:  

  • We delete all unsuccessful applications for jobs for 6 months after the application deadline.
  • We delete all unsuccessful applications for artists’ grants and support, such as Artsadmin’s Artist Bursary Award and Unlimited, within 18 months after the application deadline.
  • We ensure that any individual artist we advise has given us consent to store their data on our CRM database.
  • We delete unsolicited CVs sent to us by email or by post.
  • Inactive or bounced email addresses are removed from Mailchimp through automated data cleansing at least once a month.
  • Every email we send to individuals via Mailchimp includes details on how to change your communications preferences or unsubscribe from future communications. You can unsubscribe or adjust your settings to opt in to the communications you want to receive.
  • We keep minimal contacts on freelancers with whom we have a business relationship for as long as is reasonably necessary.
  • We keep employee records and payroll information in line with our statutory and legal obligations (6 years, plus the current financial year).
  • Under normal circumstances, CCTV footage is retained for up to 1 month and then permanently deleted. We may be required to retain footage for longer, but only under very special circumstances that comply with our security and privacy operating policies, such as in cases of criminal activity.

Staff are trained in best practices of securely disposing of printed personal or sensitive data. We shred or safely dispose of printed materials. Content is erased from USBs, CDs, hard-drives and other forms of electronic data storage media, and the storage device is physically destroyed.

Personal data breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach could be accidental or deliberate.

  • We have data breach detection, investigation and internal reporting procedures in place to ensure any breaches of personal data are dealt with and resolved as quickly as possible.
  • Artsadmin will report to the ICO about certain types of personal data breaches within 72 hours of becoming aware of the breach, where feasible. A summative report will in due course also be sent to The Charity Commissioners for their information once any investigation has been conducted.
  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will also inform those individuals without undue delay.
  • We keep a record of any personal data breaches.
  • We have cyber security insurance to protect us if a breach should occur.

Third Parties 

Collaboration is one of Artsadmin’s core values. We collaborate with artists and organisations on a regular basis and we will only share your data when you have given consent or opted in.

Artsadmin’s policy is to check that all our third party suppliers who have access to personal data operate in line with UK GDPR. We have agreements and contracts in place with artists, partners and service providers to ensure that data is secure. Artsadmin is not responsible for the privacy notices and practices of third parties.

Artsadmin may include information about events and projects by third parties (such as organisations we collaborate with, have toured work to or have presented work by) in our marketing promotion via email newsletters and on social media.

Roles and responsibilities

Artsadmin’s Board of Trustees recognises its overall legal responsibility for data compliance.

Day-to-day responsibility for Data Protection is delegated to a nominated Data Protection Officer, currently Theo Hooley. The main responsibilities of the Data Protection Officer are:

  • Ensuring that Data Protection training takes place for all staff as part of their induction and that all existing staff receive training;
  • Briefing the Board on Data Protection responsibilities as required;
  • Reviewing Data Protection and related policies and processes annually unless otherwise stated;
  • Advising staff on Data Protection issues;
  • Keeping Artsadmin’s notification with the Information Commissioner’s Office up to date;
  • Handling any Subject Access requests;
  • Approving unusual or controversial disclosures of Personal Data;
  • Working with the Communications Manager to ensure that our Data Protection policies and processes are visible on our website and communicated to our audiences;
  • Approving contracts with Data Processors.

All managers of departments/teams and functional areas have the following responsibilities:

  • Assisting the Data Protection Officer in identifying aspects of their area of work that have Data Protection implications so that guidance can be provided as necessary;
  • Ensuring that their operational procedures take full account of Data Protection requirements;
  • Including Data Protection and confidentiality in staff induction and training (for temporary staff and volunteers as well as permanent staff).

All staff are responsible for understanding and complying with the procedures that Artsadmin has adopted in order to ensure Data Protection compliance. This is also the case for freelancers contracted to work for Artsadmin on a project or longer-term basis, with access to data and information stored on our servers.

Subject Access Request Forms

Subject access request refers to the right that individuals have to see a copy of the information an organisation holds about them. You can read more about Subject Access on the Information Commissioner’s Office’s (ICO) website.

If you want to know the information that Artsadmin holds about you, you can find out more about how to do that on the ICO website.

Please submit to with the email subject line “Subject Access Request”.

In line with GDPR:

  • Artsadmin will respond within 40 days of the date on which the request is received.
  • We can refuse or charge for requests that are manifestly unfounded or excessive.
  • If we refuse a request, we will explain to the individual why, without undue delay and at the latest, within one month, and that they have the right to complain to the supervisory authority and to a judicial remedy.
  • We will charge up to £10 to administer Subject Access Request Forms to cover any overheads such as staff time, printing and postage.
  • We will need to verify your identity before the request will be considered and acted upon. We require level 2 identity proofing for any subject access requests – such as a passport and driving licence as well as a utility bill.

For more information on right of access, please refer to the ICO.

The Right to be Forgotten

Individuals have the right for their personal data to be erased; it is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing. Artsadmin will have one month to respond to a request.

We will implement The Right To Be Forgotten if the data subject requests it and will provide evidence of deletion where possible. For more information on the right to be forgotten, please refer to the ICO.

Updates to this policy and further information

This policy was last updated on 14 February 2023. We review our policy annually and any updates are posted on this page. We may inform you about any changes that are relevant to you.

Artsadmin has the following related policies and documents, which you can request to see:

  • PCI Compliance Security Awareness Programme
  • Tech Security and Usage Policy
  • Digital Policy

You can find further information on data protection regulations and laws here: