Data Protection Policy
GENERAL OVERVIEW
THE DATA PROTECTION REGULATION (“GDPR”) CAME INTO FORCE IN 1998 AS A PROVISION FOR REGULATING THE PROCESSING OF INFORMATION RELATING TO INDIVIDUALS, INCLUDING THE OBTAINING, HOLDING, USE OR DISCLOSURE OF THIS INFORMATION.
This policy is for the Black Cultural Archives (“BCA”) and is intended to provide information about how we use (or "process") personal data about individuals. It works in conjunction with BCA’s Privacy Policy, which includes further information about how we process personal information.
The principles of the GDPR
Article 5 of the GDPR requires that personal data shall be:
a) “processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Responsibility for data protection
In accordance with the GDPR, BCA has notified the Information Commissioner's Office (“ICO”) of its processing activities. Our ICO registration number is Z3469748 and its registered address is Black Cultural Archives, 1 Windrush Square, Brixton, London, SW2 1EF. BCA has appointed the Archivist as Data Protection Officer ("DPO") who will endeavor to ensure that all personal data is processed in compliance with this policy and the GDPR.
Types of personal data processed by BCA
Personal information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed, i.e. anonymous data.
We may collect, use, store and transfer different kinds of personal information about you which we have grouped together as follows:
· Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
· Contact Data includes billing address, delivery address, email address and telephone numbers.
· Financial Data includes bank account and payment card details
· Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
· Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.
· Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
· Usage Data includes information about how you use our website, products and services.
· Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences. This also includes us making a note of conversations we have had with you in person and/or communications you sent to Black Cultural Archives. This helps us to manage our relationship with you and ensures you only receive communications from us that are relevant and timely.
When you subscribed (‘opted in’) or made a purchase from us expressing an interest in our work, we will contact you by email to share regular updates about our work and upcoming events. You have the option to unsubscribe at any time via (add link). You can request details on all personal information we hold at any time. We will not share your personal information with any other organisation.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal information but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
Any Special Categories of Personal Data we collect about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data) are anonymised. We do not collect any information about criminal convictions and offences.
Purposes for which we will use your personal information
We have set out below, in a table format, a description of all the ways we plan to use your personal information, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Please note that we may process your personal information for more than one lawful ground depending on the specific purpose for which we are using your information. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below:
Purpose/Activity
Type of data
Lawful basis for processing including basis of legitimate interest
To register you as a new customer
(a) Identity
(b) Contact
Performance of a contract with you
To process and deliver your ticket purchase including:
(a) Manage payments, fees and charges
(b) Collect and recover money owed to us
(a) Identity
(b) Contact
(c) Financial
(d) Transaction
(e) Marketing and Communications
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with you which will include:
(a) Notifying you about changes to our terms or privacy policy
(b) Asking you to leave a review or take a survey
(a) Identity
(b) Contact
(c) Profile
(d) Marketing and Communications
(a) Performance of a contract with you
(b) Necessary to comply with a legal obligation
(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To enable you to partake in a prize draw or complete a survey
(a) Identity
(b) Contact
(c) Profile
(d) Usage
(e) Marketing and Communications
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
(a) Identity
(b) Contact
(c) Technical
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
(a) Identity
(b) Contact
(c) Profile
(d) Usage
(e) Marketing and Communications
(f) Technical
Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing and communications with you, customer relationships and experiences
(a) Technical
(b) Usage
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that may be of interest to you
(a) Identity
(b) Contact
(c) Technical
(d) Usage
(e) Profile
Necessary for our legitimate interests (to develop our products/services and grow our business)
To process donations and to keep in touch regarding donations and activities
(a) Identity
(b) Contact
(c) Financial
(d) Transaction
(a) Performance of a contract with you
(b) Necessary to comply with a legal obligation
(c) Necessary for our legitimate interests (to maintain engagement with donors and cultivate relationships with potential donors, to ensure we continue to receive donations)
To process archive enquiries
(a) Identity
(a) Performance of a contract with you
To register you as a reader in our reading room
(a) Identity
(b) Contact
Necessary for our legitimate interests (to ensure our collections are handled correctly and to ensure security)
To inform you about archive activities
(a) Identity
(b) Contact
Explicit consent to join our mailing list
To process and deliver your reprographics purchase including:
(a) Manage payments, fees and charges
(b) Collect and recover money owed to us
(a) Identity
(b) Contact
(c) Financial
(d) Transaction
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to recover debts due to us)
Rights of access to personal data (“subject access request”)
Individuals have the right under the GDPR to access personal data about them held by BCA,
subject to certain exemptions and limitations set out in the GDPR. Any individual wishing to
access their personal data should put their request in writing to the DPO. We will endeavour to respond to any such written requests (known as "subject access requests") as soon as is reasonably practicable and in any event within statutory time-limits. BCA may charge an administration fee of up to £10 for providing this information.
You should be aware that certain data is exempt from the right of access under the GDPR. This
may include information that identifies other individuals, information which BCA
reasonably believes is likely to cause damage or distress, or information which is subject to
legal professional privilege.
Data accuracy and security
BCA will endeavour to ensure that all personal data held in relation to an individual is
as up to date and accurate as possible. Individuals must notify the DPO of any changes to
information held about them.
An individual has the right to request that inaccurate information about them is erased or
corrected (subject to certain exemptions and limitations under the GDPR) and may do so by
contacting the DPO in writing.
BCA will take appropriate technical and organisational steps to ensure the security of
personal data about individuals.
All staff will be made aware of this Data Protection Policy, and their duties under this and the GDPR.
Queries and complaints
If an individual believes that the BCA has not complied with this policy or acted otherwise
than in accordance with the GDPR, they can utilise our complaints procedure and if they
do so, they should also notify the DPO.
Any comments or queries on this policy should be directed to the DPO in writing to: The
Archivist, Black Cultural Archives, 1 Windrush Square, Brixton, London, SW2 1EF.
Download BCA's Privacy Policy