Our Privacy Notice

The University of Nottingham, University Park, Nottingham, NG7 2RD, is committed to protecting your personal data and informing you of your rights in relation to that data.

The University of Nottingham is registered as a Data Controller under the Data Protection Act 2018 (registration No. Z5654762).

One of our responsibilities as a data controller is to be transparent in our processing of your personal data and to tell you about the different ways in which we collect and use your personal data. The University will process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR, GDPR) and the Data Protection Act 2018 (DPA) and this privacy notice is issued in accordance with the GDPR Articles 13 and 14.

Lakeside Arts is part of the University of Nottingham and for the purposes of this Privacy Policy, “we” means Lakeside Arts, University of Nottingham.

This policy explains:

• why we collect your personal data;
• the legal basis for processing your personal data under GDPR;
• what personal data we collect and where we get this information from;
• how long we keep your personal data for;
• who we share your personal data with;
• how we keep your personal data secure;
• your rights as a data subject and how you can check and update any of your personal data.

We may update our Privacy Notice at any time and we encourage you to check back here regularly to review any changes.

Show more details

The University has an appointed Data Protection Officer. Their postal address is: 

Data Protection Officer,
B16, Lenton Hurst,
University of Nottingham,
University Park,
Nottingham
NG7 2RD

 

They can be emailed at dpo@nottingham.ac.uk.

One of our responsibilities as a data controller is to be transparent in our processing of your personal data and therefore tell you about the different ways in which we collect and use your personal data. We also want to maintain the trust and confidence of every one of our audience members and supporters, as well as each visitor who uses the Lakeside Arts website.

WHY WE COLLECT YOUR PERSONAL DATA

We define personal data as information relating to a live, identifiable individual. We may need to gather and use information about you for a number of reasons. Here are the main ones: 

• To provide a service you have requested (e.g. booking tickets).
• Contact you if we need to obtain or provide additional information (e.g. changes to events).
• Provide you with information on upcoming events, exhibitions and/or opportunities to donate to Lakeside Arts, so long as you have consented to these communications (e.g. emailing about upcoming events).
• To improve our programming and customer service by better understanding our audience’s needs (e.g. retaining customer service issues to ensure mistakes aren’t repeated).

The law also requires us to acquire and keep certain information. Occasionally this information is anonymised so you can't be identified.

THE LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA UNDER GDPR

Under the General Data Protection Regulation, we must establish a legal basis for processing your personal data and communicate this to you. All data processed under the terms of this notice is classified as non-sensitive personal data, as such we typically rely on three legal basis for processing your personal data, which vary depending on what we’re using it for. These are:

1. To perform or take steps to enter into a contract;
2. Your consent;
3. Legitimate interests pursued by the University (except where such interests are overridden by your interests, rights or freedoms).

Show more details

Specifically, we use your information in the following ways:

To carry out our business and to provide a service or carry out a contract with you:

• To fulfil ticket, merchandise, donation and membership requests.
• Process payments. Please note that Lakeside Arts does not store any Credit Card or other payment information once the transaction has been completed. We will ensure that this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS).
• Provide the best possible customer services and to help us with internal administration.
• Undertake due diligence in accordance with our Gift Acceptance Policy
• Contact you with important information relating to your booking or purchase, such as confirming your order, reminding you of an upcoming performance you’ve booked for or letting you know about changes or building works that may affect your visit.

Where we have your consent:

• Send you updates about what’s on, ticket offers and news.
• Contact you about a specific genre or topic that you’ve requested to hear more on such as exhibitions, family events or other projects.
• Share your details with other arts organisations (e.g. Fabric) whose work you will have booked for through Lakeside Arts. You will always be able to opt out of their communications by contacting them directly.

Where we have justifiable reason (including legal obligation and legitimate interest):

• Learn about your interests and preferences so that we can contact you with information that is relevant to you.
• Help us target our marketing communications and adverts so that they’re more relevant to you.
• For classifying our audience into groups or segments, using booking, publicly available, and purchased geo-demographic/behavioural profile information. These segments help us to understand our audience better and ensure we’re sending relevant messages to each group.
• Measure and understand how our audiences respond to a variety of marketing activity so we can ensure our activity is well targeted, relevant and effective.
• Undertake consumer research: we may contact you to ask you to participate in consumer research either via an online or telephone survey or in person. You are under no obligation to participate in research and, should you provide any further information, Lakeside Arts will inform you how any further information will be used.
• Analyse and continually improve the services we offer including our artistic output, our website and our other products.
• To keep our database accurate and relevant.
• Detect and reduce fraud and credit risk.

In all of the above cases we will always keep your rights and interests at the forefront to ensure they are not overridden by our own.

Processing Special Category personal data

Data protection law recognises that certain categories of personal information are more sensitive, such as health information, race, religious beliefs and political opinions. We collect and use some Special Category data for two reasons:

1. To ensure that we able to deliver events safely (e.g. collecting and processing data relating to pre-existing medical conditions for workshops for 18s and under so we are informed and able to act appropriately when a child or young person is under our supervision).
2. To monitor and report on the types of people engaging with our artistic programme and ensure that we are serving a broad section of society with our work (e.g. monitoring the ethnic diversity of those engaging and comparing those statistics with regional census data).

We will always obtain explicit consent to process when obtaining this information.

WHAT PERSONAL DATA WE COLLECT AND WHERE WE GET THIS FROM

Generally, we collect your information when you decide to interact with us. This could include purchasing tickets online, over the phone or in person or it could be when you sign up to receive emails from us. Whenever we do so we will always explain why we are requesting this information, and under what circumstances and how your information will be processed.

Show more details

We collect information in a number of ways which are listed below:

• When you create an account at www.lakesidearts.org.uk. Your account allows you do the following:
  • Buy tickets for events
  • Make a donation
  • Register for special and genre interest lists (e.g. dance productions, exhibition openings, talks and lectures)
• Contact us by phone to book tickets.
• Book tickets in person at the box office.
• Contact us by post or email (e.g. application or donation forms).
• Complete a survey or form during or following a visit to Lakeside.

The type of information we collect depends on where and when it is gathered and in what context.

When you create an account with us, register on our website, purchase tickets online, in person or by phone, or make a donation we need to collect information from you in order to provide the service you are requesting. We may collect:

• Prefix and name
• Gender
• Email address
• Age (for workshops for 18s and under only)
• Contact phone number(s)
• Payment card details (we will not hold payment information for any longer than it takes to process your transaction)
• Information required to preocess a donation (including any Gift Aid claims)
• Delivery address(s)
• Billing address

When visiting our website we may collect the following information:

• Automatically populated IP address: a public IP address is a unique number which allows a computer, group of computers or other internet connected device to browse the internet. The log file records the time and date of your visit, the pages that were requested, the referring website (if provided) and your internet browser version. This information is collected to help diagnose and manage the website, to audit the geographical make-up of users, and to establish how they have arrived at the website.
• Cookies: for further information about Cookies and how we use them, please read our Cookie Policy.

Information we obtain independently from you:

Third Party Organisations

We may combine information you have given to us with this additional information available from external sources. This will only be done when you give permission to the relevant third party organizations to share the data they hold on you, or if the data is already publicly available.

Data Hygiene

From time to time we may screen our database against a recognised data hygiene file (such as a National Change of Address file) and cleanse our file or correct inaccurate data. We may also update inaccurate data if the information is available.

Social Media

Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you may give us permission to access information from those accounts or services.

Information available publicly

We may include information found in places such as Companies House and information that has been published in articles/ newspapers.

HOW LONG WE KEEP YOUR PERSONAL DATA FOR

We will only retain your personal data for as long as is reasonably necessary to fulfil the purposes set out in this privacy notice, including for the purposes of satisfying any legal, accounting, or reporting requirements. We will not keep more information than we need. The retention period will vary according to the purpose, for example if purchasing a ticket only, we will typically keep your data for up to six years from the date of your last transaction whereas if you have pledged a legacy to us, we will hold your details until notified by your executors. Our records retention schedule is available online.

If you ask us to stop sending direct marketing communications to you, we will keep the minimum amount of information (e.g. name, address or email address) to ensure we adhere with such requests.

WHO WE SHARE YOUR PERSONAL DATA WITH

Internal recipients

We may share your personal data, including your sensitive personal data, between colleagues and departments  who have received appropriate training and legitimately need access to that information in order to carry out their normal duties to support and facilitate your relationship with us.

External recipients

Personal data collected when you purchased tickets or signed up to receive communications from us is securely stored in our Spektrix database, which is hosted externally by Spektrix Ltd in a secure data warehouse. On occasion, Spektrix Ltd will have access to your data when assisting with the maintenance and development of our systems, however only on our instruction.

We will never share, sell, rent or trade your personal information to any third parties for marketing purposes without your prior consent.

Some of our service providers may have access to your data in order to perform services on our behalf – payment processing and email marketing are good examples of this. We use Elavon’s Opayo Gateway to process credit and debit card transactions. This requires us to provide personal and payment data to Elavon Financial Services DAC in order for them to process payments. Spektrix integrates via an Application Programming Interface (API) with dotdigital EMEA Limited’s dotdigital email marketing platform. When we send you a promotional, pre/post-visit or survey email, it will have come from dotdigital. This requires us to transfer, via the API, your name, email address and another other relevant information we hold (for example, the name of the event you have booked for) to dotdigtal when sending emails. We control which emails are sent and the content of those emails.

We enter into an agreement with anyone who provides a service for us to ensure that they meet our standards for data security. They will not use your data for anything other than the clearly defined purpose relating to the service that they are providing.

Show more details

We may share your details with:

• Service providers who work on our behalf for the performance of any contract we enter into with them or you (e.g. payment processing, printers and mailing houses, marketing agencies, database services, website hosting or email delivery service).
• Named third party organisations if you ticked the relevant opt-in box when you purchased tickets. In these instances, we may supply your personal information to that specific organisation only.
• Third party data services, for example Morris Hargreaves McIntyre, who help us to segment and understand our audience by providing additional information so that we can send the most relevant and targeted communications possible.
• Where required to do so (for example, if required to do so by the ‘know your donor’ principles under charity law or a court order), or when requested by the police or a regulatory or government authority investigating illegal activities, or when requested by NHS Test and Trace.

Transfers of and access to your data outside of Europe

We do not regularly transfer personal data to companies based outside of Europe. However, Spektrix Ltd may transfer or provide access to personal data to its affiliate Spektrix Inc in the United States of America in order to provide technical support services. Spektrix makes this data transfer in accordance with UK GDPR, GDPR and DPA (via the operation of EU and UK approved standard contractual clauses).

Elavon and dotdigital operate globally and as such reserve the right to store and process personal data in any countries outside of the United Kingdom and European Economic Area that are subject to different standards of data protection. Both Elavon and dotdigital take appropriate steps ensure that transfers of personal data are in accordance with UK GDPR, GDPR and DPA and is carefully managed to protect your privacy rights and interests and transfers are limited to countries that are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights.

HOW WE KEEP YOUR PERSONAL DATA SECURE

We are committed to protecting the personal information you entrust to us. We adopt robust and appropriate technologies and policies, so the information we have about you is protected from unauthorised access and improper use.

Show more details

Like us, Spektrix is committed to delivering robust security and privacy procedures to ensure we maintain the confidentiality, integrity and availability of data stored in their system. Specifically Spektrix:

• Use industry-standard encryption to protect personal data and communications during data transmissions. 
• Do not store payment information.
• Have strict policies in place on accepting management or support requests.
• Conform with the PCI-DSS standard for the handling of cardholder data and are audited annually as a PCI Level 1 provider.
• Provide unique user accounts and login details for all users, with the system allowing differing levels of access, ensuring users only have access to the areas of the system required.
• Have various measures in place to ensure operational security, with annual audits and security testing.

YOUR RIGHTS AS A DATA SUBJECT

You have the following rights in relation to your personal data processed by us:

Show more details

Right to be informed

We will ensure you have sufficient information to ensure that you're happy about how and why we're handling your personal data, and that you know how to enforce your rights. We provide information in the form of privacy notices. You can read all of our privacy notices online.

Right of access / right to data portability

You have a right to see all the information we hold about you. Where data is held electronically in a structured form, such as in a database, you have a right to receive that data in a common electronic format that allows you to supply that data to a third party – this is called "data portability". To make a request for your own information please see our Data Protection website.

Right of rectification

If we're holding data about you that is incorrect, you have the right to have it corrected. If you have any concern about the accuracy of your personal data, please let us know using the below contact details.

Right to erasure

You can ask that we delete your data and where this is appropriate we will take reasonable steps to do so. If you would like us to remove the personal information we hold about you, please contact us using the below contact details.

Right to restrict processing

If you think there's a problem with the accuracy of the data we hold about you, or we're using data about you unlawfully, you can request that any current processing is suspended until a resolution is agreed. Please email any related request to our box office team using the below contact details.

Right to object

You have a right to opt out of direct marketing. You have a right to object to how we use your data if we do so on the basis of "legitimate interests" or "in the performance of a task in the public interest" or "exercise of official authority" (a privacy notice will clearly state to you if this is the case). Unless we can show a compelling case why our use of data is justified, we have to stop using your data in the way that you've objected to. If you wish to object to us processing your data, please let us know using the below contact details.

CHECKING AND UPDATING YOUR PERSONAL DATA

You should find it easy to access and amend the personal information that we hold on you, or request that we stop contacting you. It’s your data and we want to make sure you feel in control of it.

If you have an online account with us, you can amend your personal details and email contact preferences at any time. Simply sign in on the website and access your account, or, if you prefer, you can contact us by phoning, emailing, or writing using our contact details below. Every email we send to you will include details on how to change your communications preferences or unsubscribe from future communications.

By email: lakeside-box-office@nottingham.ac.uk
By phone: +44 (0)115 846 7777
By post: Lakeside Arts, University Park, Nottingham, NG7 2RD