Last modified:  7 February 2019

This policy applies to the Torbay Culture Ambassadors programme only, which is managed by an external consortium on behalf of Torbay Culture and TDA.

The processing of personal data by the consortium of freelancers involving Anna Gilroy, Laura Carus and Holly Patton (hereafter known as the ‘consortium’) is regulated by the laws and rules of the United Kingdom and European Union (Data Privacy and GDPR regulation). This policy explains how the consortium complies with these laws and include the steps that the consortium must take in processing personal data and some rights that consortium and other data subjects have under data privacy laws.

1. Introduction

1.1 This policy is in written in conjunction with the consortium’s Cyber Security Policy.

1.2 This policy has been approved by the freelancers. Any questions of concerns should in the first instance be raised with Holly Patton (

1.3 If you consider that this policy has not been followed then you should raise the matter with Holly Patton.

1.4 This policy does not form any part of an employees contract of employment and may be updated at any time.

1.5 Any breach of this policy will be taken seriously.

2. Definitions

2.1 Data is information which is stored electronically, on a computer, or in certain paper-based filing systems. This will include volunteer’s names, contact details and attendance records.

2.2 The Data Controllers within the consortium is Holly Patton and she will determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with Data Privacy Laws.

2.3 Data Processors include Laura Carus, Anna Gilroy and Holly Patton. It could also include any person or organisation who processes personal data on behalf of a data controller. This include suppliers, sub-contractors or clients who handle personal data on our behalf (currently the consortium utilises Mailchimp, Google Drive and Eventbrite).

2.4 Data Protection Officer will be appointed if consortium are managing a large project with largescale data processing. “Large-scale” is a subjective term determined by:

  • The number of data subjects;

  • The volume of data and/or the range of data processing;

  • The length or duration of the data processing;

  • The geographical reach of the data processing.

2.5 Data Subjects for the purpose of this policy are all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.

2.6 Data Users include other freelancers and subcontractors whose work involves using or otherwise processing personal data. Data users have a duty to protect the information they handle by following our data protection and security policies (including this one) at all times.

2.7 Processing is any activity that involves use or retention of the data. It includes obtaining, recording or holding the data. It also includes organising, amending, retrieving, using, disclosing, erasing, destroying or transferring it to third parties.

2.8 Sensitive Personal Data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or sexual life or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions and will usually require the express consent of the person concerned. The consortium will not be processing sensitive data as part of the Torbay Culture – Volunteer Coordination (Ambassadors) Project.

3. Personal Data

3.1 Personal Data is data relating to a living individual from which that individual can be identified, either from that data alone or from other information that is is, or is reasonably likely to come into the consortium’s possession. Examples of personal data include:

  • Name

  • Date of Birth

  • Identity Card Numbers (Passport etc)

  • HR Files about employees

  • Details of consumers

  • Individual contacts with suppliers and/or clients

  • Contacts held in address books

  • Data collected relating to time/place and/or manner of use of the consortium websites (including those operated by the consortium) by individuals

4. What personal data do we collect and why?

4.1 We collect data relating to:

  • Volunteer Organisations

  • Clients (including potential and previous)

  • Suppliers

  • Volunteers including CV, phone numbers, email address, locations and address.

4.2 The consortium holds and processes Associate/sub-contractors’ (individuals’) Personal Data for the following purposes:

  • The administration and management of its associates/sub-contractors

  • Payment of its associates/sub-contractors

  • Notification of potential employment/contracts

  • For the purpose of compliance with applicable laws/regulations and rules.

4.4 The consortium holds and processes Client Personal Data for the following purposes:

  • To facilitate the delivery of our contracts and projects

  • For dealing with client enquiries

  • The supply of marketing and promotional material (only at the user’s request)

  • For the purpose of any retrospective queries.

4.3 The consortium holds and processes Suppliers’ Personal Data for the following purposes:

  • The administrations and management of our contracts and projects

  • For payments

  • For dealing with any retrospective queries.

4.4 The consortium holds and processes Volunteers’ personal data for the following purposes:

  • The administration and management of its volunteers

  • Protecting the legitimate interests of the consortium (including investigating act or defaults)

  • For notification of potential opportunities volunteering and/or employment (at their request)

  • For the purpose of compliance with applicable laws, regulations and rules.

4.5 The consortium may share the personal data that is collects with its affiliates and third parties operating on its behalf. The consortium will only share personal information with companies/third parties that are required to protect data in accordance with relevant laws, regulations and rules and are subject to any appropriate security measures and directions from the consortium.

5. How do we process personal data?

The consortium processes all personal data with the data protection principles below. All associates, consortium members and other data processors must follow these principles if they process personal data:

  • Processing must have consent and be lawful. The data protection subject must be told who the data controller is, who the data controllers representative is and the purpose that the data is being processed/collected and the identities of anyone whom the data may be disclosed or transferred. For personal data to be processed lawfully certain conditions have to be met. These may include, among other things:

    • Requirement that the data subject has consented to the processing

    • The processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed

    • Or that the processing is necessary for the performance of a contract to which the data subject is a party.

All data processed as part of the Torbay Culture-Volunteer Co-ordination (Ambassadors) Project will be consented by the subject. Consent must be:

  • Active: consent is freely given, specific, and unambiguous;

  • Active consent is also positive, meaning we have not presumed consent from a pre-ticked box, inactivity, or not selecting any option;

  • Privacy must be presented as granular multiple choices, and not a single in or-out option for multiple elements. For example, if we have determined that we need consent for the data you are collecting, then it cannot be automatic opt-in during a registration process;

  • Unbundled: users cannot be forced to grant consent for one thing in order to receive another;

  • Named: the user must be made aware of all specific third parties who will be receiving their data and why they will be receiving it;

  • No imbalance in the relationship: consent must not create an unfair relationship between the user and the data processor, such as requiring excessive data collection in an employer-employee relationship;

  • Verifiable and documented: we must be able to prove who gave their consent, how consent was given, what information they were given, what they agreed to, when they consented, and whether or not the user has withdrawn their consent.

If not grounded in consent, our data processing must be done within a legal basis. This means that our collection and processing of the data is:

  • Necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract;

  • Necessary to comply with a legal obligation;

  • Necessary to protect the person’s vital interests (for example, providing someone with emergency medical help);

  • Necessary for the performance of a task in the public interest or in the exercise of official authority;

  • Necessary for the purposes of the “legitimate interests” pursued by the controller or third party.

Whether grounded in consent or legal basis, we must be able to document proof. That proof must indicate:

  • How consent was given;

  • What information we were given, and what you agreed to;

  • When you consented (ideally a timestamped record); and

  • Whether you gave your consent or not and if you have withdrawn your consent.

  • Processing must be for limited purposes and must be done in an appropriate way. Processing data must generally only be processed for the specific purposes notified by the data subject when the data was collected or for any other purposes specifically permitted by Data Protection Laws.

  • Processing must be adequate, relevant and not excessive for the purposes. Personal data must only be collected to the extent that it is required for the specific purpose. Any non-relevant information should not be collected.

  • Personal data should be accurate and up to date. Information that is incorrect or out of date should be corrected or destroyed.

  • Personal data must not be kept longer than necessary for the purpose. Personal data should be destroyed or erased from our systems when it is no longer required for the reason it was collected. The consortium may retain personal data in order to comply with applicable laws, regulations and rules.

  • Personal data must be kept secure. Appropriate security measures must be taken against unlawful or unauthorised processing of personal data and against accidental loss of or damage to personal data in line with data protection laws. Personal data may be transferred to third party data processors if they agree to comply with all policies and procedures. Any data protection breaches should be reported immediately to Holly Patton.

  • Personal data must not be transferred to people or organisations situated outside the EU unless it will be adequately protected in line with our data protection laws, regulations and rules.

6. Rights of Data Subjects

6.1 All data subjects have rights regarding the processing of their personal data, including:

  • The right to be informed about what we are doing with data through privacy notices;

  • The right of users to access a copy of the data we hold on them;

  • The right to correct any data that we hold;

  • The right to erasure, meaning the right to request that we delete certain kinds of data that we hold;

  • The right to restrict processing, or the right to ask us to stop using their data in certain ways;

  • The right to data portability, or the right to take the data we hold about them to another service provider;

  • The right to object to our uses of their data; and

  • Their rights in relation to automated decision making and profiling, where there are legal implications.

7. Providing information to third parties

7.1 Any associate dealing with enquiries from third parties should be careful about disclosing any personal data held by the consortium and should seek permission from Holly Patton who will:

  • Check the identity of the person making the enquiry

  • Ask the third party to put the request in writing (if not already done so)

  • Where providing information to the third party, they will do so in accordance with the law.

8. Document Retention

8.1 Personal data should be destroyed/erased from our systems when it is no longer required for the specific reason it was processed. The consortium however may retain some personal data to comply with applicable laws, regulations and rules. These laws include:

  • For employee records, during the period of employment and normally up to six years after employment ceases.

  • For application forms and other information relating to unsuccessful job applicants, the period of six months from the date of rejection (unless the applicant has given their express consent for the consortium to retain their details for future job opportunities.

  • For immigration checks on potential employees carried out during the employment application process, during employment and for up to two years after employment ceases

  • For payroll and wage records (including PAYE records), six years from the financial year-end the payments were made;

  • For records relating to any reportable accident, death or injury in connection with work for at least three years from the date of the report.

8.2 For further guidance on document retention and destruction please contact Holly Patton.

9. Monitoring and review of this Policy

9.1 This policy is reviewed regularly by the members of the consortium. We will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives in accordance to Data Protection Laws (specifically GDPR legislation).

Torbay Culture’s own privacy policy can be viewed here.