CASS is committed to protecting your privacy. We want to be transparent when it comes to data, this page shows you what data we collect from you and how we use it. If you have any questions or concerns please email us at firstname.lastname@example.org
This document shows CASS (‘we’) as the data controller and also explains any third parties we use for administration purposes.
We collect data from you when you:
+ Purchase something from us. This could be an entrance ticket, an item from our shop or a sculpture.
+ Support us by making a donation or becoming a member.
+ Sign up to our e-newsletter mailing list.
+ Give your consent for filming/photography onsite or at an event.
+ Complete a form for our records e.g. for use of the mobility scooter, group/school bookings or registering interest for volunteering.
+ Use our website and other online platforms. Examples of these are, Facebook, Instagram, Twitter.
+ Complete a feedback form or survey or if you contact us directly to give feedback via email, telephone or in person.
+ Attend one of our events or workshops.
+ Interact with links on our digital communications.
Different kinds of data we collect
Personal data is any data that can identify you. Some or all of these are collected when you interact with us as detailed above.
Personal data includes but is not limited to: contact details, date of birth, contact preferences, details of past communications, images of you, details of transactions, IP addresses.
Sensitive data is more specific and is only asked for in certain circumstances.
Sensitive data includes but is not limited to: medical information and next of kin, direct debit information, ethnicity, gender.
How this data is processed and why
We are required to process your details whenever you make a
transaction with us. Only trained CASS staff complete these transactions and
do not have access to full payment details.
Online (IP and cookies)
We report on sales and tickets sold to CASS so we can analyze this data. However, this data is aggregated and is not identifiable by the individual. All information is stored on CASS’ private server only accessible by CASS staff.
Marketing and your preferences
We contact our customer base with marketing materials, based on their communication preferences.
Our marketing strategy is based on segmentation provided by the Audience Agency in response to surveys. We occasionally use other information like previous bookings, purchases and location to send relevant events and offers to you.
If you would like to update your preferences you can do so by emailing email@example.com
If you wish to opt-out of receiving all correspondence from us, our emails contain a clear unsubscribe link within the footer.
If you have agreed to sharing data with third parties via social media, this data may influence our digital advertising. For example if you have expressed an interest in Arts and Culture on Facebook and we create a specific campaign to be shown to people on Facebook with this selected interest, Facebook may link you to our advert. Advertising you receive like this is linked to your privacy settings for each individual online platform. Please edit your privacy preferences on the online platform (e.g. Facebook) if you do not want your data to be shared with us or to stop seeing advertising from us.
Storage of data
All our data is stored with your privacy in mind. If we believe there has been a serious breach of data we will notify the Comissioners Officer within 72 hours of becoming aware of this.
For all external companies who process and store data on behalf of CASS we have entered into agreements with these organisations whereby they cannot sell, share or use your data for any other purpose other than those agreed with CASS. We ensure that suppliers who handle financial data on behalf of CASS are PCI DSS compliant.
All staff are trained to handle data respectfully and with security at the forefront of their mind. We ensure only staff required to view each type of data have access to do so. Special category data is only accessible to a small selection of staff for whom it is required.
We digitize paper files onto our private server and destroy paper files wherever possible. Those that have to be kept as physical copies are stored securely.
Your data will only be shared if we have your consent to do so however if we are asked to share information with the police, regulatory bodies or legal advisors we are required to do this by law.
Each piece of data has its own retention period based on the uses of that data.
For digitized records we regularly review information we have stored.
Our central database only holds contacts from the last three years.
Membership records are only kept while the membership is valid or until cancelled.
School and group booking details are kept for the year the booking was made. After this, personal data is removed and only basic non-personal details stored.
Surveys are destroyed once uploaded onto systems (Audience Finder). The system then aggregates the data meaning no individual can be identified.
Comment cards and suggestions are digitally stored for 1 year. Then the personal information is removed and the unidentifiable data is aggregated and used within plans.
We retain accounting and HR records as required by law.
If you are employed by CASS or apply to volunteer with us we collect personal and sensitive data as part of our duty as an employer and to ensure your safety when onsite.
If you would like to amend your data, ask us to stop using processing your data (unless we are required to do so by law), or erase your data please contact us at firstname.lastname@example.org
If you would like to request a copy of the information we hold about you please
email email@example.com. Requests will require time to process therefore please allow 30 days for your information to be supplied. If the request cannot be completed within this time you will be notified by a member of CASS staff.