Who we are
YSP is registered as a charity and is a company limited by guarantee. All data is held by the charity.
Your personal data
We collect 'personal data', which is information that identifies a living person, or which can be identified as relating to a living person.
How we collect your personal data
We collect personal data you provide to us in writing, electronically, over the telephone, and via the website or other social media platforms. This includes information you provide when you make donations, apply for membership of our Friends scheme, purchase tickets, products or services, and ask to be added to our mailing lists. It also includes information you provide when you apply to work with us, volunteer, become a board member or enter into other contractual arrangements with us.
What data we collect
We may collect the following information:
- Personal details (name, gender, date of birth, email, or other social media account information, postal address, telephone etc.)
- Family and spouse/partner, or next of kin details
- Financial information (such as credit/debit card or direct debit details, and whether your donations are gift-aided)
- Details of purchasers and recipients of gift memberships and donations
- Details of the ways in which you wish to be contacted by us
Your activities and involvement with YSP will result in personal data being generated. This could include:
- Data supplied for NHS Test and Trace purposes
- Ticket booking
- Your attendance at special events
- Your visits to our website
- Images of you captured by our CCTV systems, photographers or filmmakers
- Your use of our public wifi
- Your car registration details for car park charges and calculating the frequency of your visits to YSP
- Your purchasing history
- How you’ve helped us by volunteering or by donating money
- If you have applied for a job or volunteer role with us
- Data collected from third party providers and social media providers
We do not normally collect or store special categories of personal data. However, there are some situations where we may need to do so. These may include, for example, if we need to know about any access, medical or dietary requirements you, or someone in your care, may have.
Children and Young People
We take great care to protect and respect the rights of individuals in relation to their personal data, especially in the case of those aged 13 or younger. We will not use the personal data of children or young people for marketing purposes. Personal data about children and young people is only accessible by our staff on a strictly need-to-know basis.
Why we collect this data
We use personal data for our legitimate interests and also in other situations when we have your consent. These uses include:
- undertaking visitor research
- to better understand how people choose and/or use our products and services
- to determine the effectiveness of our promotional campaigns and advertising
- to comply with our legal duties
- to protect your vital interests
- meeting our contractual obligations to you
- carrying out a task in the public interest
- for our own (or a third party’s) legitimate interests, provided your rights do not override these interests
We use your personal data for administration purposes. We also use your personal data to provide you with news about our activities and events, and to help with fundraising. You have the choice as to whether you want to receive or continue to receive our marketing messages, and you can change your preferences at any time.
We are participating in NHS Test and Trace, which means (unless you opt out) we may share some of your personal information (full name, contact details and date and time of your visit) with NHS Test and Trace if we are requested to do so.
We also only ever use your data for the purpose or purposes for which it was obtained.
We use website cookies for a number of different reasons as listed below. You can manage these small files yourself and learn more about them from allaboutcookies.org.
- To enable a service to recognise your device so you don’t have to give the same information again
- To recognise that you have already given a username and password so you don’t need to enter it for every web page requested
- To measure how many people are using our services, so they can be made easier to use and so that there is enough capacity to ensure a speedy service
- We use AddThis on our website so that you can share our content across email and social networks. These cookies allow us to anonymously track how many users recommend our web pages on social media
We use Google Analytics to collect information about how people use our website. We do this to make sure it’s meeting its users’ needs and to understand how we could do it better. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on. We do not allow Google to use or share our analytics data. This is a list of data stored by Google Analytics cookies:
- _utma stores each user’s number of visits, time of the first visit, the previous visit and the current visit
- _utmb and _utmc check how long a visitor stays on the site: when a visit starts and ends
- _utmz tracks where a visitor came from (search engine, search keyword, link)
- _utmv and _utmd track visitor journeys through the site and classify them into groups
These cookies each last for a different length of time:
- _utma expires two years after your last visit to this site
- _utmb expires 30 minutes after your visit, or after 30 minutes of inactivity
- _utmc expires at the end of a session (when you close your browser)
- _utmz expires six months after it was last set
- _utmv (not set) expires immediately
- _utmd (not set) expires immediately
How we store this data
In order to prevent unauthorised access or disclosure of your personal data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.
Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Staff receive data protection training and we maintain a set of data protection procedures which our staff are required to follow when handling personal data.
We only store your data for as long as we need to, and in order to carry out various services for you. We continually review what information we hold and will delete personal data which is no longer required.
All electronic forms that ask you for your financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.
If you use a payment card to make an event booking, to buy membership or to shop online, we will pass your payment card details securely to our payment provider. We comply with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council.
We will never sell your personal data.
We may share your personal data with contractors, research agencies or suppliers who provide us with services. For example, we may use a mailing house for the distribution of our What’s On leaflet; we use Eventbrite for ticket sales; we use Direct Debit processors for the handling of payments and email providers for our marketing communications. Information is transferred to data processors securely, and we retain full responsibility for your personal data as the data controller. These activities are carried out under a contract which imposes strict requirements on our suppliers to keep your personal data confidential and secure.
We may share your personal data where required to do so for prevention of crime or for taxation purposes (for example, with the police, HMRC) or where otherwise required to do so by other regulators or by law (e.g. the Charity Commission, Companies House).
We are wholly based in the UK and store data within the European Economic Area. Some organisations which provide data processing services to us do so under contract and may be based outside of the EEA. We will only allow them to do so if your data is adequately protected.
Our websites contain links to other external websites. We are not responsible for the content or functionality of any such websites. Please let us know if a link is not working by contacting firstname.lastname@example.org
YSP is protected by CCTV and you may be recorded when you visit. Our system includes an automatic car registration recognition system. We use CCTV to help with car parking charges, and to provide a safe and secure environment for visitors, for our staff and to prevent or detect crime. The system is managed in accordance with our standard operating procedures and with good practice guidance issued by the Information Commissioner’s Office. CCTV images will only be accessed by authorised security staff and are stored for up to 30 days, unless flagged for review.
We will only retain your personal data for as long as it is required for the purpose for which we collected it.
We want to ensure you remain in control of your personal data and that you understand your legal rights. These are:
- The right to know whether we hold your personal data and, if we do so, to be provided with a copy of this (a “subject access request”) within one month
- The right to have your data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason)
- The right to have inaccurate personal data rectified
- The right to object to your personal data being used for marketing or profiling
If you would like further information on your rights or wish to exercise them, please contact us at email@example.com or by writing to Yorkshire Sculpture Park, West Bretton, Wakefield WF4 4LG, United Kingdom. You can read more about your rights in detail at ico.org.uk. YSP is registered with the ICO – registration ZA080933
Updates to this policy