Privacy Policy

This privacy policy sets out how Yorkshire Sculpture Park (YSP) uses, stores and protects your data. You can contact us with any queries about this policy by emailing comms@ysp.org.uk or find out more via the Information Commissioner's Office (ICO). YSP is registered with the ICO – number ZA080933.


Who we are

[When we talk about 'we' or 'us' in this privacy policy we mean Yorkshire Sculpture Park ("YSP" or "The Company").

YSP is registered as a charity and is a company limited by guarantee. All data is held by the charity.


Your personal data

We collect 'personal data', which is information that identifies a living person, or which can be identified as relating to a living person.

When we talk about 'you' or 'your' in this privacy policy we mean any living person whose personal data we collect.


How we collect your personal data

We collect personal data you provide to us in writing, electronically, over the telephone, and via the website or other social media platforms. This includes information you provide when you make donations, apply for membership of our Friends scheme, purchase tickets, products or services, and ask to be added to our mailing lists. It also includes information you provide when you apply to work with us, volunteer, become a board member or enter into other contractual arrangements with us.


What data we collect

We may collect the following information:

  • Personal details (name, gender, date of birth, email, or other social media account information, postal address, telephone etc.
  • Family and spouse/partner, or next of kin details
  • Financial information (such as credit/debit card or direct debit details, and whether your donations are gift-aided)
  • Details of purchasers and recipients of gift memberships and donations
  • Details of the ways in which you wish to be contacted by us


Your activities and involvement with YSP will result in personal data being generated. This could include:

  • Data supplied for NHS Test and Trace purposes
  • Ticket booking
  • Your attendance at special events
  • Your visits to our website
  • Images of you captured by our CCTV systems, photographers or filmmakers
  • Your use of our public wifi
  • Your car registration details for car park charges and calculating the frequency of your visits to YSP
  • Your purchasing history
  • How you’ve helped us by volunteering or by donating money
  • If you have applied for a job or volunteer role with us
  • Data collected from third party providers and social media providers

We do not normally collect or store special categories of personal data. However, there are some situations where we may need to do so. These may include, for example, if we need to know about any access, medical or dietary requirements you, or someone in your care, may have.


Children and Young People

We take great care to protect and respect the rights of individuals in relation to their personal data, especially in the case of those aged 13 or younger. We will not use the personal data of children or young people for marketing purposes. Personal data about children and young people is only accessible by our staff on a strictly need-to-know basis.


Why we collect this data

We use personal data for our legitimate interests and also in other situations when we have your consent. These uses include:

  • undertaking visitor research
  • to better understand how people choose and/or use our products and services
  • to determine the effectiveness of our promotional campaigns and advertising
  • to comply with our legal duties
  • to protect your vital interests
  • meeting our contractual obligations to you
  • carry out a task in the public interest
  • or our own (or for a third party’s) legitimate interests, provided your rights do not override these interests

We use your personal data for administration purposes. We also use your personal data to provide you with news about our activities and events, and to help with fundraising. You have the choice as to whether you want to receive or continue to receive our marketing messages, and you can change your preferences at any time.

We are participating in NHS Test and Trace, which means (unless you opt out) we may share some of your personal information (full name, contact details and date and time of your visit) with NHS Test and Trace if we are requested to do so.

We also only ever use your data for the purpose or purposes for which it was obtained.


Cookies

We use website cookies for a number of different reasons as listed below. You can manage these small files yourself and learn more about them from allaboutcookies.org.

  • To enable a service to recognise your device so you don’t have to give the same information again
  • To recognise that you have already given a username and password so you don’t need to enter it for every web page requested
  • To measure how many people are using our services, so they can be made easier to use and so that there is enough capacity to ensure a speedy service
  • We use AddThis on our website so that you can share our content across email and social networks. These cookies allow us to anonymously track how many users recommend our web pages on social media

We use Google Analytics to collect information about how people use our website. We do this to make sure it’s meeting its users’ needs and to understand how we could do it better. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on. We do not allow Google to use or share our analytics data. This is a list of data stored by Google Analytics cookies:

_utma stores each user’s number of visits, time of the first visit, the previous visit and the current visit
_utmb and _utmc checks how long a visitor stays on the site: when a visit starts and ends
_utmz tracks where a visitor came from (search engine, search keyword, link)
_utmv and _utmd track visitor journeys through the site and classifies them into groups

These cookies each last different amounts of times:
_utma expires two years after your last visit to this site
_utmb expires 30 minutes after your visit, or after 30 minutes of inactivity
_utmc expires at the end of a session (when you close your browser)
_utmz expires six months after it was last set
_utmv (not set) expires immediately
_utmd (not set) expires immediately


How we store this data

In order to prevent unauthorised access or disclosure of your personal data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.

Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Staff receive data protection training and we maintain a set of data protection procedures which our staff are required to follow when handling personal data.

We only store your data for as long as we need to, and in order to carry out various services for you. We continually review what information we hold and will delete personal data which is no longer required.


Online Security

All electronic forms that ask you for your financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.

If you use a payment card to make an event booking, to buy membership or to shop online, we will pass your payment card details securely to our payment provider. We comply with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council.


Third Parties

We will never sell your personal data.

We may share your personal data with contractors, research agencies or suppliers who provide us with services. For example, we may use a mailing house for the distribution of our What’s On leaflet; we use Eventbrite for ticket sales; we use Direct Debit processors for the handling of payments and email providers for our marketing communications. Information is transferred to data processors securely, and we retain full responsibility for your personal data as the data controller. These activities are carried out under a contract which imposes strict requirements on our suppliers to keep your personal data confidential and secure.

We may share your personal data where required to do so for prevention of crime or for taxation purposes (for example, with the police, HMRC) or where otherwise required to do so by other regulators or by law (e.g. the Charity Commission, Companies House).

We are wholly based in the UK and store data within the European Economic Area. Some organisations which provide data processing services to us do so under contract and may be based outside of the EEA. We will only allow them to do so if your data is adequately protected.

Our websites contain links to other external websites. We are not responsible for the content or functionality of any such websites. Please let us know if a link is not working by contacting comms@ysp.org.uk

If a third-party website requests personal data from you (e.g. in connection with an order for goods or services), the information you provide will not be covered by this privacy policy. We suggest you read the privacy notice of any other website before providing any personal information.


CCTV

YSP is protected by CCTV and you may be recorded when you visit. Our system includes an automatic car registration recognition system. We use CCTV to help with car parking charges, and to provide a safe and secure environment for visitors, for our staff and to prevent or detect crime. The system is managed in accordance with our standard operating procedures and with good practice guidance issued by the Information Commissioner’s Office. CCTV images will only be accessed by authorised security staff and are stored for up to 30 days, unless flagged for review.


Your rights

We will only retain your personal data for as long as it is required for the purpose for which we collected it.

We want to ensure you remain in control of your personal data and that you understand your legal rights. These are:

  • The right to know whether we hold your personal data and, if we do so, to be provided with a copy of this (a “subject access request”) within one month
  • The right to have your data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason)
  • The right to have inaccurate personal data rectified
  • The right to object to your personal data being used for marketing or profiling

If you would like further information on your rights or wish to exercise them, please contact us at comms@ysp.org.uk or by writing to Yorkshire Sculpture Park, West Bretton, Wakefield WF4 4LG, United Kingdom. You can read more about your rights in details at ico.org.uk. YSP is registered with the ICO – registration ZA080933


Updates to this policy

This policy was last updated on 23 November 2020. We may amend this privacy policy from time to time to ensure it remains up to date and continues to reflect how and why we use your personal data. The current version of our policy is always available on our website.