The Bar Convent Privacy Policy

Introduction

The Bar Convent Trust collects a limited amount of data from customers and supporters to enable services to be provided and news and events information to be shared.

This Policy sets out why we collect personal information about individuals and how we use that information.  It explains the legal basis for this and the rights you have over the way your information is used.

Please be assured that when you provide your personal data, the Trust will keep your information confidential, will only ask for enough information to enable us to provide the service you requested and we will only do exactly what we said we would do with it. At all times, the Trust adheres to the core principles of the General Data Protection Regulation 2018 (GDPR) that the data that we collect is “Adequate, Relevant and Limited” for the purposes that we collect it. If your information is either inaccurate and you would like us to amend it or change how we use it, then please let us know and we will do so immediately. 

We never share your data with others or use it outside of the United Kingdom, and at an appropriate time we will confidentially dispose of your data after fulfilling the purpose that we originally collected it for.

We may have to change the privacy policy at intervals; however, we expect to review it every 2 years.  If you have queries about this policy or your personal information, then please contact the Trust’s Data Protection Officer (section 2 below).

Contacting The Bar Convent Trust’s Data Protection Officer

The Bar Convent Trust is the Data Controller for the purposes of the EU General Data Protection Regulation. 

The Data Protection Officer of The Bar Convent Trust is James Foster, General Manager of The Bar Convent Trust.

Telephone 01904 464 901 or Email: jfoster@bar-convent.org.uk.

GDPR Principles

The Trust fully supports ‘the spirit and the letter’ of GDPR. In more detail, this is how the Trust has adopted GDPR principles:

  • Data Collection Is “Adequate, Relevant and Limited”.  At each point of data collection, it is the Trust’s policy to advise you (the data subject) of what information we are collecting and why, what we intend to do with it, how we hold it and for how long, and how you can amend it, change its use or gain access to it as necessary.
  • Used For Specific Processing Purposes.  Personal data is only used for the express purposes that were stated to you at the point that they supplied it. 
  • Processed Lawfully, Fairly and Transparently.  The Trust operates a clear and transparent approach to obtaining and processing data (without any hidden objective or motive) whilst being in compliance with the law at all times.
  • Stored For No Longer Than Necessary and Securely.   All personal data is held within the Trust for the minimum amount of time to enable the stated processing purposes to be performed.  Electronic and hard copies of personal data are only available to authorised Trust employees to perform these tasks.  All personal data is held securely requiring key access and/or electronic password access using industry standard software.  Computers systems comply with the Trust’s ICT security standards and consumer payment systems comply with the industry’s PCI DSS compliance standards.  Backups of essential personal data will be completed at regular intervals with a copy retained in fireproof reciprocals or held securely off site. 
  • Right to Access Or Amend Your Personal Data. You have the right, on written request (and without charge), to receive an electronic copy of the information that the Trust holds about you.  You also have the right to demand that any inaccurate data be corrected and to apply any processing restrictions on it.  Any of these rights can be exercised by contacting the Trust’s Data Protection Officer (see above).
  • The Right to Be Forgotten.  A data subject has the right ‘to be forgotten’ at any time.  This means that you have the right to have your information securely destroyed at anytime unless another superior legal or contractual obligation takes precedent.  If the data subject doesn’t request to be forgotten during the term advised at the time of initially supplying information then the retention expiry date will eventually be reached.  On this retention expiry date information will be routinely deleted.  Printed copies of any information will confidentially shredded or if in a larger volume, it will be sent away for confidential disposal (using a commercial secure disposal service) and a certificate of destruction will be retained by the Data Protection Officer (see above) as evidence on file.

Our Legal Bases for Collecting and Processing Personal Data

The type and amount of information we collect depends on why you are providing it.  GDPR sets out a number of different reasons for an organisation to legitimately collect and process data, the Trust uses the following methods:

  • Explicit Consent - Where personal data is collected (e.g. when you sign up to receive a newsletter) in a non contractural context, the Trust prefers to provide clear information enabling you to sign up by ‘ticking’ a box in agreement, then collecting your personal data in a familiar way.
  • Contractural – To enable us to book meeting facilities or accommodation we require your infomation to maintain contact to enable us to make arrangements, process payment and for a period thereafter for tax and legal purposes.  We collect this in a contractural form, providing clear information in a prominent position in booking processes and terms and conditions.   Your agreement to this is recognised by your signature or online booking confirmation. This is also accompanied by an explicit consent ‘tick box’ next to a data collection statement, to make it clear what you are agreeing to.

What, How and Where We Collect Personal Data

We collect personal data when you provide it to us to subscribe to information services or book facilities/accommodation. 

This is usually to enable us to maintain contact with you, so is typically in the form of name, address, telephone or email and if you are booking fee-based services this will include your payment information (e.g. credit and debit card details).  We also retain this information to fulfil tax and legal requirements.

We collect personal data:

  • Online when you visit our website, or a 3rd party accommodation providers website (e.g. booking.com) to book our accommodation or facilities.
  • By telephone by calling to enquire or book accommodation, a meeting room or a group tour.
  • In person, by completing a leaflet tear off slip in reception (e.g. to join our supporters group) or to enquire or book any of our facilities face-to-face.
  • If you subscribe to join our quarterly newletter.  In the newsletter we send updates about The Bar Convent Living Heritage Centre (the Centre), event promotions and pictures and occassionally discounted accommodation special offers.
  • By donating to us, by completing a gift aid envelope or writing to us concerning a donation or legacy.
  • For purchases in our Shop.
  • To facilitiate entrance into our Exhibition.
  • Booking a ticket for an event.
  • Posting content onto our social media sites.
  • If you volunteer to help us, so we can arrange support and maintain contact.
  • On CCTV.  We use CCTV in the Centre for the safety/security of our visitors, staff members, and to protect our building.

Who Has Access To Your Information

Only trained staff members or volunteers process your personal information if the Centre is contacted and enquiries and bookings are taken directly.

In today’s growing online accommodation industry, many bookings are made via third parties (e.g. booking.com or Agoda) who sell accommodation on a commission or fee basis in partnership with an accommodation provider.  In these circumstances, the accommodation seller usually holds the primary relationship with you and the Centre is a secondary processor of personal data.  In this circumstance your booking information is securely forwarded by the third party to Bar Convent Enterprises (a Ltd trading company owned by the Trust for the purposes of conducting commercial business) who manage accommodation.  These bookings are received securely and processed with exactly the same care as if the booking was taken directly as outlined in this policy.  Only room availability data is reciprocally shared with these partners via secure third party software (Siteminder) to enable the accurate allocation of available rooms.

To facilitate the processing of secure donations, third party online payment services are used.  The secure webpage is provided by Dataware in partnership with Sage, Sage forward funds to Worldpay payment services who make the deposit into our account at Barclay’s bank.

How We Keep Your Information Safe

Trust staff members are trained to be compliant with GDPR guidelines by adopting the following procedures:

  • We only confirm confidential personal data to data subjects after completing verification checks.  We do not provide information to family members of the data subject without the data subject’s explicit (i.e. in writing) and verifiable consent
  • Our staff members are very aware that fraud and deception methods are used in order to gain access to personal data and under certain circumstances may choose to send information directly to the contact details that the Trust holds on file.
  • Personal data is only e-mailed if a secure network (e.g encryption) is in place. 
  • Our online booking systems are professional industry standard software systems that use encryption solutions to protect your personal information and identity. 
  • Our staff members are trained to securely and respectfully process your data and keep it confidential at all times.  All staff have confidentiality clauses in their contracts and would be subject to disciplinary procedures if any personal data was divulged whatsoever.
  • If face-to-face, a staff member may suggest you continue your conversation in a private room (if discussing information of a sensitive nature) if in a public space.
  • All personal data is kept securely, either locked away if paper based, or if computerised, behind industry standard password protected systems. We do not leave personal data on desks or in unlocked offices unattended.

Keeping Your Information Up To Date

We appreciate it if you let us know if your contact details change.  Please contact the department that you originally supplied your personal data to, or if experiencing any difficulty, the  Data Protection Officer.

Children’s Information

We are pleased to have supporters of all ages and regularly receive students on educational placements below the age of 16.  Where appropriate we ask for consent from a parent or guardian to collect information about any relevant health or dietary issues which may be important for the well being of a student on placement.

How Long We Keep Your Information

Our approach is to hold your information for as little time as possible, however for contact and taxation reasons this is usually for as long as the relevant activity requires it. For example, for donations we have a statutory obligation to retain information for 6 years for tax purposes, however we only retain personal data for accommodations for a year unless there is a repeat booking during that period.

Making A Complaint

If you are unhappy with the way in which we have processed or dealt with your information then please contact your Data Protection Officer who will seek to rectify your complaint immediately.  You can also complain to the Information Commissioners Office on 0303 123 1113.