Data Protection Policy
V22 needs to keep certain information about its employees, volunteers, members, clients, and studio holders to perform its work, satisfy its obligations to regulatory bodies, and to enable it to monitor performance and achievements.
To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, V22 must comply with the Data Protection Principles set out in the Data Protection Act 1998 and, since May 2018, in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 that implements it in the UK.
This responsibility is not restricted to sensitive data but applies to all data, including contact details and mailing lists.
The Act establishes very high standards for the handling of personal information, thereby protecting individuals' right to privacy. It regulates how personal information is collected, handled, stored and used, and applies equally to personal information held electronically and on paper.
V22 has notified the Information Commissioner's Office (ICO) that it holds personal data about individuals and is consequently registered under the Data Protection Act 1998. All persons dealing with personal data must therefore follow the principles of good information handling.
In summary these state that personal data must be:
- Obtained and processed fairly and lawfully;
- Obtained for a specified and lawful purpose and not processed in any manner incompatible with that purpose;
- Adequate, relevant and not excessive for that purpose;
- Accurate and kept up to date;
- Not kept for longer than is necessary;
- Processed in accordance with the data subject's rights;
- Kept safe from unauthorised access, accidental loss or destruction;
- Not transferred to a country outside the European Economic Area unless that country has equivalent levels of protection for personal data.
All V22 staff who process or use any personal information must ensure that they follow these principles at all times. Access to information will only be to the extent required by the task being undertaken and will also be restricted to those persons recognised by V22 management as requiring such access to information in the course of their duties and responsibilities. In the event of any breach of information security, no matter how minor, it must immediately be reported to V22 directors to enable appropriate investigation. If necessary, there will be a review of the adequacy of existing information security measures.
In order to ensure that this happens, V22 has adopted this Data Protection Policy. Any member of staff, volunteer or studio holder who considers that this policy has not been followed in respect of their personal data should raise the matter with the Designated Data Controller (DDC) initially. If the matter is not resolved, it should be raised as a formal grievance to the directors of V22.
The Data Controller and the Designated Data Controller:
V22 is the Data Controller under the Act, and the organisation is therefore ultimately responsible for implementation. However, a Designated Data Controller will deal with day to day matters. V22's Designated Data Controller is Nadia Lantuha, and she can be contacted at studios@v22.org.
Notification of Data Held and Processed:
All staff, volunteers, and studio holders have the right to:
- Know what information V22 holds and processes about them and why;
- Know how to gain access to it;
- Know how to keep it up to date;
- Know what V22 is doing to comply with its obligations under the Act.
Personal Data Held:
Personal information is defined as any details relating to a living, identifiable individual. Within V22 this applies to employees, volunteers, studio holders, and members of the public such as job applicants, exhibiting artists, and visitors. We need to ensure that information relating to all these people is treated correctly and with the appropriate degree of confidentiality.
V22 holds personal information in respect of its employees, volunteers, studio holders, exhibiting artists, and members of the public. The information held may include an individual's name, postal, e-mail and other addresses, telephone numbers, next of kin details, tenancy information and organisational roles.
For security purposes, some buildings have CCTV cameras in operation. Access to the camera system is password protected, and cameras are positioned only in public areas.
Personal information is kept primarily to enable V22 to function legally as an organisation and perform our agreements with studio holders, partners, and artists.
Sensitive Data:
Special categories of particularly sensitive personal information require higher levels of protection. V22 has not identified that it holds any such information, other than historic records relating to its former Workspace Creche, which are kept in line with government guidelines.
Processing and Storage of Personal Information - digital records:
Studio holder records are now held in a bespoke tenant database and management system, which represents a migration to more secure data management and storage.
Migrating our records to this application significantly improves the security of our studio holders' personal data: the data is stored off-site on a server that requires two-factor authentication and allows SSH access only, and the database itself is protected against remote and unauthorised access by access controls and limited privileges. Passwords and other sensitive data are encrypted using OpenSSL with the AES-256-CBC cipher. Every encrypted value carries a message authentication code (MAC) that is checked before decryption, so a value that has been modified or tampered with after encryption is rejected rather than decrypted.
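As an added illustration of the scheme described above (this is not code from V22's own system, whose implementation is not published here), the following Go program applies AES-256-CBC under one key, then an HMAC-SHA256 tag over the IV and ciphertext under a second key, and on the way back checks the tag in constant time before it decrypts anything, so a modified value fails with an authentication error and never reaches the padding check. The keys, the sample value and the FlipByte helper that plays the attacker are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

var ErrBadMAC = errors.New("authentication failed: value was modified after encryption")
var ErrBadLength = errors.New("value too short or not block-aligned")
var ErrBadPadding = errors.New("invalid PKCS#7 padding")

// Encrypt: AES-256-CBC under encKey with a fresh random IV, then HMAC-SHA256 under a
// separate macKey over iv||ciphertext (encrypt-then-MAC). Output: base64(iv||ciphertext||tag).
func Encrypt(encKey, macKey, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	out := append(append(iv, ct...), tagOf(macKey, iv, ct)...)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt verifies the tag in constant time before touching the ciphertext: a modified
// value fails with ErrBadMAC and is never decrypted, so padding errors cannot act as an oracle.
func Decrypt(encKey, macKey []byte, token string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize+sha256.Size || (len(raw)-sha256.Size)%aes.BlockSize != 0 {
		return nil, ErrBadLength
	}
	iv, ct, tag := raw[:aes.BlockSize], raw[aes.BlockSize:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	if !hmac.Equal(tagOf(macKey, iv, ct), tag) {
		return nil, ErrBadMAC
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func tagOf(macKey, iv, ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(iv)
	h.Write(ct)
	return h.Sum(nil)
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > size || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding
	}
	return b[:len(b)-n], nil
}

// FlipByte simulates an attacker altering one byte of a stored value.
func FlipByte(token string, i int) string {
	raw, _ := base64.StdEncoding.DecodeString(token)
	raw[i] ^= 0x01
	return base64.StdEncoding.EncodeToString(raw)
}

func main() {
	encKey, macKey := make([]byte, 32), make([]byte, 32) // demo keys, generated fresh each run
	rand.Read(encKey)
	rand.Read(macKey)
	tok, _ := Encrypt(encKey, macKey, []byte("studio 12 door code: 4471")) // constructed sample value
	pt, err := Decrypt(encKey, macKey, tok)
	fmt.Printf("round trip: %q (err=%v)\n", pt, err)
	_, err = Decrypt(encKey, macKey, FlipByte(tok, 20)) // byte 20 lies inside the ciphertext
	fmt.Println("tampered value:", err)
}
```

Two design points matter here. The MAC key is distinct from the encryption key, and the tag covers the IV as well as the ciphertext, so flipping a byte anywhere in the stored value, including the IV, is detected. Checking the tag before decrypting is what makes the MAC useful against an attacker who can alter stored values: without it, CBC padding errors can be used as an oracle to decrypt data without the key.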
The system also enforces rigorous password hygiene on its users: previously compromised passwords cannot be reused, and strong passwords are required. User passwords are handled on a no-knowledge basis: V22 staff cannot see a user's password, and so cannot share it or change it on the user's behalf.
All data transfers between client and server are sent over HTTPS (TLS), so an intercepted payload cannot be read by a third party. The server's certificate, which can be identified by its SHA-256 fingerprint, lets the client verify that it is talking to the genuine V22 server rather than an impostor.
Our application codebase follows current security practice, and all libraries and packages it uses are monitored for published security vulnerabilities, which are patched promptly when discovered. All input is rigorously validated and sanitised to block injected scripts, anti-forgery tokens protect against cross-site request forgery (CSRF), and request throttling (rate limiting) limits brute-force attacks. We also have custom-built bot-detection logic and role-based access control, and we adhere to coding best practice to protect the site from malicious or accidental intrusion.
All third-party systems with which the app interacts connect using the industry-standard OAuth 2.0 authorisation protocol with PKCE (Proof Key for Code Exchange). PKCE is optional in OAuth 2.0 but required for the authorization code flow in the OAuth 2.1 draft, because it prevents an intercepted authorization code from being redeemed by anyone other than the client that started the flow. Those systems in turn require two-factor authentication (2FA) for all their users.
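As an added worked example, not V22's code and not tied to any particular third-party provider, the following Go program shows what PKCE adds to the authorization code flow: the client keeps a random code_verifier, sends only its S256 code_challenge (the base64url-encoded SHA-256 of the verifier, as defined in RFC 7636) to the authorization server, and must present the verifier when it redeems the code. The AuthServer type, its code format and its Authorize and Token methods are a constructed in-memory stand-in for a real authorization server, written to show the check rather than to be deployed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

var ErrInvalidGrant = errors.New("invalid_grant")

// NewVerifier returns a code_verifier: 32 random bytes, base64url without
// padding, which gives 43 characters from the RFC 7636 unreserved set.
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Challenge derives code_challenge for code_challenge_method=S256:
// BASE64URL(SHA256(ASCII(code_verifier))), per RFC 7636 section 4.2.
func Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthServer is a constructed stand-in for the third-party authorization
// server; it remembers the challenge it saw at /authorize for each issued code.
type AuthServer struct {
	pending  map[string]string // authorization code -> code_challenge
	nextCode int
}

func NewAuthServer() *AuthServer {
	return &AuthServer{pending: map[string]string{}}
}

// Authorize models the /authorize request. Only S256 is accepted here: the
// "plain" method is allowed by RFC 7636 but gives no protection if the challenge leaks.
func (s *AuthServer) Authorize(challenge, method string) (string, error) {
	if method != "S256" {
		return "", errors.New("unsupported code_challenge_method")
	}
	if len(challenge) != 43 {
		return "", errors.New("malformed code_challenge")
	}
	s.nextCode++
	code := fmt.Sprintf("code-%d", s.nextCode) // demo codes; real ones are unguessable
	s.pending[code] = challenge
	return code, nil
}

// Token models the /token request. The code is consumed whether or not the
// exchange succeeds, and is only honoured if the presented verifier hashes to
// the challenge bound to it. A code stolen from the redirect is therefore
// useless without the verifier, which never left the legitimate client.
func (s *AuthServer) Token(code, verifier string) error {
	stored, ok := s.pending[code]
	delete(s.pending, code)
	if !ok || len(verifier) < 43 || len(verifier) > 128 {
		return ErrInvalidGrant
	}
	if subtle.ConstantTimeCompare([]byte(Challenge(verifier)), []byte(stored)) != 1 {
		return ErrInvalidGrant
	}
	return nil
}

func main() {
	srv := NewAuthServer()
	verifier, _ := NewVerifier() // stays on the client
	code, _ := srv.Authorize(Challenge(verifier), "S256")
	fmt.Println("legitimate client:", srv.Token(code, verifier)) // <nil>
	fmt.Println("replayed code:", srv.Token(code, verifier))     // invalid_grant
	code2, _ := srv.Authorize(Challenge(verifier), "S256")
	attacker, _ := NewVerifier() // an interceptor has the code but not the original verifier
	fmt.Println("stolen code:", srv.Token(code2, attacker)) // invalid_grant
}
```

The point of the example is the last two calls: a code that has already been redeemed is refused, and a code redeemed with any verifier other than the one whose hash was registered at /authorize is refused, which is exactly the authorization code interception attack PKCE was designed to stop.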
For back-up copies and any other personal information they hold themselves, all staff who process or use personal information are responsible for ensuring that:
- Any personal information which they hold is kept securely;
- Personal information is not disclosed, orally, in writing or otherwise, to any unauthorised third party;
- Digital information is kept password protected; and
- Any information which needs to be kept on an external hard drive is itself kept securely, following the guidelines for physical records below.
Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.
Storage of Personal information - physical records:
Although most physical records are historic, personal information is to be kept:
- In a locked filing cabinet; or
- In a locked drawer.
Conversations and Meetings:
Personal or confidential information should preferably not be discussed in public areas of any V22 building. Visitors should always be escorted and not be permitted to wander about the premises on their own, and should be escorted out of the premises when the meeting is over. All staff should be aware of the difficulty of ensuring confidentiality in an open-plan area and respect the confidential nature of any information inadvertently overheard. Any notes taken during or after an interview should be relevant and appropriate. It is recommended that such notes are subsequently filed in a legible and coherent manner and that informal notes are retained for a short period (1 year), in a secure place, before being shredded.
Collecting Information:
Whenever information is collected about people, they should be informed why the information is being collected, who will be able to access it and what purposes it will be put to. The individual concerned must confirm that they understand this and give permission for the declared processing to take place, or the processing must be necessary for V22's legitimate business.
Publication and Use of V22 Information:
V22 aims to make as much information public as is legally possible. In particular, information about V22 staff and studio holders may be used in the following circumstances:
- V22 may publish information about V22 and its studio holders, and their work by means of social media, newsletters, or on the website, but only with written consent.
- V22 may confirm to a third party whether or not a person is a member of staff or studio holder at V22 where this is necessary, for example for safeguarding purposes, or where a crime has been committed on site or by a member of staff, a studio holder or an affiliated party.
- V22 may provide approved organisations that have a legal right to the information with lists of names and contact details of staff, studio holders or other relevant organisations, but only where the individuals concerned have given their consent.
- Photographs of staff, studio holders, artists or their work may be displayed in V22 buildings and placed on the V22 website, but only with their consent.
- V22 staff's personal contact information will not be a public document and information such as mobile telephone numbers or home contact details will not be given out, unless prior agreement has been secured with the staff member in question.
Any individual who has good reason for wishing details in these records to remain confidential should contact the Designated Data Controller, Nadia Lantuha at studios@v22.org.
Staff and Studio Holder Responsibilities:
All staff and studio holders are responsible for checking that any information that they provide to V22 in connection with their employment or tenancy/occupation of studios is accurate and up to date. Staff and studio holders have the right to access any personal data that is being kept about them either on computers, servers, or in manual filing systems. Staff should be aware of and follow this policy, and seek further guidance where necessary.
Duty to Disclose Information:
There is a legal duty to disclose certain information: information about child abuse will be disclosed to social services, and information about other criminal activity will be disclosed to the police.
Retention of Data:
V22 will keep some information for longer than other information. Because of storage constraints, information about studio holders cannot be kept indefinitely unless there is a specific request to do so. In general, information about studio holders will be kept for a minimum of one year after the end of their occupation of a V22 studio, and their contact details added to our alumni contact records, unless we are informed otherwise.
V22 will also need to retain information about staff. In general, all information will be kept for six years after a member of staff leaves V22. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references.
A statement about Data Protection will be displayed clearly within any public spaces within V22. A copy of the Data Protection Statement is contained in Appendix A.
Appendix A
V22 DATA PROTECTION STATEMENT
Sharing information with others:
Sometimes we have to confirm or share information with other organisations. If we need to do this, we will make it clear to you on the forms you complete giving us the information. We will draw up an agreement with the organisation that we need to share the information with as appropriate. This is so that both sides understand why the information is being passed on, and what use can be made of it. In some cases, a third party organisation may draw up the agreement.
Information quality:
We will make sure that the information about you is accurate and up to date when we collect or use it. You can help us with this by keeping us informed of any changes to the information we hold about you.
Information security:
We will keep information about you secure. We will protect your information against unauthorised change, damage, loss or theft.
Keeping information:
We will hold information about you only for as long as the law says. After this, we will dispose of it securely and properly.
Openness:
We will tell you what kinds of information we hold and what we do with it.
Access and correctness:
Whenever possible, we will let you see the information we hold about you and correct it if it is wrong.
In general:
We will comply with the Data Protection Act 1998/GDPR and any subsequent legislation on information handling and privacy. We will do this through the V22 Data Protection Policy.
We will help you with any questions or problems that you may have with the Data Protection Act 1998, the GDPR, the Human Rights Act 1998 or the Freedom of Information Act 2000. If we cannot help you, we will give you advice on where to write to get the information you may need.
Our Commitment:
We will only collect information that is necessary for what we do. We will be fair in the way we collect information about you. We will tell you who we are and what we intend to do with the information about you. Where practicable, we will collect information directly from you. If we collect information about you from someone else, we will make sure you know that we have done this whenever possible.