data protection policy

Download

Date of Issue: 1st January 2026
Next Review Date: 1st January 2027
Approved by: Directors of artspace

1. Introduction

artspace is committed to protecting the privacy and security of all personal information we collect in the course of our business. We take our responsibilities under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 seriously and strive to handle all personal data lawfully, fairly and transparently.

This policy outlines how artspace collects, stores, processes and shares personal information. It applies to all personal data relating to our clients, workshop participants, suppliers and associates.

artspace delivers creative workshops to our clients to support connection, communication and creative problem-solving in the workplace. These creative workshops are not offered as therapy and no clinical or health data is collected.

2. Scope

This policy applies to:

  • All employees, directors, associates, facilitators and contractors working with or on behalf of artspace
  • All personal data processed by artspace in any format (electronic, paper or verbal)

It covers all activities relating to:

  • Enquiries and bookings for workshops
  • Corporate client communications
  • Workshop participant information
  • Supplier and contractor details

3. Data Protection Principles

artspace upholds the following principles as set out in the UK GDPR. Personal data will be:

  1. Processed lawfully, fairly and transparently
  2. Collected for specified, explicit and legitimate purposes
  3. Adequate, relevant and limited to what is necessary for our purposes
  4. Accurate and kept up to date
  5. Retained only for as long as necessary
  6. Processed securely, protecting against unauthorised or unlawful access, loss or damage

4. Lawful Basis for Processing

artspace processes personal data under one or more of the following lawful bases:

  • Contractual necessity: to deliver and manage booked workshops, issue invoices and communicate with clients
  • Legitimate interests: to manage and maintain professional relationships with clients, participants and suppliers
  • Consent: where individuals have opted to receive communications, provided voluntary information or shared creative reflections

We do not process special category data (such as health information) unless explicit consent is given and the data is anonymised.

5. Data We Collect

The types of personal data we may collect include:

Clients:

  • Name, organisation, job title, email address, phone number and invoicing details

Workshop participants:

  • Name, organisation, role, and contact email (if provided directly)
  • Optional creative reflections, which are anonymised if used for feedback or evaluation

Suppliers and contractors:

  • Business name, contact details and payment information

We do not collect, store, or process personal clinical, health or therapy-related data

6. How Data Is Collected

Personal data may be collected through:

  • Online forms or electronic correspondence
  • Direct communications and contracts with clients
  • Workshop sign-up sheets
  • Invoices and payment systems

Data will always be collected directly from the individual wherever possible or via a contact who has obtained
permission to share it.

7. Data Storage and Security

artspace ensures that all personal data is stored securely and accessed only by those who require it.

  • Electronic data is stored on encrypted, password-protected devices and/or secure cloud systems
  • Paper records (if used) are stored in locked cabinets and destroyed securely when no longer needed
  • Access is limited to authorised artspace staff and associates on a need-to-know basis
  • All staff are required to maintain confidentiality and follow this policy at all times

Appropriate technical and organisational measures are in place to prevent unauthorised access, loss, misuse or alteration of personal data.

8. Data Retention

artspace will only retain personal data for as long as necessary to fulfil the purpose for which it was collected,
including any legal, accounting or reporting requirements.

  • Client and booking information: retained for up to 6 years in line with HMRC and accounting obligations
  • Workshop participant lists: retained for 12 months following completion, unless agreed otherwise
  • Mailing list contacts: retained until the individual unsubscribes
  • Supplier and contractor data: retained for the duration of the professional relationship and up to 6 years thereafter

Once the retention period has expired, data will be securely deleted, anonymised or destroyed.

9. Data Sharing

artspace does not sell or trade personal data.

Data may be shared only with:

  • Trusted third-party service providers (such as accounting, invoicing, or cloud storage services) who act as data processors and comply with UK GDPR
  • Legal or regulatory authorities if required by law

Personal data is not transferred outside the UK unless adequate protection measures are in place and in compliance with UK data protection law.

10. Individual Rights

Under UK GDPR, individuals have the following rights regarding their personal data

  • The right to be informed about how data is used
  • The right of access to their personal data
  • The right to rectification of inaccurate data
  • The right to erasure (“right to be forgotten”)
  • The right to restrict or object to processing
  • The right to data portability
  • The right to lodge a complaint with the Information Commissioner’s Office (ICO)

Requests to exercise these rights should be made in writing to artspace using the contact details:
hello@artspacearttherapy.co.uk

11. Data Breach Procedures

artspace takes all breaches of data security seriously.

  • Any suspected data breach must be reported immediately to a Director
  • All breaches will be investigated promptly and where appropriate, steps will be taken to mitigate risk
  • If a breach is likely to result in a risk to individuals’ rights or freedoms, artspace will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware
  • Where a breach poses a high risk to an individual, that person will be informed without undue delay

12. Roles and Responsibilities

  • The Directors of artspace act as Data Controllers and are responsible for ensuring compliance with this policy and all applicable data protection laws
  • All employees, associates and facilitators are responsible for ensuring that personal data is handled in accordance with this policy and reported promptly if compromised

13. Review and Updates

This policy will be reviewed annually or sooner if significant changes occur in legislation, operational practices, or data processing activities. Updated versions will be communicated to all staff and made available to clients upon request.

14. Contact Details

For all enquiries or requests related to this policy or your personal data please contact:

artspace Data Protection Leads: Sarah Edmonds and Karen Wilson
Email: hello@artspacearttherapy.co.uk

If you believe that your data have not been handled appropriately, you can contact the Information
Commissioner’s Office (ICO) at www.ico.org.uk or by calling 0303 123 1113