Data Protection and Privacy Policy

What we do
In Place of War is a Community Interest Company working in post conflict areas, in education, cultural spaces, research and production, always focused on creativity and social change.

In preparation to comply with the GDPR, In Place of War (IPOW) is currently reviewing our data processing activities and our data security arrangements. Once the review has been completed a Data Protection Impact Assessment and a Risk Assessment (DIPA) will take place, which will detail any further measures that will need to be put in place to address any identified risks, including security, to demonstrate that IPOW comply.

Information we collect and how we store it
When you sign up to our mailing list, the only data we collect is your email address, and name, which is held securely via Mail Chimp account, who also comply with GDPR.

Project Beneficiaries
We collect information relating to individuals who engage with us on our projects, this includes

  • Your name and address
  • Your phone number
  • Your gender identity
  • Your ethnicity
  • Any access requirements you may have
  • An emergency contact
  • Your employment status
  • Your educational attainment
  • Your baseline knowledge relating to the project you are engaging with

This data is held securely, on a password-protected drive, and is only accessed by the IPOW. We will be working towards our own servers in due course that will be held in the UK and securely protected.

Data Retention
We will contact you to ask if you wish for your details to be removed from our database, at the end of the project or programme, with the exception of funded projects where there is a contractual obligation to maintain the records of beneficiaries for audit or evaluation. This data will not be held for any other purposes. The project timeframe may vary according to funders specific needs, but we will work on the HMRC standard of 6 years + 1 current year.

Data Controller
The Data Controller is Ruth Daniel – CEO and Artistic Director of IPOW –

Data Processing
IPOW (the Data Controller) acts only on instructions from the Data Subjects (individuals) and/or partners who provide us with data in relation to a requested service or a contract.

Where appropriate, if IPOW acts as Data Processor as part of our contract with our partners, as a vital term of our Service Level Agreement, we comply with the partners’ instructions in relation to the processing of Personal Data
Data Sharing
In Place of War shares data only with funders that relate direct to project activities, and does not share data with third parties for any other purpose. Consent will be sought for publications, use of image and any other sensitive data that could cause harm or impact on individual’s rights or freedoms. Working in the contexts that we do, we are highly aware of the risks posed for many work, train and collaborate with us.

Subject Access Requests
IPOW will adhere to the following rights to individuals in respect of the personal data that organisations hold about them.
A right to be informed about the collection and use of their personal data, purposes for processing, retention periods, and who it will be shared with. This would be covered under ‘privacy notice’ and/or ‘privacy policy’

  • A right of access to a copy of the information comprised in their personal data;
  • A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed;
  • A right to object to processing that is likely to cause or is causing damage or distress;
  • A right to data portability in readable format
  • A right to amend their consent/prevent processing for direct marketing;
  • A right to be excluded to an automated decision making including profiling
  • A right to claim compensation for damages caused by a breach of the Act.

For More information please refer to ICO website: the-general-data-protection-regulation-gdpr/individual-rights/

All subject access requests (SAR) must be made in writing, these usually be free of charge.
In Place Of War reserves the right to charge for SARs in some circumstances, which can be clarified via Data Controller.

Data Breaches

GDPR states that it is mandatory to report a personal data breach if it’s likely to result in a risk to people’s rights and freedoms within 72 hours of discovery. If it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, the breach does not need to be reported.
In Place of War will evaluate all data breaches once they have been discovered, and will maintain a record of all discovered data breaches whether notified to the ICO or not. As best practice, we will report data breaches to our affected stakeholders. We will report data breaches to the ICO depending on the risk it poses to people involved.

In Place of War understand how to recognise a personal data breach and our staff know how to escalate a security incident to the appropriate person or team at IPOW to determine whether a breach has occurred.

The right to compensation and liabilities will be in accordance to Art 82 of the General Data
Protection Regulation (GDPR) for any data breaches that are due to an In Place of War error alone.