Members get FREE access to Cinema 3. Join today.
Sign up
to emails
Privacy Policy
Institute of Contemporary Arts
Institute of Contemporary Arts

This ‘privacy policy’ explains how we use any personal information we hold about you – and your rights about this.

Defined terms are in bold. They are defined where they are introduced in ‘quotes’.

If you have any queries, please do contact us at privacy@ica.art

About us
‘We’ (‘us’, ‘our’ etc) means the Institute of Contemporary Arts Limited:
• a registered charity No. 236848
• a company incorporated in England and Wales with registration number 00444351 with registered office The Mall, London, SW1Y 5AH, England

The ICA is a registered charity and not-for-profit, presenting a year-round programme of contemporary arts with additional activities to support our vital work.

About you
A – You use our website (currently at www.ica.art)

B – You interact with us another way, for example:
• You email us or contact us using the contact form on our website
• You give us a business card (physically, or supply the equivalent to us electronically)
• You create a user account on our website

C – You apply to work with us, for example:
• Replying to a job advert or invitation to provide services
• Sending us an unsolicited CV

D – You attend or register for an event we are running, including:
• Directly with us or via a third party booking service (e.g. our database, Spektrix)
• An event we are running for someone else and you gave them permission to pass on your details to us

E – We are contracted to work for or with you, including:
• You have contracted us to provide products or services (including purchases such as tickets, art or books)
• You have purchased one of our memberships
• You have funded us to undertake a project
• Someone else has contracted or funded us to work with you, with your agreement
• We and you have a contract between us to together deliver services and/or a project

F – We have been asked to contact you in the course of our work, for example:
• We are working with an organisation that you work with or for, and they directed us to contact you in order for us to undertake our work
You were identified as a stakeholder who may be impacted by a project we are involved in – or as an expert – with whom we should consult

G – We have found out about you in another lawful way, including:
• Information about you is in the public domain, for example on a website, on social media or in published materials
• Your details are shared with the other participants in an event (which we are not involved in running) that we have attended alongside you

H – You have visited the ICA buildings, for example
• You have come to our premises to see an exhibition / film / performance / talk / other public programme event
• You have come to our premises to participate in a workshop / symposium / other public programme event
• You have come to visit our bookshop
• You have come to attend a meeting at our offices
• You have hired a room at our buildings
• You are attending an event at our buildings run by somebody else

Please note that our in-house restaurant and bar, Rochelle Canteen, is run by a third party, Arnold & Henderson. When you make a booking with Rochelle Canteen, sign up to receive the restaurant’s e-newsletter or engage with them on social media, your personal data is being held and used by Arnold & Henderson. The ICA does not process your data in this case. The Canteen use ResyOS for their reservations system (resy.com/privacy)

I – You have made a donation to the ICA, for example
• You have donated to one of our charity appeals
• You have donated on our website when purchasing a ticket online or in person
• You have donated by joining one of our individual giving circles such as a Friend or member of the Directors’ Circle

Data protection and privacy laws – your rights and our obligations
We are bound by ‘data protection and privacy laws’ by which we mean the Data Protection Act 1998, General Data Protection Regulations (GDPR), Privacy and Electronic Communications Regulations (PECR) and any later legislation enacting, re-enacting, amending or consolidating this these regulations.

We are the ‘data controller’ of information about you (as this term is defined in data protection and privacy laws). This means we are responsible for deciding how that information is processed and for what purposes.

Under data protection and privacy lawswe are responsible for information about you being processed lawfully, fairly and responsibly – and to keep records of how we are doing that.

What’s covered in the rest of this privacy policy are the other things we have to make sure you are aware of under these laws:
• What information we are processing about you, for what purpose and under what legal basis
• How long we keep it
• How you can control what marketing communications, if any, you receive from us
• The situations under which we disclose information about you
• Where information about you is processed and by whom
• Information about cookies your devices may receive when they use on our website
• Your rights under data protection and privacy laws

Processing information about you – purpose and legal basis
In A – You use our website:

The purpose of us holding data about you is:
• To manage, maintain and improve our website for you and others to use
• To personalise and otherwise improve your experience of our website

What data we may collect and process about you:
• Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access
• Information about your computer, including but not limited to where available your IP address, operating system and browser type

We process this data under the legitimate interests of:
• Ourselves to promote our business and areas of interest
• Others to receive better information and support through our website

In B – You interact with us another way:

The purpose of us holding data about you is:
• To respond to your interaction with us
• To keep a proper record of communications we receive and make as a business

What data we may collect and process about you:
• Any contact details you provide to us including your email address and social media identities
• Any other information you have provided to us
• Any information about you which is available publicly

Where you are enquiring about us providing services to youwe process information about you on the legal basis of us responding to you prior to us entering into a contract with you.

Where it is more general communication or interaction, we process information about you to fulfil our legitimate interests to promote our services and areas of interest and be knowledgeable about professionals working in our areas of interest.

Also, see the marketing communications section below.

In C – You apply to work with us:

The purpose of us holding data about you is:
• To give you the chance to be considered for current and future opportunities
• To comply with relevant employment, equal opportunities and visa regulations

What data we may collect and process about you:
• Anything you provide us, including your CV, covering letter
• References we take up, notes from interviews, email correspondence
• Any information about you which is available publicly

We process and keep what information we need to in order to comply the regulations above, under the legal obligation basis.

Other information about you we will keep under our legitimate interest to ensure that we are up to date and knowledgeable about professionals and private individuals working in our areas of interest.

In D – You attend or register for an event:

The purpose of us holding data about you is:
• To give you information about the event before and afterwards
• To improve our events for you and others

What data we may collect and process about you:
• Any contact details you provide to us
• Any other information you have provided to us (e.g. dietary requirements, purpose of attending)
• Which events (our events, or events where we are a partner) you have been invited to, registered for or attended
• Any information about you which is available publicly

We process information about you in order to fulfil our obligations to you under our contract to provide the event to you – or where this isn’t the case under the legitimate interests of ourselves, any other event organisers and of the other attendees to provide a quality event.

We may use your feedback, comments and questions in other events or marketing but never in such a way that you or your organisation could be identified unless we have your permission first.

Also, see the marketing communications section below.

In E – We are contracted to work for or with you:

This section E applies to information and situations which are not already covered by a contract between us and you. Where there is such a contract, the provisions relating to data protection and privacy in that contract take precedence.

The purpose of us holding data about you is:
• To do the work or provide the products or services we are contracted to do
• To report on the work we are contracted to do to the organisation funding the work

What data we may collect and process about you:
• Any contact details you provide to us
• Any other information you have provided to us
• Any information produced while working with you (project meeting notes, survey responses, emails or similar)
• Any information that is available about you publicly

We process information about you – and about others whose data you have shared with us – in order to fulfil our contractual obligations to you.

Financial information – including payment information, direct debit information, invoices and correspondence about finance – we keep in order to comply with our legal obligation to maintain proper accounting and tax records.

Also, see the marketing communications section below.

In F – We have been asked to contact you in the course of our work:

The purpose of us holding data about you is:
• To contact you at the request of our partners or clients to enable us to complete the work we have been asked to do
• To ensure you have been given the chance to express your opinion on a project if you are likely to be impacted – or likely to have an opinion you would like to be considered

This does not include sending you marketing communications but may include one of us contacting you to see if you would be willing to respond.

What data we may collect and process about you:
• Any contact details or other information our partners or clients, or you, provide to us about you
• Information you provide to us in the course of interacting with us
• Any information about you which is available publicly

We process information about you in this case under the legitimate interests of ourselves to behave in a thorough and professional way and of our clients or partners to ensure that they take into consideration stakeholder and expert views.

Also, see the marketing communications section below.

In G – We have found out about you in another lawful way:

The purpose of us holding data about you is to identify people and organisations who:
• Are leaders in their field, undertaking interesting work
• Could potentially be a partner, sponsor or funder on a project we are developing or delivering
• Could potentially be interested in supporting our charitable mission
• Have responsibility in areas of expertise that overlap with our interests
• Could potentially be interested in our products, services or events

What data we may collect and process about you:
• Any information about you which is available publicly
• Notes of opinions you express, information you present or questions that you ask in meetings or events

We process information about you under our legitimate interest to ensure that we are up to date and knowledgeable about professionals and private individuals working in our areas of interest.

Also, see the marketing communications and the supporter research and analysis section below.

In H – You have visited our buildings:

The purpose of us holding data about you is to:
• Manage your and others’ safety and security
• Protect our buildings and assets and your possessions
• Maintain and archive the use of our spaces including events in them
• Promote the ICA overall and our spaces, activities and events

What data we may collect and process about you:
• We use CCTV to monitor the building. CCTV footage (which may include images of you) may be shared with the police and/or local authorities. Unless it is required by the police and/or local authorities for their investigations, CCTV footage is deleted after 30 days.
• We reserve the right to take photographs, film or take audio recordings in our public spaces and at events. You should notify staff if you do not wish to be photographed, filmed or recorded.

This processing is based on our and other visitors’ legitimate interests – and our legal obligations to comply with Health & Safety regulations and to provide information to the police and/or local authorities to enable them to investigate crime and enforce the law.

In I – You have made a donation to us:

The purpose of us holding data about you is to:
• Properly record and manage the donation you have given to us
• Claim gift aid on your donation to us when you have instructed us to do so
• Keep records of your support of us

Also, see the marketing communications and the supporter research and analysis section below.

Marketing communications
We will contact you with marketing communications by email – or occasionally by post or by phone. These could be:
• The latest information about our year-round contemporary arts programme – exhibitions, film, live, talks, books, artists editions and learning – including how you can engage and enjoy, often this will include booking or special access details e.g. Red Members previews
• Information about products, services and events that we are involved in providing or selling – like free events, ticketed programme, memberships
Our emails which contain information intended to be of interest to you including – notifications about our programme, information about our programme and artists / partners / collaborators, opportunities with usour products, special offers and the work of the ICA.

In the cases where:

• EITHER we have provided services to you – including ticketed programme and hires – or you have enquired about us doing this

• OR you are a professional who has (A/B) interacted with us or (F) whose details we have obtained lawfully (By ‘professional’we mean someone who owns or is working for an organisation and not using a generic email provider often associated with personal activities, such as Gmail, Hotmail, Yahoo, etc.)

We will normally sign you up to email marketing communications. In the case of our programme bookers – free and ticketed – you will be given the option to set your email contact preferences at the point of booking at www.ica.art/login – which you can update anytime, or you can opt out from the start and at any point thereafter. For professionals, on receiving any email communications from usyou can opt out at any point thereafter.

While you are opted in to receive marketing communications, we will store records of what emails we have sent you and phone calls we have made and how you have engaged with them. If you opt out, we will store only enough to ensure that we do not contact you against your wishes.

If you are a professionalwe will send you marketing communications by email under our legitimate interests to promote our services and in the wider public and economic benefit of supporting our charitable mission as a not-for-profit contemporary arts organisation carrying out vital work. If the email address we’re using is clearly associated with you as an individual, you have the right to object to us using it for direct marketing and/or provide your professional email contacts.

We may – on occasion – as a professional, phone you to promote the service, under our legitimate interests to promote our services and in the wider public and economic benefit of supporting innovation. You have the right to object to such calls. We will not contact you again for that purpose if you have objected.

If you are a ‘private individual’ (that is, not a professional by our definition above), we will send marketing communications to you by email where we have your consent. You have the right to withdraw this consent at any time.

If we are mistakenly treating you as a professional, but in fact you don’t have a role in a relevant organisation – let us know and we will ensure we have your consent for any marketing communications.

If you wish to not receive marketing communications by email at any point, please use the unsubscribe feature in any marketing email you receive from us. If your details change or if you no longer wish to receive marketing communications – or if you want to change how we may contact you – please contact us at privacy@ica.art

Supporter research and analysis
We would like to meet with or deepen our connection with individuals and organisations who might have an interest in our work.

We are committed to nurturing collaborative relationships with donors, influencers, prospective donors, corporate supporters and others so that together we can grow and sustain the ICA’s vital work now and for generations to come.

We may use the information you provide us in combination with publicly available information to help us find and connect with people with a passion for contemporary arts and culture, and the interest and capacity to support us in new ways, if we consider it within our legitimate interests to do so.

We will use information that is already in the public domain (information that has been published in print or online) for the purpose of identifying individuals who may be interested in supporting our work with a major gift. These publicly available sources of information include (but are not limited to) Companies House, the electoral register, the phone book, the Charity Commission’s Register of Charities, Who’s Who, social media channels namely LinkedIn, company annual reports and articles in newspapers and magazines.

We do not use publicly available sources which we consider would be intrusive for this purpose. We may also carry out research to identify existing supporters who may be able to join our major donor programme. This is based both on publicly available information as well as information given to us directly by youour supporters.

We may use profiling and database segmentation techniques to analyse your personal information and create a profile of your interests, preferences and ability to donate. This allows us to ensure communications are relevant and timely, to provide an improved experience for our supporters. It also helps us understand our supporters, so that we can make appropriate requests to those who may be willing and able to donate more than you already do or leave a gift in your will. This enables us to raise funds in the most cost-effective and least intrusive way.

Under data protection legislation, you have the right to object to your data being processed in this way. If you wish to ask not to be identified as a potential donor or to review or amend your personal data, please contact our Data Protection Officer at privacy@ica.art

Please be aware that Charity Commission rules require us to be assured of the provenance of funds and any conditions attached to them, and we are legally required to carry out checks on individuals who give us large donations to prevent money laundering and protect against fraud. To meet these legal obligations, we follow a due diligence process which involves researching the financial soundness, credibility, reputation and ethical principles of donors who have made, or are likely to make, a significant donation to the ICA. This is in accordance with our Grants and Donations Policy, which is available on request by emailing privacy@ica.art.

Disclosure of your information
We will never sell your data to third parties.

We will only disclose any of your personal information to any third party where we are under a duty to do so in order to comply with any legal obligation, or in order to enforce or protect any of our rights, property or safety (or those of our customers).

We will share your data with Her Majesty’s Revenue and Customs (HMRC) to meet our legal obligations regarding Gift Aid where you give us permission.

If we need to transfer your personal information to countries which do not provide the same level of data protection as the UK, we will put a contract in place to ensure that your information is adequately protected.

When you give us information about another individual for business purposes, you do so on the basis that the other individual has agreed and has consented to the processing of his or her personal data and to the transfer of his or her information abroad and to your receiving on his or her behalf any data protection notices.

Where our business or assets are acquired by, merged with or otherwise transferred to a new organisation (for example, because of corporate restructuring), you agree to share your personal data with that organisation. In this situation, they would have to inform you of this – they would have the same rights and obligations as we had under this privacy policy, and you would have the same rights as well (for example, to object or withdraw your consent).

Where we will store your data
We will only disclose your personal information to third parties who provide services to us, as clearly listed below.

When we do so they are required to act in accordance with our instructions and this privacy policy, to keep your personal information secure and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.

The information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers:
• our Customer Relationship Management (CRM) and ticketing system, Spektrix which connects to WolrdPay to process transactions
• our marketing email provider, Dot.Digital or Mailchimp, which has its own privacy policy (see section 16 which details how transfers of data to the US are covered by the US-EU Privacy Shield)
• our membership and donations payment system for transactions post April 2020, Stripe
• our membership direct debit system for members who joined pre April 2019, Rapidata
• our payment system, SagePay
• our event management system Artifax
• our staff HR system, BrightHR
• our web hosting sub-processor, Amazon Web Services (although our actual hosting with them is based in the EU in Ireland)
• our payment terminal by Barclaycard for PDQ
• our e-commerce – Bookstore, ICA Artist Editions’ and merchandise – also use, Shopify and Paypal
• our pension scheme administrator, The People’s Pension
• our payroll provider Paycloud, the ICA’s payroll service provider, to pay staff
• our staff only office software and systems, namely Microsoft Office 365 and Mimecast for email and website usage, and BLKSMS for emergency text
• our criminal record checks, Disclosure and Barring Service (DBS), with UKCRBS
• our visa and immigration processes and checks including sponsorship for staff, artists and suppliers alike, UK Visas & Immigration
• our anonymised audience research, Audience Agency’s Audience Finder tool on behalf of Arts Council England

By providing personal data to usyou agree to this transfer, storing or processing. We will take all steps necessary to ensure that your data is treated securely and in accordance with this privacy policy.

All information you provide to us is stored on our secure servers. Unfortunately, the transmission of information via the Internet (including via email) is not completely secure.

Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us – any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Cookies
Cookies are text files placed on your computer by a website when you use it to collect standard Internet log information and information about the behaviour of visitors to that website. They are also often used by many websites when you are logged into them to remember as you move between pages what you are in the middle of doing (e.g. shopping baskets, or what you were looking at).

For further information on cookies, visit www.aboutcookies.org or www.allaboutcookies.org

We will use the information we collect as a result of you accepting a cookie from our site to track your use of the site and to compile reports on the use of the site overall by all visitors. You can set up your browser not to accept cookies – and the websites above tell you how to remove cookies from your browser.

How long we keep your information
We will keep financial information – including invoices, donations, payment details, direct debit details, gift aid documents and email correspondence relating to finance – for as long as we are obliged to by law, which is currently for 6 years after the end of the financial period in which they fall.

We will keep project documentation – including meeting notes, identifiable opinions, photos and email correspondence relating to project – for 10 years after the completion of the project.

We will keep online account personal information – relating to ticket sales or other purchases for up to 3 years since we last had active contact with you.

We will keep contact details – including name, email, phone number, address, social media handles – for 3 years after we last had active contact with you.

We will keep recruitment information – such as your CV and email correspondence around recruitment – for up to 1 year after an unsuccessful application, except as required by our visa sponsor license where we will keep this information for as long as we are obliged to by law, which is currently one year from the date we end our sponsorship of a sponsored migrant or until a Home Office compliance officer has examined and approved them, whichever is the shorter.

We will keep research information – such as your survey responses, interview notes and email correspondence around research – in an identifiable form for 3 years after the end of the project and in an anonymous or aggregated form from that point on.

We will keep technical information – such as IP address, usage of the website partners, device and country – for up to 1 year in an identifiable form and anonymously or aggregated from that point on.

Your rights
In addition to your rights about marketing communications above, under data protection and privacy laws you have various rights.

You have the right to request a copy of the information that we hold about you. In that case, please send a copy of your ID (passport or driving licence) to us at privacy@ica.art, with ‘subject access request’ in the subject line of the email.

We want to make sure that the information we hold about you is accurate and up to date. You have the right to ask us to correct, complete or remove information you think is inaccurate or incomplete. In that case please send a copy of your ID (if b haven’t got it already) to us at privacy@ica.art, with details of what amends you propose and evidence that these are accurate – and ‘personal data rectification’ in the subject line of the email.

In certain circumstances you may have the right to ask us to delete information we hold about you, or suspend or restrict its processing or object to its processing. In these cases, please contact us at privacy@ica.art explaining what you want us to do – and why.

You may have the right to request information about you in a portable format. This applies only to data you have provided us which we process in automated systems either with your consent or in order to fulfil our responsibilities under a contract with you.

We will do everything we reasonably can to ensure that you are satisfied with the way we have responded to you about your personal data and privacy. So, please do tell us if you are not so we can rectify any outstanding issues. If you are still not satisfied, you have the right to complain to the Information Commissioner’s Office (ICO) – see https://ico.org.uk/concerns/handling/.

Changes to this privacy policy
We keep this privacy policy under regular review and will put any updates to it on this site. This privacy policy was last updated on 30 April 2020.

We will notify you of any changes to this privacy policyYou can check this privacy policy at this page at any time – and we recommend that you review it regularly.

Contact
Get in touch with us if you have any questions about any aspect of this privacy policy, and in particular if you would like to object to us processing any of your personal information with legitimate interest.

Contact us if you have any questions about the information we hold about you, or to change your contact preferences with us.

Data Protection Officer
privacy@ica.art
Institute of Contemporary Arts (ICA), The Mall, London, SW1Y 5AH, England