The Royal Academy of Music respects your privacy and is committed to protecting your personal data
This privacy notice sets out how the Academy processes the personal data of supporters and friends of the Academy including donors, alumni, ticket buyers, and corporate contacts. This privacy notice should be read in conjunction with any other privacy or fair processing notices we may provide on specific occasions when we are collecting or processing personal data about you, so that you are aware how and why we are using your data. We want to be as transparent as possible in the way in which we use your information, so that you can be comfortable in providing the information to us and clear on why we need certain information.
Contact details
Royal Academy of Music
Marylebone Road
London
NW1 5HT
Data protection registration number: Z4819206
Data Protection Officer: dpo@ram.ac.uk
Changes to the privacy notice and your duty to inform us of changes
This privacy notice may be updated from time to time; where necessary and possible, we will notify you of any changes, via the Academy website or by contacting you directly.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes.
The data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you. We have grouped these different kinds of personal data together as follows:
Includes first name, maiden name, last name, username, stage name or similar identifier, gender, birth date or relationship to other Academy friends and supporters.
Includes home address, correspondence address, business address, social media accounts, personal websites, email addresses, telephone numbers and contact preferences.
Includes alumni documentation, passports and photos.
Includes briefing profiles, due diligence reports, financial information, wealth estimations, our assessment of your potential to support the Academy, network connections and memberships.
Includes Academy interactions and connections, Academy memories and case studies, family and social circumstances, education and biographical information (such as marital status and family/partner/spousal details), professional activities and employment, competitions and prizes, Academy supporter participation (including attendance at events), contact details and communication preferences, interests and volunteering.
The Charity Commission requires us to “Know Your Donor.” This means we must carry out due diligence work if gifts exceed a certain threshold. This is to ensure we comply with anti-money laundering regulations and to safeguard our reputation; both are core requirements of our regulator. This could include us receiving information about any criminal convictions. Such data would be stored securely and would only be available to those who needed to see it.
Includes event booking history, digital communication history such as website clicks and email opens, philanthropic history such as giving, fundraising requests and engagement, postal communication history and volunteering hours.
Includes bank account and/or payment card details and details of transactions with the Academy, such as concert ticket purchases, donations of gifts, actual giving history and potential future gifts and HMRC Gift Aid scheme status.
We may share your data with:
- Third parties that process data on behalf of the Academy to support it in fulfilling its obligations and responsibilities to, and relationship with, you (eg software and system providers) including Dotdigital, etc.
- Third parties who award financial scholarships.
- Personal data relevant to the American Society of the Royal Academy of Music may be transferred between the UK and the USA. Please contact us if you would like to see a copy of the Data Sharing Agreement.
How we collect data
We use different methods to collect data from and about you:
Digital Systems, including website visits, payments and donations, data collection forms, event bookings, survey submissions, social media interactions (including information you may have publicly shared on social media sites like LinkedIn, Facebook, Twitter and Instagram – depending on your privacy settings), and email interactions.
Analogue Systems, including data collection forms, gift forms, received letters, phone calls and in-person visits to the Academy.
Third Party/ Appending, including Royal Mail National Change of Address Register (NSOA), Fundraising Regulator – Fundraising Preference Service (FPS), referrals from supporters of the Academy, public domain website research, subscribed research (including wealth screening) and due diligence tools. We may also collect data from third party organisations involved in the services provided by the Academy that have obtained the information in the first instance, for example mailing houses completing data cleanse checks before mailing distribution.
Hosting, including Box Office services for cultural touring companies.
Sensitive Personal Data/ Special Category Data, obtained directly from you or through direct relationships. We collect this information if, for example, you have a disability and need us to provide suitable access arrangements when you visit, or if you have specific dietary requirements if you attend a function.
In the case of individuals whose personal data is acquired for the first time by the Academy from a third-party source, we will inform you of the collection and our purpose of processing within one month prior to starting the cultivation process, unless this involves a disproportionate effort or seriously impairs the objectives of the processing.
How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- For our legitimate interest where your interests and fundamental rights do not override those interests.
- Where you have given consent for your information to be used, based on preferences you have communicated to us.
- Where we need to comply with a legal or regulatory obligation.
See below to find out more about which lawful basis we will rely on to process your personal data in different ways. We rely on legitimate interest in the first instance for the purpose of using the personal data of friends, donors, alumni and ticket buyers. Data subjects are provided with regular opportunities to update both their contact preferences and the consent given under which the Academy is permitted to use their data.
We have set out below a description of the main ways we plan to use your personal data, and which legal bases we rely on to do so. We have also identified what our legitimate interest is, where appropriate.
1. Marketing for concerts
Type of data:
- Identity
- Contact
- Contextual
Lawful basis for processing:
- Legitimate interest
- Consent
2. Fundraising and Alumni / Supporter Relations
Type of data:
- Identity
- Contact
- Contextual
Lawful basis for processing:
- Legitimate interest
- Consent
3. Administration (eg contact about an event you’ve registered for)
Type of data:
- Identity
- Contact
- Contextual
Lawful basis for processing:
- Legitimate interest
- Contractual obligation
- Legal obligation
4. Screening in order to identify donors
Type of data:
- Identity
- Contact
- Contextual
Lawful basis for processing:
- Legitimate interest
5. Security
Type of data:
- Image/CCTV footage
Lawful basis for processing:
- Legitimate interest
6. To capture your image in video footage or photographs for the purpose of promoting the Academy
Type of data:
- Identity (photographic image)
Lawful basis for processing:
- Legitimate interest
- Consent
7. To meet the audit requirement of funding providers
Type of data:
- Identity
- Contact
- Identity evidence
- Financial
- Special category
Lawful basis for processing:
- Contractual obligation
- Legal obligation
- Public task
8. To maintain an archive for historical record
Type of data:
- Basic studentship
Lawful basis for processing:
- Legitimate interest
Public task
Change of Purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to obtain an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Disclosures of your personal data
We may have to share your personal data with the parties set out below for the purposes set out in the sections above.
We require all third parties who receive personal data from us to respect the security of your personal data and to treat it in accordance with the law. We ensure there is a liability clause in all contracts with our third-party partners. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
International transfers
Where necessary service providers are based outside of the UK and EU, we may transfer limited data to approved contractors, in accordance with the conditions and legal obligations described above. Whenever any international transfers are made, we ensure we have the appropriate safeguards in place to protect your personal data.
Data Security
We have in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instruction and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We have benchmarks regarding the adequacy of our data systems and the suppliers that are in place, and where applicable data privacy impact assessments have been conducted.
Data retention - how long will you use my personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes.
Please refer to our Data Retention Policy for more information on the specific retention of your data.
In some circumstances you can ask us to delete your data: see Request Erasure below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Your legal rights
You have the right to see your data, subject to the redaction from it of any data which also identifies another data subject.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We aim to offer supporters of the Academy a superior experience when they fund the future of music through our programmes. Donors and prospective donors can opt out of communications from the Academy at any time. If donors and prospective donors have any queries, wish to update the information held on them, or do not wish to be contacted by the Academy, please contact philanthropy@ram.ac.uk. We will, however, need to keep a skeleton record to ensure that this data is not used for further processing.
Alternatively, there is the option to opt out through the Fundraising Regulator, using the Fundraising Preference Service. The Academy will be notified of this and we will update our systems accordingly.
The Royal Academy of Music is committed to treating its donors with care and consideration. This section specifically relates to personal data processed by the Philanthropy and Communications, Marketing and Audiences departments in their work to build a more vibrant, engaged community.
The Philanthropy department has responsibility for fundraising and charitable giving to the Academy.
If you have a complaint regarding fundraising activities, please download this document, which outlines the process.
Glossary
Legal basis
Legitimate interest means the Academy’s interest in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interest. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interest against any potential impact on you in respect of specific activities by contacting us: dpo@ram.ac.uk
Performance of contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for a compliance with a legal or regulatory obligation that we are subject to.
For the purposes of a public task means that, to the extent that the Academy is a public body, we are required by statute or other legal obligation to carry out certain types of processing.
External third parties
These are:
- Service providers acting as processors based in the EU who provide IT and system administration services.
- Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the UK who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
- Other external service providers.
Action you can take
If you wish to exercise any of the rights set out below, please contact us on dpo@ram.ac.uk.
You have the right to:
Commonly known as a 'data subject access request'. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. An example would be a requirement to keep some data for audit purposes.
Where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground, as you feel it impacts on your fundamental rights and freedoms, you can object to this processing. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Where we are relying on consent to process your personal data you can withdraw your consent. However, this will not affect the lawfulness of any processing carried out before you withdrew your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Complaints
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to address your concerns before you approach the ICO, so please contact our Data Protection Officer to raise any concerns in the first instance: dpo@ram.ac.uk.