Privacy Notice





Last Updated March 2026


Arts for Health Milton Keynes


Introduction
Arts for Health MK is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the following legislation:
• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018.


Who We Are
Arts for Health MK is a UK-based Creative Health charity. Our primary activities include:
• Managing and curating a hospital-based art collection
• Delivering artist-led participatory arts programmes in community and healthcare settings
• Working with artists, healthcare professionals, volunteers, and participants, of all ages.
• Promoting wellbeing through creativity

For the purposes of data protection law, the Director is the Data Controller.


Collection of Personal Data
We may collect and process the following types of personal data:
a) General Personal Data
• Name
• Address
• Email address
• Telephone number
• Organisation and role (where relevant)

b) Health and Special Category Data
(Only where necessary and with appropriate safeguards)
• Health or wellbeing information related to participation in creative health programmes
• Access needs or reasonable adjustments


c) Artistic and Professional Information
• Artist biographies and CVs
• Images of artworks (any format)
• Copyright ownership details
• Exhibition or loan records
• Commissioning records including archiving for public interest and historical research purposes
• Valuations


d) Monitoring and Evaluation Data
• Feedback forms
• Questionnaires
• Anonymised evaluation data for reporting and funding purposes


e) Website and Digital Data
• IP addresses
• Website usage data (via cookies – see Section 11)


We collect data through:
• Referral forms (including Arts on Prescription referrals)
• Registration and consent forms
• Contracts and agreements with artists and depositors
• Emails, phone calls, and correspondence
• Feedback and evaluation tools
• Our website and social media channels


Lawful Basis for Processing
We process personal data under one or more of the following lawful bases:
Consent – particularly for participatory arts participants and use of images, and display of artworks
Contract – for artists, freelancers, and service providers
Public task – archiving for the public interest and research purposes
Legal obligation – e.g. charity reporting and safeguarding
Legitimate interests – for charity administration and promotion
Vital interests – where health or safety is at risk (rare circumstances)

Special category (health) data is processed under explicit consent and/or for the provision of managing referrals and ensuring participants are directed into the correct course, evaluations and monitoring outcomes.


Use of personal data at Arts for Health MK
We use personal data to carry out our work effectively, safely, and lawfully, and to ensure our programmes and activities meet the needs of participants, artists, partners, and funders. We only use personal data where we have a lawful basis to do so and in line with GDPR legislation.

Personal data may be used for the following purposes:

Deliver Arts on Prescription and other Creative Health programmes
We use personal data to plan, deliver, and manage Arts on Prescription and other Creative Health programmes. This includes understanding participant needs, making reasonable adjustments, communicating about sessions, and ensuring activities are safe, inclusive, and appropriate.

Manage referrals, participation, and evaluation
Personal data is used to receive and process referrals, register participants, and manage attendance. We also use information to evaluate participation and outcomes, helping us to understand impact, improve services, and ensure programmes are effective, as well as provide reports to our funders, where data is usually anonymised. Where reports to funders include personally identifiable information, appropriate written consent will be taken.

Administer and curate the hospital art collection
We use personal data to manage the hospital art collection, including records relating to artists, lenders, depositors, staff, and volunteers. This can include contact details, agreements, provenance records, and information needed for collection management, installation, maintenance, and loans and archival purposes. This information may be shared with the hospital’s estates team, leadership team or other representative. The hospital are the owners of the art collection and have in place a privacy and umbrella consent policy (Caldicott Guidelines; GDPR). The management of the collection is detailed in the Collections Management Policy.

Manage relationships with artists, partners, and funders
Personal data is used to communicate with artists, artists' representatives, depositors, facilitators, partner organisations, commissioners, and funders. This includes managing contracts, agreements, payments, collaboration arrangements, and partnership activity, as well as day-to-day operational communications.

Monitor outcomes and report to funders
We use personal data to monitor outcomes and assess the impact of our work. Reports to funders and commissioners are usually anonymised or aggregated so that individuals cannot be identified. Where identifiable information is required, this will only be used where there is a clear lawful basis and, where necessary, consent.

Promote our work (with consent)
With appropriate consent, we may use personal data such as names, images, quotes, or creative outputs to promote our work. This may include use on our website, social media, reports, exhibitions, or other communications. Individuals can withdraw consent at any time by contacting the Director (director@artsforhealthmk.org.uk) or the Administrator (info@artsforhealthmk.org.uk).

Meet legal, safeguarding, and regulatory requirements
We use personal data to comply with legal obligations, safeguarding duties, and regulatory requirements. This may include maintaining appropriate records, responding to legal or regulatory requests, managing insurance and risk, and protecting the wellbeing and safety of participants, staff, artists, and volunteers. In all cases, we aim to use the minimum amount of personal data necessary for each purpose and to keep it accurate, secure, and up to date.

Sharing Personal Data
We only share personal data where it is necessary, lawful, and appropriate to do so, and always in line with data protection legislation. We never sell personal data to third parties.

Personal data may be shared with the following categories of recipients:


Healthcare professionals or referrers
Where relevant, and with explicit consent, we may share personal information with healthcare professionals, social prescribers, or other referrers involved in the care and support of our participants. This is done to ensure programmes are suitable, safe, and coordinated, and that any specific needs or reasonable adjustments can be understood and met. We may also have formal “data-sharing” agreements in place with third-party providers to improve data sharing and this will include sharing any qualitative and quantitative data collected during the arts programme. Participants will be asked to consent to having their data shared under any data sharing agreement.

Artists and facilitators delivering programmes
We may share relevant personal information with artists, facilitators, or practitioners who deliver our programmes on our behalf. This will typically be limited to what they need to know to deliver sessions safely and effectively, such as names, attendance information, or relevant access or support requirements. All artists and facilitators are required to handle personal data securely and in accordance with our instructions.

Funders and commissioners
We may share information with funders or commissioning bodies for monitoring, reporting, and evaluation purposes. Wherever possible, this information is anonymised or aggregated so individuals cannot be identified. If identifiable information is required, this will only be shared where there is a clear lawful basis and, where required, your consent.

Professional advisors and Researchers
We may share personal data with trusted professional advisors such as accountants, auditors, insurers, or legal advisors where necessary for financial management, compliance, or insurance purposes. These advisors are subject to professional confidentiality obligations and data protection requirements.

In all cases, we only share the minimum amount of personal data necessary, and we take steps to ensure that any third parties we work with handle information securely and lawfully.

Data Sharing in relation to AI
This is an emerging area of concern for the protection of personal data. The charity recognises that any information that is freely available online could be automatically processed by AI systems without explicit consent. AfHMK will be guided by UK Law to meet this challenge going forward. The charity also recognises that some AI tools will be useful in the pursuit of our operations and strategic goals, but that privacy and confidentiality controls must be in place and risk assessed appropriately.

AfHMK contractors, trustees or volunteers must not upload documentation, data, confidential or personal information to ChatGPT or other unsecure AI networks. However, ChatGPT can be used for basic everyday tasks such as research and content generation. Microsoft Copilot is another permitted AI tool, which is secure and can be used. The use of MS Copilot must be carried out in accordance with the terms of any software licences. Contractors, trustees and volunteers should contact the Data Controller in the event of any identified data breaches via AI or if unsure whether use of an AI platform in the normal course of their duties might risk a breach.

Data Security and Storage
We are committed to protecting personal data and take reasonable and appropriate technical and organisational measures to ensure it is kept secure, confidential, and protected against unauthorised access, loss, misuse, or disclosure. Our approach to data security will comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We use a range of measures to safeguard personal data, including:

Secure digital storage
Personal data stored electronically is held on secure systems with appropriate technical protections in place, such as password protection, user authentication, and, where appropriate, encryption. Systems and software are kept up to date to reduce security risks.


Access controls

Access to personal data is restricted to trustees, contractors, artists, or facilitators who need the information to carry out their role. Access is granted on a need-to-know basis and reviewed regularly to ensure it remains appropriate.

Secure storage of paper records
Where personal data is held in paper form, it is stored securely in locked cabinets or rooms with controlled access. Paper records are handled carefully and disposed of securely when no longer required.


Data retention and review
We regularly review the personal data we hold to ensure it remains relevant, accurate, and necessary. Personal data is retained only for as long as needed for the purpose for which it was collected and in accordance with our Data Retention Policy, which reflects legal, regulatory, and funding requirements.

Secure disposal
When personal data is no longer required, it is securely deleted, destroyed, or anonymised in a way that prevents it from being reconstructed or identified.

Despite the measures we take, no system is completely secure. We therefore have procedures in place to manage and respond to personal data breaches, including assessing risk and, where required by law, reporting breaches to the Information Commissioner’s Office (ICO) and affected individuals.

Contractors will take all reasonable steps to ensure data is securely accessed, including sharing of data using password-protected files, adhering to the Caldicott guidelines:
1. The purpose of the data sharing is justified
2. Confidential data is shared only when necessary
3. The minimum amount of confidential data is included
4. Access to data is on a “need-to-know” basis
5. Contractors are fully aware of their responsibilities
6. Comply with the law

Copyright, Artworks, and Intellectual Property
a) Ownership of Artworks
Unless otherwise agreed in writing:
• Copyright in artworks remains with the artist
• Ownership of physical artworks may transfer to Arts for Health MK or a partner organisation through purchase, donation, or commission


b) Use of Images and Reproductions
Consent will be obtained for the use of all artworks in copyright.


We may ask for consent to use images of artworks for purposes including, but not limited to:
• Documentation and collection management
• Marketing
• Education
• Fundraising
• Reports (which may be internal or external i.e. to a funder)
• Websites, social media, and publications

Such use will be:
• Agreed in advance through contracts or license agreements
• Credited appropriately to the artist
• Limited to agreed purposes and durations


c) Participant Artwork
Where participants create artwork as part of programmes:
• Copyright remains with the participant unless otherwise agreed
• We will seek explicit consent before reproducing or sharing images
• Additional care is taken where participants are vulnerable adults


d) Moral Rights
We respect artists’ moral rights, including the right to be identified as the creator and the right to object to derogatory treatment of their work.

10. Your Rights
Under UK GDPR, you have the right to:
• Access your personal data
• Request correction of inaccurate data
• Request erasure of data (where applicable)
• Restrict or object to processing
• Withdraw consent at any time
• Request data portability
• Lodge a complaint with the Information Commissioner’s Office (ICO)
ICO Website: www.ico.org.uk


11. Cookies and Website Use
Our website may use cookies to improve functionality and user experience. You can control or disable cookies through your browser settings.

12. Changes to This Policy
We may update this Privacy Policy from time to time. The latest version will always be available on our website or upon request.


13. Contact Us
If you have any questions about this policy or how we handle your data, please contact:
Data Protection Lead
Arts for Health MK
Facilities Directorate
Milton Keynes University Hospital
Standing Way
Milton Keynes
MK6 5LD
Email: director@artsforhealthmk.org.uk


14. ICO Contact
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Phone: +44 303 123 1113
Fax: +44 1625 524510
Web Form: http://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/
Website: http://ico.org.uk





Arts for Health Milton Keynes is the working name of MK Arts for Health, charity number 1107625, company number 05137693
