The information on this page sets out how we manage the personal information of audiences which is provided to us by organisations participating in Audience Finder.
The Audience Agency (TAA), as custodian of the national Audience Finder dataset, is fully committed to protecting the personal information of the audience members (data subjects) who entrust their data to the arts and cultural organisations (data controllers) that use the Audience Finder service. We consider it our duty to maintain the trust and confidence of every audience member, and every data controlling organisation on whose behalf we provide the Audience Finder service. We will protect and process all personal information in accordance with both the letter and the spirit of the relevant data protection regulations.
TAA processes limited personal information from audience members on behalf of participating, data-controlling organisations who manage that personal information, in order to provide them with analytical services, comprising fully anonymised outputs, which can help those organisations to best plan and evidence their impact and reach, to help them become more sustainable, to provide a better and more relevant cultural offering to the public, and to help ensure that public subsidy may have the greatest impact.
The Audience Agency is a charitable, not-for-profit organisation, registered in England and Wales
(Company Number 811 7915), and Charity Registered (Number 114 9979). In respect of the Audience Finder service, TAA acts as a data processor to provide analytics services to participating datacontrolling arts and cultural organisations. TAA is registered with the Information Commissioner’s Office (Registration Number ZA009719).
Contact details for The Audience Agency:
The Audience Agency
35-47 Bethnal Green Road
London E1 6LA
By phone +44 (020) 7407 4625 or you can contact us via our website www.theaudienceagency.org/contact
If you have any questions regarding how we process personal information, please contact our Data Protection Manager by email firstname.lastname@example.org or by phone +44 (0)20 7260 2505.
2. How we collect personal information
We collect and process personal information, comprising transactional data from ticket purchases made by audience members at participating arts and cultural venues, through regular, automated data extractions from the source ticketing systems used by those venues or organisations.
We also collect and process survey data collected from audience members by participating arts and cultural organisations. Although this data is collected anonymously, some elements of the data have the potential, either in combination or otherwise linked to third party data sources, to render a household or individual identifiable if not appropriately managed. We therefore manage and protect the survey data that we process with due care to ensure that it may not be used in such a way as to render individuals or households identifiable.
3. The types of information that we collect
We only collect and process personal information that is necessary to provide the anonymised statistical analyses that comprise the Audience Finder service.
Information from ticketing transactional data
From arts and cultural organisations that use the Audience Finder service by providing audience data through transactional ticketing data feeds, we extract the following personal information about their audience members:
- Source ticketing system’s customer unique reference number
- Household address
We also collect, store and process details linked to these customer records of ticket purchases for performances or events at the arts and cultural organisations which originally collected the data from their audience members, (the data controllers) and which use the Audience Finder service.
Information from audience surveys
From those arts and cultural organisations that use the Audience Finder service by providing audience survey data, we collect the following data anonymously:
- Sex and/or gender
- Limiting disability
None of these fields in and of themselves constitute personal information as they are collected anonymously. In a very small proportion of cases in the UK a postcode may apply to an individual household, but it is not possible to ascertain which postcodes this applies to without reference to further information sources about the makeup of the postcode. The Audience Finder survey also provides for the collection of email addresses, but TAA does not collect or process that data, which remains with the organisations that collect this data from their audience members or visitors. Even so, TAA takes all reasonable steps in order to provide necessary safeguards to ensure that any of this data that it processes is appropriately safeguarded to protect against the identification of any individuals through the combination of data, or the addition of secondary datasets, as well as ensuring that all outputs of the Audience Finder service are published at a level of detail that does not allow the identification of any individual or household.
4. Why we collect personal information and how we use it
It is in the legitimate interests of arts and cultural organisations to use the personal information that they collect to produce statistical analysis to support their business planning activities and their funding obligations. The Audience Agency therefore acts as a data processor on behalf of those organisations using the Audience Finder service, processing elements of the personal information for which those organisations are responsible as data controllers, in order to provide them with accurate analysis of the size and nature of both their own audiences and those for arts and cultural events in the United Kingdom as a whole.
It is necessary to use some elements of personal information to produce this information, even though the results we present are aggregated and anonymised. For example, to properly understand how many households are attending cultural activities, it is important to be able to identify when the same household books tickets to attend events at two different venues/cultural organisations, so that it can be understood that one household has made two visits, rather than that two households having made one visit each. In order to accurately measure in this way, we use the personal information that we collect from the various participating organisations to link the booking/attendance activity to pseudonymised keys.These are codes that we use to replace and anonymise the booker’s name and address details, and which we protect against the reidentification of any individuals by security measures that we implement. We then use these pseudonymised keys to run the analysis. Once the personal information has been linked to these keys, we no longer retain the name and address, except the postcode. In this way, the individuals whose personal information was used are no longer identifiable, and all analysis and reporting is anonymous.
5. How we handle the personal information we process and data sharing
TAA never uses the personal information that it processes in Audience Finder for the purpose of contacting any individuals. Neither will we ever sell, share, trade or rent any personal information that we process with any third-party organisations without the express instruction of the respective data controller. In order to further avoid certain unnecessary transfer of personal information between cultural organisation in the UK, TAA provides a service, called Show Stats, which enables the sharing of anonymous audience insight between cultural organisations, on the instruction of the respective data controller, in which no personal information is shared or transferred between organisations.
In order to deliver the Audience Finder service, The Audience Agency works with Baker Richards Consulting Limited and Jacobson Consulting Applications, who provide and maintain the technical infrastructure for extracting the ticketing data which drives the Audience Finder service, and therefore have access to the data we process, solely for the purpose of maintaining and supporting the service. The Audience Agency enters into an agreement with anybody who provides a service to it to ensure that they meet its standards for data security, and all obligations under the relevant data protection regulations. TAA will not use the personal information in Audience Finder for anything other than the clearly defined purpose of supporting and maintaining the delivery of the Audience Finder service.
6. How we protect the personal information that we process
The Audience Agency is committed to protecting the personal information that is entrusted to it to process. TAA adopts robust and appropriate technologies and policies, so the personal information it has about the audiences of the organisations that use the Audience Finder service is protected from unauthorised access and improper use.
The personal information of audience members processed by TAA (on behalf of the arts and cultural organisations that they attend, the respective data controlling organisations), in order to provide the Audience Finder service, is stored and processed on computer servers in the European Economic Area (EEA), and no personal information will be stored outside of the EEA. One of TAA’s technical service providers, Jacobson Consulting Applications (JCA), is based in the United States of America and, for the purposes of providing and maintaining the Audience Finder infrastructure, is able to access the servers in the EU where the personal information that is processed for Audience Finder is hosted. Any processing activity involving Jacobson Consulting Applications is carried out securely in accordance with the Standard Contractual Clauses pre-approved by the European Commission to ensure an adequate level of protection for personal data.
TAA only processes the personal information that is absolutely required in order to create a pseudonymised cultural attendance dataset for the purposes of providing the anonymised outputs of the Audience Finder analytics service (i.e. name, address, postcode and customer unique reference number). TAA does not process or store more information than is needed. Once name and address has been matched to pseudonymised keys it is no longer retained and is securely deleted. TAA does retain the customer unique reference number (CURN) assigned to the customer by the source ticketing system of each participating organisation and the customer’s postcode. In these cases, only the respective data controller issuing the CURN in the first place would be capable of identifying the individual to whom it was assigned (which they can in any case do), and the postcode does not personally identify an individual without reference to other information sources about the constitution of the postcode. Nonetheless, TAA protects both of these fields using all reasonable procedural and technical measures to prevent any identification of individuals. .
Personal information transferred by organisations to TAA for use in Audience Finder is protected by encryption. Only appropriately authorised staff members are able to access the personal information and procedural and technical measures are in place, and regularly reviewed, in order to ensure appropriately restricted access.
7. Respecting the rights of audiences
The personal information processed in order to provide the Audience Finder service is never used by TAA for the purpose of contacting individuals. Under the data protection regulations, individuals have a number of other rights, including (but not limited to) the right to access a copy of their data, the right to correction of incorrect data, the right to request deletion of their data, and the right to complain. TAA aims to help audiences easily exercise their rights, and to help the data-controlling organisations fulfil their obligations in respect of those rights.
Subject Access Requests
TAA acts as a data processor on behalf of many arts and cultural organisations (the data controllers) to provide the Audience Finder service, and for this purpose TAA holds a subset of the personal information held by those organisations. The full list of organisations for whom TAA provides this service is here.
Audience members wishing to see a copy of the data an organisation holds, should make their request directly to the organisation giving a description of the information they would like to see. The organisation is then able to disclose to the data subject the relevant, full set of data held about the person in the organisation’s own source ticketing system, together with the information that a sub-set of that data is processed by TAA. If further required, TAA will, upon the instruction of the data controller, provide the organisation with a full copy of the information held on the audience member by TAA for disclosure to the data subject, save that it can only supply information relating directly to that individual, and not relating to any further individuals, without their express consent.
Participating organisations should advise audiences in their privacy notices that a limited subset of their information, including name, address, postcode and customer number, linked to transactional ticketing data is shared with TAA, and that the name and address is liked to an anonymised (pseudonymised) key, but is not retained by TAA, in order to provide those organisations with anonymised analytical information for business planning purposes and, in the case of organisations in receipt of public subsidy from Arts Council England, in order to fulfil their funding obligations.
Requests for deletion
People have the right in certain circumstances to ask for their data to be deleted but it is for the data controller to decide whether to agree to such requests. Organisations may have legitimate reasons to continue to process personal information, for example to comply with legal requirements related to financial auditing of credit/debit card sales, or Gift Aided donations. Most commonly, the effect of preventing further contact, that an audience member might be actually seeking to bring about when making a deletion request, can be served by simply suppressing them from future communications lists. Where this is not the case, the data controller must weigh up its need to retain the data, versus the risk to the rights and freedoms of the individual. In order to enable this, audience members /visitors should contact the arts organisations on whose behalf TAA holds a subset of their data, to provide the Audience Finder service, in order to request deletion of their data in that organisation’s own database. If the organisation agrees to the request, and instructs TAA to do so, then TAA will remove the postcode and render the customer identifier fully anonymous on the instruction of the organisation (data controller).
Requests for correction
People have a right to request correction of inaccurate data processed about them, but it is for the data controller to decide whether to agree to such requests. The impact of the processing of personal information that takes place in Audience Finder upon individuals is negligible, and therefore the correction of any inaccurate data is not likely to have any noticeable impact. TAA provides an analysis service comprising fully anonymised outputs to arts and cultural organisations that is based on the state of accuracy and completeness of the data that is provided at the point of data submission. There is no claim made to complete, dynamic and wholly accurate data, and no negative impact on data subjects accruing from inaccuracies of data recording on the part of the participating venues.
How to complain
People have the right to lodge a complaint with the supervisory authority, if they feel their data is being processed unreasonably or unlawfully. To do so, contact The Information Commissioner’s Office – www.ico.org.uk , or by phone: 0303 123 1113
This notice was updated on 21 February 2022. It may be updated to take into account changes at The Audience Agency or, for example, to reflect changes to regulation or legislation.
Updates to this policy will be posted on this page – please check back from time to time.
Further information on data protection regulations and laws can be found here: