DATA PROTECTION POLICY
Starmaker Theatre Company needs to collect, store and process certain information to carry out its day to day operations, to meet its objectives and to comply with legal obligations. The organisation is committed to ensuring any personal data is dealt with in line with the General Data Protection Regulations (GDPR). To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully. The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.
This policy covers members and students, their parents/guardians, volunteers, trustees, patrons who have attended performances on requested information and providers of performing arts services.
In line with the GDPR principles, Starmaker Theatre Company will ensure that personal data will:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.
Starmaker Theatre Company processes the following categories of personal information:
-
Information relating to members of the theatre company for the purpose of managing productions, safeguarding and licensing
-
Information relating to students who attend its classes for the purpose of managing classes and safeguarding
-
Information relating to its trustees and members of the Artistic Development Team for the purpose of running the charity, provision of its services and meeting statutory regulations
-
Information relating to supporters who work with Starmaker on either a paid or voluntary basis to support the provision of its classes and the production of its performances, and its alumni community
-
Information relating to patrons who have attended performances or asked to be kept informed about the activities of the company
Personal information is kept in the following forms:
-
On a secure, cloud-based server
-
On digital and hard copy documents prepared for the purpose of licensing members as performers in accordance with the Child Employment Act or entering them into examinations
-
On digital and hard copy documents prepared for the purpose of ensuring that those running auditions have sufficient information
-
On digital and hard copy attendance registers and emergency contact lists
-
On hard copy documents prepared for the purpose of ensuring that those responsible for the welfare of cast members at the theatre have sufficient information about any health issues that may arise
Groups of people within the organisation who will process personal information are: members of the management committee, heads of schools, and members of production teams.
Under the Data Protection Guardianship Code, overall responsibility for personal data in a not for profit organisation rests with the governing body. In the case of Starmaker Theatre Company this is the Board of Trustees. The governing body delegates tasks to the Data Controller, in this case the Chair of the Board of Trustees. The Data Controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
All those who process personal information must ensure they not only understand but also act in line with this policy and the GDPR principles. Every member of the management committee, and any volunteer or performing arts professional with whom personal data is shared will be required to read and sign this document to signify that they have understood the Data Protection Policy and agreed to adhere to it.
Breach of this policy may result in termination of the contract where a service provider is concerned, and in dismissal from post for a trustee or a member of the management committee. Any unauthorised disclosure of personal data to a third party may result in legal action being taken.
To meet our responsibilities Starmaker will:
-
Ensure any personal data is collected in a fair and lawful way;
-
Explain why it is needed at the start;
-
Ensure that only the minimum amount of information needed is collected and used;
-
Ensure the information used is up to date and accurate;
-
Review the length of time information is held;
-
Ensure it is kept securely;
-
Ensure the rights people have in relation to their personal data can be exercised
We will ensure that:
-
Everyone managing and handling personal information is trained to do so.;
-
Anyone wanting to make enquiries about handling personal information knows what to do;
-
Any disclosure of personal data will be in line with our procedures.
-
Queries about handling personal information will be dealt with swiftly and courteously.
Before personal information is collected, we will consider what is necessary and appropriate, how it is to be stored and managed and what permission is needed:
-
We will inform people whose information is gathered about why we want the data and how it is to be used.
-
We will not use personal sensitive information apart from the exact purpose for which permission was given.
-
We will take measures to ensure that personal information kept is accurate, by checking with the individual or their parent/guardian at least annually.
-
We will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure, by only storing it only in password-protected files.
-
We will delete personal data when we no longer have a reason to hold it.
Anyone whose personal information we process has the right to know:
-
What information we hold and process on them
-
How to gain access to this information
-
How to keep it up to date
-
What we are doing to comply with GDPR.
They also have the right to prevent processing of their personal data in some circumstances and the right to correct or erase information regarded as wrong.
Individuals have a right under the Regulation to access certain personal data being kept about them. Any person wishing to exercise this right should apply by email to admin@starmaker.org.uk. We may require proof of identity before access is granted. The following forms of ID will be accepted: Driving Licence, Passport, Council Tax or Utility Bill. Queries about handling personal information will be dealt with swiftly and politely.
We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days required by the Act from receiving the written request.
This policy will be reviewed at intervals of 3 years to ensure it remains up to date and compliant with the law.