DATA PROTECTION AND PRIVACY POLICY
Imaginari Theatre CIC takes its responsibilities with regard to General Data Protection Regulation (GDPR) very seriously. This policy sets out how it manages those responsibilities.
Imaginari Theatre obtains, uses, stores and otherwise processes personal data relating to its staff, pupils and their families participating in its puppetry programmes, school and teacher information, and supporters and donors. These are collectively known as data subjects. When processing personal data, the Imaginari Theatre must fulfil individuals’ reasonable expectations of privacy by complying with GDPR and other relevant data protection legislation (data protection law).
This policy applies to all personal data processed by Imaginari Theatre across the locations where personal data are stored and across data subjects. All those processing personal data on behalf of Imaginari Theatre must read and comply with this policy.
For any questions about our privacy policy or the use of information, please contact info@imaginari.org
DATA PROTECTION PRINCIPLES
When processing personal data, the Imaginari Theatre is guided by the following principles, which are set out in the GDPR. Imaginari Theatre is responsible for and must be able to demonstrate compliance with these principles, which require personal data to be:
1. Processed lawfully, fairly and transparently in relation to individuals.
2. Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
4. Accurate and, where necessary, kept up to date.
5. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed.
6. Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage.
This policy sets out how Imaginari Theatre operates in a way that complies with these principles.
ROLES AND RESPONSIBILITIES
​
Imaginari Theatre is the Data Controller for the purposes of GDPR and the company’s associate director is the designated Data Protection Officer with operational responsibility for ensuring Imaginari Theatre is compliant with data protection legislation. Individual project leaders are data processors and must read this policy and undertake to understand and fulfil their responsibilities.
Where the Imaginari Theatre uses third-party organisations to process data on its behalf (e.g. Google, Hubspot, or Donorbox), Imaginari Theatre will undertake due diligence to ensure its suppliers also have adequate data protection policies and procedures in place.
WHAT DATA IS COLLECTED AND WHY
​
Imaginari Theatre collects the names, email addresses, workplace addresses and other necessary contact details such as telephone numbers in relation to schools, individuals and other organisations participating in its puppetry programmes and shows. It also collects supporters' and donors' names, email addresses, home addresses, and other contact details. This information is used to be able to carry out its projects successfully and to communicate with those interested in its work.
This data is collected based on individuals’ consent to share their information with the CIC. Imaginari Theatre’s privacy notice and data collection forms (such as the photo consent form and mailing list sign-up form) clearly state the purposes for which the information will be used, give people an opt-in to join the Imaginari Theatre mailing list, and a way to withdraw their consent in the future should they wish to do so. A parent or guardian gives consent on behalf of children under 13.
For the purpose of managing an employee’s PAYE and other taxation affairs the information collected will additionally contain details, as required by HM Revenue & Customs, of: the person’s National Insurance Number, taxation codes, salary/wages, benefits, taxation deductions & payments and such other information as may be required by HM Revenue & Customs.
Imaginari Theatre will not share its personal data with any third party unless they are processing data on the CIC’s behalf or if there is a safeguarding reason to do so.
DATA SECURITY
​
Where Imaginari Theatre collects personal data via paper forms, these are stored by the associate director in a locked desk or cupboard. When no longer needed, they are shredded and disposed of. Project leaders & facilitators who may be collecting paper forms must be mindful to keep them secure in transit until they can be given for safekeeping to the associate director.
Electronic personal data should be password-protected and stored on encrypted computers or portable devices only. Personal devices (e.g. an individual’s smartphone) should not be used to capture and store personal data – only work devices can be utilised for this purpose.
Data should be stored and backed up to cloud servers as much as is practicable. Imaginari Theatre also ensures it has adequate virus protection on its systems and devices to reduce the risk of malware and hacking.
PHOTOGRAPHY AND VIDEO
Parental/guardian consent for photography or video recording of any child or young person is obtained through enrolment forms. If this consent is not given, those individual children and young people will not be included in any filming or photography. If this consent is given and later removed, Imaginari Theatre will make its best endeavours to remove photography or footage, including that child or young person.
Photographs or videos of children and young people will be stored in a designated folder accessible only by Imaginari Theatre staff and managed in line with our data protection and privacy policies.
Any camera owned by Imaginari Theatre and used by staff for photographing children and young people engaged in an Imaginari Theatre’s activity must have its memory wiped once content has been transferred to the designated Imaginari Theatre’s folder.
Imaginari Theatre will ensure that any professional photographers or video-makers contracted by Imaginari Theatre to make photos/videos of children under the age of 18 and vulnerable adults have an Enhanced Disclosure and Barring Service (DBS) check which is dated within the last 3 years, inclusive of their period of engagement.
Imaginari Theatre will announce at all performances and showcases by children or young people that “Video and photography are not permitted during the performance”. In the case of school performances and presentations by children and young people, and where in line with Child Protection guidelines, Imaginari Theatre will always announce that “Parents are allowed to take pictures, but those must be used for personal purposes only and not shared on social media channels.”
DATA STORAGE LIMITS
Imaginari Theatre will hold onto contact information relating to its puppetry programmes and shows for no longer than three years from the end of the project.
Imaginari Theatre will keep personal data relating to email subscribers, supporters and donors for however long those data subjects continue to give consent to do so.
DATA SUBJECTS' RIGHTS AND ACCESS REQUESTS
Data subjects have rights in relation to the way Imaginari Theatre handles their personal data. These include:
1. Withdrawing their consent at any time.
2. Asking for access to personal data that Imaginari Theatre holds about them.
3. Asking Imaginari Theatre to correct/update inaccurate data or to erase their personal data permanently.
Requests for access or changes to personal data held by Imaginari Theatre should be made in writing to the associate director, who must respond within one month of receipt.
REPORTING AND INVESTIGATING A BREACH
Any and all data breaches should be reported to the Imaginari Theatre’s associate director as soon as discovered. Once notified, the associate director will assess the extent of the breach, the risks to the data subjects as a consequence of the breach, any security measures in place that will protect the information, and any measures that can be taken immediately to mitigate the risk to the individuals.
Unless the associate director concludes that there is unlikely risk to individuals from the breach, the breach must be notified to the Information Commissioner’s Office within 72 hours of its occurrence having come to the CIC's attention unless a delay can be justified.
All data breaches should be recorded as incidents. The associate director will then be responsible for investigating the breach, including how it happened and whether it could have been prevented. Any recommendations for further training or a change in procedure shall be reviewed and decided upon by the CIC’s managing directors.
HOW TO CONTACT THE APPROPRIATE AUTHORITY
If you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office: www.ico.gov.uk
CHANGES TO OUR PRIVACY POLICY
Any changes we may make to our privacy policy in the future will be posted on this page.
This privacy policy was last updated on 29th February 2024.