Privacy Policy

1. Context and overview

Introduction

Tamasha needs to gather and use certain information about individuals.

These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards – and to comply with the law.

 

Why this policy exists

This data management policy ensures Tamasha:

Complies with data protection law and follows good practice

Protects the rights of customers, staff and partners

Is transparent about how it stores and processes individuals’ data

Protects itself from the risks of a data breach

 

Data protection law

The General Data Protection Regulation (GDPR) applies in the UK and across the EU from May 2018. It requires that personal data shall be:

1. Processed lawfully, fairly and in a transparent manner in relation to individuals;

2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes;

3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals;

6. Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

7. The controller shall be responsible for, and be able to demonstrate, compliance with the principles.

 

2. People and responsibilities

Everyone at Tamasha contributes to compliance with GDPR. Key decision makers must understand the requirements and accountability of the organisation sufficiently to prioritise and support the implementation of compliance. 

Keeping senior management and board updated about data protection issues, risks and responsibilities

Documenting, maintaining and developing the organisation’s data protection policy and related procedures, in line with agreed schedule

Embedding ongoing privacy measures into corporate policies and day-to-day activities, throughout the organisation and within each business unit that processes personal data. The policies themselves will stand as proof of compliance. 

Dissemination of policy across the organisation, and arranging training and advice for staff 

Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters

Checking and approving contracts or agreements with third parties that may handle the company’s sensitive data

Ensuring all systems, services and equipment used for storing data meet acceptable security standards

Performing regular checks and scans to ensure security hardware and software is functioning properly

Evaluating any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations

Developing privacy notices to reflect lawful basis for fair processing, ensuring that intended uses are clearly articulated, and that data subjects understand how they can give or withdraw consent, or else otherwise exercise their rights in relation to the company’s use of their data

Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the GDPR principles.

 

3. Scope of personal information to be processed

The scope of the data we process is:

- Data that you provide to us for subscribing to our website services, email announcements, and/or newsletters including:

- Names of individuals

- The postal address of an individual

- The region in which an individual or organisation resides

- Email addresses

- Telephone numbers 

- Job titles

- The cultural organisation, educational establishment or community organisation an individual belongs to

- The art form of an artist

- CVs of individuals who have applied for posts at Tamasha

- Data about your computer and about your visits to and use of this website via Google Analytics (see below);

- Data that you provide to us for the purpose of working with us;

 

Tamasha’s data is collected:

- From an online form on the Tamasha website (primarily) 

- On sign up sheets with a clear opt in that matches the Tamasha website online form at events, conferences or workshops managed and held by a Tamasha member of staff at all times

- From individuals who directly request via email, telephone or in person, including, for example, by giving a Tamasha member of staff a business card, to be added to our database

- From online surveys such as “survey monkey” with a clear “opt in” to our mailing list that matches the Tamasha website online form and links to our data policy

- Occasionally from “Data controller” partner venues who we tour our work to and with whom we have a GDPR compliant data sharing agreement

- Via Google Analytics:

  • We use Google Analytics to analyse the use of this website. Google Analytics generates statistical and other information about website use by means of cookies*, which are stored on users’ computers. The information generated relating to our website is used to create reports about the use of the website. Google will store this data. Google’s privacy policy is available here.

*Cookies - Most browsers allow you to reject all cookies, whilst some browsers allow you to reject just third party cookies. Blocking all cookies will, though, have a negative impact upon the usability of many websites.

- Via MailChimp

  • We use MailChimp to collect and maintain data collected from this website. MailChimp generates and stores information and other materials about you when you sign up with us. The information generated relates to what you provide to us. MailChimp will store this data. MailChimp’s privacy policy is available here.

 

Tamasha’s data is stored:

- In a password protected database only accessible by key members of staff

- We use secure online mailing software, “MailChimp”, for all email communications, which automatically removes duplicates and opt outs and allows customers access / information on how to remove / amend records. Only key members of staff have access to this.

 

4. Uses and conditions for processing

The table below documents the various specific types of processing that Tamasha carries out, the intended purpose for that processing, the data to be processed and what is the lawful basis for processing the data, and how these conditions for processing are supported. 

5. Privacy Impact Assessments

Privacy Impact Assessments (PIAs - also known as Data Protection Impact Assessments, DPIAs) form an integral part of taking a privacy by design, best practice approach, and there are certain circumstances under which organisations must conduct PIAs. They are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy, and protect against the risk of harm through use or misuse of personal information. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.

PIAs undertaken by Tamasha specifically relating to our consent and legitimate interest conditions for processing data are as follows.

Where we rely on consent as the lawful condition for processing, we should be able to demonstrate and describe how we have reviewed our processes and systems to make sure that consent is freely and unambiguously given for specific purposes, and that we can evidence an affirmative action on the part of the data subject to have indicated consent, and such that data subjects can reasonably understand who is using their personal information, what information, and for what purposes, and using which communications channels. Pursuant to these goals, Tamasha strives to:

1) Provide a tick box asking for consent whenever collecting information from individuals and record how and when such consent was obtained, retaining this information together with the record collected

2) For online sign ups to our general mailing list, clearly state where our privacy policy can be viewed and provide a tick box to confirm subjects have read our policy before details are sent to us.

3) Follow up requests to join our other mailing lists by showing where our privacy policy can be viewed

4) Include an unsubscribe link in all email communications, allowing for the individual to request cessation of such communications

 

Where ‘legitimate interest’ is the lawful condition for processing, evidence should be given of the process by which the rights and freedoms of the individual have been weighed against the interests of the company, and how consideration/mitigation of the outcomes of the process have been made. To assist us in determining legitimate interest, we have compiled the following Legitimate Interest Test:

 

Purpose

 

1) We are required to process the data we collect (such as names, emails, postal addresses etc.) in order to communicate relevant information of interest to our customers, partners and supporters, regarding our activities, productions, events and other pertinent materials

 

2)     Our customers and partners benefit from this processing, as they are kept up-to-date on our latest activities, productions, and news. We also benefit by creating audiences to experience and appreciate our work.

 

3)     Processing provides the wider public benefit of allowing us to communicate about our work, which seeks to enrich and contribute to society through theatre, and assists us in disseminating this information to the widest possible potential audiences

 

4)     This public benefit is deeply important for supporting and advancing the cause of culturally diverse theatre in a sphere that struggles with diversity

 

5)     Without the ability to communicate with our potential and past audiences and supporters, we would be unable to promote our offerings to the widest possible audience and therefore the appreciation for and participation in our art form would suffer

 

6)     The data collected would never be used in an unlawful or unethical manner

 

Necessity

 

1)     Processing helps to further our purpose and interest through providing us with the raw material necessary for communication with our potential and future audiences, supporters and partners

 

2)     The processing of data is reasonable because without such processing the data collected would not be useful

 

3)     There is not another less intrusive way of obtaining the same result, because basic contact details are required in order to carry out our above stated purposes

 

Balancing

 

1)     Our relationship with the individuals whose data we process is that of:

 

a)     Customer

 

b)     Partner Organisation

 

c)     Supporter

 

2)     Some of the data, including email, CVs and postal addresses, is sensitive, but it would be reasonable for anyone supplying such information to expect it to be used for communication of information

 

3)     If needed, we are happy to explain how exactly such data will be used

 

4)     It is unlikely that, after providing consent, someone would object to their data being used in this way; however, any such objection shall be treated with the utmost seriousness

 

5)     There is a small chance that by providing such data individuals are open to being contacted through their email or address if a data breach were to occur; however, the chance of any such breach is minimal given the security systems in place

 

6) It is likely that any such breached data would be used for marketing purposes and therefore prove a nuisance to the individual; however, there is a small possibility of identity theft that would have larger ramifications

 

7)     We are not routinely processing the data of children. That being said, we from time to time do collect the data of children in relation to our productions and (especially) workshops. Any such data shall be obtained with the express permission of the child’s parent or guardian and treated accordingly.

 

8)     Some of the individuals whose data is processed by us are vulnerable and therefore any such data should be treated with the utmost sensitivity, discretion and protection

 

9)     All data shall be safeguarded with the encryption provided through our mailing hosting service (MailChimp) and on our server.

 

10) Any individual who does not wish to receive further communications from us may opt-out at any time, as indicated clearly with each email or mailing

 

On balance, it can be concluded that legitimate interests are an appropriate lawful basis for our processing activities.

 

6. Data Sharing

Tamasha will not enter into agreements to share personal data that we have obtained with third parties. We will request data controller venues we collaborate with to send out a post show email communication encouraging direct sign up to our mailing list, as opposed to entering a data sharing agreement wherever possible. Where we are satisfied that data controller venues obtain the correct permissions with clear usage information on our behalf we will enter into a clear and detailed data sharing agreement with them.

 

7. Security measures

We will take sensible technical and structural precautions to prevent the loss, misappropriation, or modification of your personal data.

Data will be stored in a password-protected database on our server. This will only be accessible by key members of staff who need to access it in accordance with their lawful roles within the company. The password is updated regularly and stored securely.

Data is never emailed between members of Tamasha staff. Data is uploaded to MailChimp only.

Of course, information transmission over the internet is inherently insecure, and we cannot promise the security of data sent over the internet.

 

8. Subject access requests and privileges

We ensure that all individuals who are the subject of data held by Tamasha are entitled to:

Ask what information the company holds about them and why

Ask how to gain access to it

Be informed how to keep it up to date

Be informed how the company is meeting its data protection obligations

 

If asked by individuals what information Tamasha holds on them, we will access their information in the database and respond to their enquiry via email personally within 10 working days, addressing each of the questions individually and lawfully. Delivery of such information will be subject to the supply of appropriate evidence of your identity. As we are a small team with a relatively small amount of data, this is a feasible process and ensures that we are able to be as communicative and transparent as possible.

We can keep data up to date and delete records on a case by case basis and share our data policy and the ways in which we are GDPR compliant.

We retain all data collected for a period of two years, after which information which demonstrates dormancy (for example, the subject has not opened an email from us in two years) is purged from the system.

 

10. The right to be forgotten

In any circumstance in which subjects request to be deleted from our database and we respond to their request we will do so immediately. 

 

11. Ongoing documentation of measures to ensure compliance

Meeting the obligations of the GDPR to ensure compliance will be an ongoing process. The ongoing measures implemented include:

 

1) Maintaining documentation/evidence of the privacy measures implemented and records of compliance 

 

2) Regularly testing the privacy measures implemented and maintaining records of the testing and outcomes.

 

3) Using the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts.

 

4) Keeping records showing training of employees on privacy and data protection matters. 

 

13. Annual review and reporting

Tamasha’s policy will be monitored on an ongoing basis and revised as needed. Annually, a formal review will be undertaken and a report provided to our Board of Trustees for consideration. 

 

14. Recruitment Privacy Policy

As part of our recruitment policy and in line with our obligations under data protection legislation, Tamasha collects and processes personal data relating to all job applicants. We are committed to being transparent about how we collect and process that data, and to ensuring that we meet our data protection obligations.

What information do we collect?

Tamasha collects a range of personal information about you. This includes: your contact details, including email address and telephone number; details of your qualifications, skills, experience and employment history; information about your current level of remuneration; whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process; and information about your entitlement to work in the UK.

The information may be collected in a variety of ways. For example, data might be contained in application forms, your CV, or collected through interviews or references supplied by third parties, such as your former employers. We will only seek information from third parties once a job offer to you has been made, and will inform you that we are doing so. Data will be stored in your application record, in recruitment management systems and on other IT systems (including email).

Who has access to data?

Your information may be shared internally for the purposes of the recruitment. This includes members of the senior management team, and other members of staff, plus the Board of Trustees (for senior management roles only). We will not share your data with third parties, unless your application for employment is successful and we make you an offer of employment, in which case we will need to share your data with former employers to obtain references for you, and with relevant authorities when we are undertaking any necessary background or residency checks.

Why does Tamasha process personal data?

Tamasha has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to assess and confirm a candidate's suitability for employment and decide who we should offer a job. We also need to process your data to enter into a contract with you. In some cases, we need to process data to ensure that we are complying with relevant legal requirements, such as checking that you have a right to work in the UK.

Tamasha also processes equal opportunities monitoring data, such as information about ethnic origin, sexual orientation or religion or belief, to monitor recruitment statistics. We also collect information about whether or not an applicant has any access needs that we should make a reasonable adjustment for at interview. 

If your application is unsuccessful, Tamasha may keep your personal data on file in case there are future employment opportunities for which you may be suited. We will ask for your consent before we keep your data for this purpose and you are free to withdraw your consent at any time.

How does Tamasha protect data?

We take the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by appropriate employees in the proper performance of their duties. 

How long will your data be kept?

If your application for employment is unsuccessful, the organisation will hold your data on file for 12 months after the end of the relevant recruitment process. At the end of that period, or once you withdraw your consent, your data is deleted or destroyed. You will be asked when you submit your application whether you give us consent to hold your details for the full 12 months in order to be considered for other positions or not.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your HR file (electronic based) and retained during your employment. The periods for which your data will be held will be provided to you in your contract of employment.

 

Your rights

As a data subject, you have a number of rights. You can:

access and obtain a copy of your data on request;

require the organisation to change incorrect or incomplete data;

require the organisation to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;

If you would like to exercise any of these rights, please contact us on admin@tamasha.org.uk 

If you believe that Tamasha has not complied with your data protection rights, you can complain to the Information Commissioner – www.ico.org.uk.

 
