DATA PROTECTION AND PRIVACY POLICY
The Young People’s Puppet Theatre (YPPT) takes its responsibilities with regard to the General Data Protection Regulation (GDPR) very seriously. This policy sets out how it manages those responsibilities.
The YPPT obtains, uses, stores and otherwise processes personal data relating to its staff, pupils and their families taking part in its puppet programmes, school and teacher information, and supporters and donors. These are collectively known as data subjects. When processing personal data, the YPPT is obliged to fulfil individuals’ reasonable expectations of privacy by complying with GDPR and other relevant data protection legislation (data protection law).
This policy applies to all personal data processed by the YPPT across the locations where personal data are stored and across data subjects. All those processing personal data on behalf of the YPPT must read and comply with this policy.
For any questions about our privacy policy or the use of information, please contact [email protected].
DATA PROTECTION PRINCIPLES
When processing personal data, the YPPT is guided by the following principles, which are set out in the GDPR. The YPPT is responsible for, and must be able to demonstrate compliance with, these principles, which require personal data to be:
1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
2. Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
4. Accurate and where necessary kept up to date.
5. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed.
6. Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
This policy sets out how the YPPT operates in a way that is compliant with these principles.
ROLES AND RESPONSIBILITIES
The YPPT is the Data Controller for the purposes of GDPR and the charity’s associate director is the designated Data Protection Officer with operational responsibility for ensuring the YPPT is compliant with data protection legislation. Individual project leaders are data processors and must read this policy and undertake to understand and fulfil their responsibilities.
Where the YPPT uses third party organisations to process data on its behalf (e.g. Google, MailChimp, or Donorfy), the YPPT will undertake due diligence to ensure its suppliers also have adequate data protection policies and procedures in place.
WHAT DATA IS COLLECTED AND WHY
The YPPT collects the names, email addresses, workplace addresses and other necessary contact details such as telephone numbers in relation to schools, individuals and other organisations participating in its puppet programmes. It also collects names, email addresses, home addresses and other contact details of supporters and donors. This information is used in order to be able to successfully carry out its projects and to communicate with those interested in its work.
All of this data is collected on the basis of individuals’ consent to sharing their information with the charity. The YPPT’s privacy notice and data collection forms (such as the photo consent form and mailing list sign-up form) clearly state the purposes for which the information will be used, give people an opt-in to join the YPPT mailing list, and provide a way to withdraw their consent in the future should they wish to do so. Consent on behalf of children under 13 is given by a parent or guardian.
For the purpose of managing an employee’s PAYE and other taxation affairs the information collected will additionally contain details, as required by HM Revenue & Customs, of: the person’s National Insurance Number, taxation codes, salary/wages, benefits, taxation deductions & payments and such other information as may be required by HM Revenue & Customs.
For the purpose of managing an employee’s statutory pension rights the information collected will additionally contain details, as required by the Charity’s pension scheme (National Employees Savings Trust, NEST), of: National Insurance Number, salary/wages, benefits, taxation & payments, and such other information as may be required by the NEST scheme.
The YPPT will not share its personal data with any third party unless they are processing data on the charity’s behalf or if there is a safeguarding reason to do so.
DATA SECURITY
Where the YPPT collects personal data via paper forms, these are stored by the associate director in a locked desk or cupboard. When no longer needed they are shredded and disposed of. Project leaders who may be collecting paper forms must be mindful to keep them secure in transit until they can be given to the associate director for safekeeping.
Electronic personal data should be password protected and stored on encrypted computers or portable devices only. Personal devices (e.g. an individual’s smartphone) should not be used to capture and store personal data – only work devices can be used for this purpose.
As far as is practicable, data should be stored and backed up to cloud servers. The YPPT also ensures it has adequate virus protection on its systems and devices to reduce the risk of malware and hacking.
DATA STORAGE LIMITS
The YPPT will hold onto contact information relating to its puppet programmes for no longer than three years from the end of a project. Where personal data relates to video and photo content produced as part of the programmes, these will be stored for longer for training purposes but the YPPT won’t use them publicly if they are more than three years old.
The YPPT will keep personal data relating to supporters and donors for however long those data subjects continue to give consent to do so.
DATA SUBJECTS' RIGHTS AND ACCESS REQUESTS
Data subjects have rights in relation to the way the YPPT handles their personal data. These include:
1. Withdrawing their consent at any time.
2. Asking for access to personal data that the YPPT holds about them.
3. Asking the YPPT to correct/update inaccurate data or to erase their personal data permanently.
Requests for access or changes to personal data held by the YPPT should be made in writing to the associate director who must respond within one month of receipt.
REPORTING AND INVESTIGATING A BREACH
Any and all data breaches should be reported as soon as discovered to the YPPT’s associate director. Once notified, the associate director will assess: the extent of the breach; the risks to the data subjects as a consequence of the breach; any security measures in place that will protect the information; and any measures that can be taken immediately to mitigate the risk to the individuals.
This assessment will be reported to the chair of trustees and, unless the chair and associate director conclude that there is unlikely to be any risk to individuals from the breach, it must be notified to the Information Commissioner’s Office within 72 hours of the breach having come to the attention of the charity, unless a delay can be justified.
All data breaches should be recorded as an incident and reported to the Board of Trustees. The associate director will then be responsible for instigating an investigation into the breach, including how it happened and whether it could have been prevented. Any recommendations for further training or a change in procedure shall be reviewed and decided upon by the trustees.
HOW TO CONTACT THE APPROPRIATE AUTHORITY
If you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office: www.ico.gov.uk
CHANGES TO OUR PRIVACY POLICY
Any changes we may make to our privacy policy in the future will be posted on this page.
This privacy policy was last updated on 29th July 2023.