DATA USAGE POLICY
EFFECTIVE DATE: 19th August 2019
1. INTRODUCTION & PURPOSE
This policy covers the full spectrum of East Meets West activity, including when you interact with us:
- online via our main website at eastmeetswest.org.uk;
- online via the hub website or app at hub.eastmeetswest.org.uk;
- online via the Facebook group at facebook.com/groups/emwtheatre;
- online via any of our other associated social media profiles;
- by any other means.
Before interacting with East Meets West and other members of the network, you should read:
- this Privacy & Data Usage Policy;
- our Terms, Conditions & Community Guidelines.
By continuing to interact with East Meets West and other members of the network, you agree to the terms set out in both of these documents.
East Meets West and its curators are committed to protecting your personal information (often referred to as personal data). It’s your information, it’s personal, and we respect that. It is very important for us that we can maintain the trust and confidence of those who interact with us.
This policy gives you detailed information about the types of data we collect, when and why we collect it, as well as how we handle it and keep it secure.
East Meets West is owned and operated by Little Earthquake as part of our wider activities. This policy does not extend to those interacting with Little Earthquake outside of East Meets West. A separate privacy and data usage policy exists for Little Earthquake which can be found at: little-earthquake.com/policy-privacy-data-usage
More information about Little Earthquake, including our contact details:
Little Earthquake is known as the “data controller” of any data you share with East Meets West. A controller determines the purposes and means of processing data.
Little Earthquake is a company limited by guarantee incorporated in England and Wales (Company number 10168346).
Our website address is: little-earthquake.com
Our correspondence address is:
Department of Drama and Theatre Arts
University of Birmingham
The Old Library (SOVAC)
998 Bristol Road
You can also contact us using the contact form on our website, or email us at epicentre [at] little-earthquake [dot] com.
If you have questions regarding your data and/or its use, please don’t hesitate to contact us using the details above. Depending on your enquiry, we may need to ask you to prove your identity.
2. DATA PROTECTION REGULATION
The General Data Protection Regulation (GDPR) applies in the UK and across the EU. Within the regulation, there are three broad categories of data:
- Personal data. The concept of personal data is extremely wide, but in general terms it means any information by which an individual (or “data subject”) can be identified, either directly or indirectly;
- Anonymous data. Anonymous data is any information that cannot be used to identify the specific data subject it relates to. Anonymisation destroys any way of identifying the data subject and is irreversible;
- Pseudonymous data. Pseudonymous data is personal data to which some kind of de-identification has taken place. Pseudonymisation substitutes the identity of the data subject, meaning you need additional information to re-identify them. It is reversible.
This policy outlines how we handle personal, anonymous and pseudonymous data.
When we collect your personal data, GDPR requires that we:
- Tell you who we are, why we are collecting the data, for how long we will hold the data, and who receives the data. This policy informs you of all these things;
- Get clear consent from you before collecting the data and maintain a record of that consent;
- Let you have access to the data we hold about you at your request, and allow you to take that data with you;
- Have the ability to amend the data we hold about you at your request;
- Have the ability to change the way we use your data at your request;
- Have the ability to delete your data at your request (sometimes called ‘the right to be forgotten’);
- Let you know if data breaches occur.
In addition, GDPR requires that your personal data shall be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific/historical research, or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- Accurate and, where necessary, kept up-to-date. Every reasonable step must be taken to ensure that inaccurate personal data is rectified or erased without delay;
- Kept in a form which permits identification of data subjects for no longer than necessary;
- Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate organisational and technical measures.
The data controller (in this case Little Earthquake) shall be responsible for, and be able to demonstrate, compliance with these principles.
For more information about GDPR, visit: eugdpr.org
3. WHEN AND HOW WE COLLECT YOUR PERSONAL DATA
Personal data we collect directly from you
Generally, we only collect your personal data when you choose to interact with East Meets West directly. At such times we may collect the data in a number of ways, including:
- When you visit our main website at eastmeetswest.org.uk;
- When you send comments and messages to us via the contact forms on our main website;
- When you make blog posts comments on our main website;
- When you create a member account on the hub website / app at hub.eastmeetswest.org.uk;
- When you add and/or update information on your hub profile;
- When you post information and/or interact with other members on the hub. Please note that we can only access information you choose to publish or information which we need to administer the membership elements of the hub. Private messages between members cannot be accessed by us;
- When you upload images and other media to the hub. Please note that some media can contain embedded location data that was automatically generated when the media was created. You should remove this data if you don’t wish it to be accessed by us or others;
- When you join the Facebook group at facebook.com/groups/emwtheatre;
- When you post information and/or interact with other members of the Facebook group;
- When you interact with us via our other associated social media profiles including Twitter and Instagram;
- When you sign up to our mailing list to receive our regular community round-up bulletins, newsletters, promotions about our work, and information about how you can support us;
- When you purchase tickets for an East Meets West event for which we are running the box office ourselves. This may be by using a third-party ticketing service such as Eventbrite;
- When you contact us by email;
- When you contact us by post;
- When you speak to us over the telephone or communicate with us via text message;
- When you apply for a position with East Meets West or send us unsolicited CVs;
- When you apply to take part in one of our participatory activities;
- When you enter competitions that we run;
- When you fill out feedback forms about our work;
- When you make financial or in-kind donations in support of our work;
- When you attend one of our events or take part in a participatory activity;
- When we are documenting our work with photographs or by filming it.
Personal data we collect from third parties
As well as obtaining personal data directly from you, we may obtain information about you independently. Times when we do this include:
- When you purchase tickets for an East Meets West event through a third-party venue/promoter via their online, telephone, app or in-person box office systems and they get your consent for you to be contacted by East Meets West;
- When another organisation thinks that you will like our work and they get your consent for you to be contacted by East Meets West;
- When we screen our database against recognised data hygiene files such as the National Change of Address file in order to rectify inaccurate data;
- When we collect information found in places such as Companies House and information that has been published in other publicly available sources, including articles and newspapers;
- When your personal settings or the privacy policies for the social media accounts and messaging services you use give us permission to access information from those accounts or services.
Within one month of your personal data being provided to us by a third party or collected from a publicly accessible source, we will contact you directly and tell you who shared it with us or from where we collected it. We will ask if you’re still happy for us to hold your personal data and if you aren’t, we will delete it securely with immediate effect.
4. THE TYPES OF DATA WE COLLECT
The types of data we collect are listed below. Although it is not compulsory for you to provide all of the information listed, we may not be able to provide you with the full range of services that we have to offer should you choose not to do so.
- Prefix/preferred title;
- First name and last name;
- Email address;
- Region in which you live and/or work;
- Description of your involvement in the Midlands’ independent theatre sector;
- Date of birth;
- Contact telephone number;
- Contact address;
- Delivery address;
- Billing address;
- Payment card details. Please note that we do not store any Credit Card or other payment information once a transaction has been completed;
- Your image, including photographs and film;
- The organisation(s) you work for and the position(s) you hold within those organisations;
- Your role(s) within the industry;
- Your training credentials;
- Descriptions about your work;
- Your previous credits;
- Details of what you’re currently working on;
- Opportunities you are looking for;
- Your website address and social media profiles;
- Events you are producing;
- Your thoughts, opinions and comments;
- Any other information you voluntarily choose to disclose.
Online usage data (including cookies) that cannot be used to identify you personally
When you visit our main website, our hub website/app, the Facebook group, interact with us via our other associated social media profiles, or click on links that we have posted, there are certain industry standards we follow that collect specific types of anonymous and/or pseudonymised data about you. This data cannot be used to identify you personally.
When you interact with us online, we may obtain your automatically populated Internet Protocol Address (more commonly known as an IP Address). This is a unique number which allows a computer or device to browse the internet. Your IP Address gets linked to all online activity you carry out, and a log file records the websites you visit (including the individual pages on a website), the date, time and duration of your visit, the referring website (if provided), your Internet browser type and version, unique device identifiers and other diagnostic data.
IP Addresses, in and of themselves, do not collect, save or store any personally identifiable information about you and are only used for pseudonymised tracking. However, if you’re signed up with an Internet Service Provider (ISP) — which is the way most of us get our Internet service — then your ISP can easily link your IP Address with your contact information. We can’t access this information through your ISP, however.
Our websites also use tracking software provided by Google Analytics that utilises these cookies in order to monitor website visitors so we can better understand how they use them. Again, the tracking software does not collect, save or store any personally identifiable information.
Our websites might tell other websites to issue cookies on our behalf (or vice versa) if we use referral programs, sponsored links or adverts. Such cookies are only used for conversion and referral tracking and typically expire after 30 days, though some may take longer. Again, these cookies do not collect, save or store any personally identifiable information.
Our websites and the social media platforms we use may include social sharing buttons which help users to share publicly accessible web content directly from one website/platform to other websites/platforms. This means that any information you post publicly (on our website, outside of the membership sections of the hub, on the Facebook group, or via our other public social media profiles) could subsequently be shared by other users in other places on the Internet. Users who click on social sharing buttons should be aware that the social media platform linked to the share button may track your share request through your social media account.
Our websites and social media accounts may shorten lengthy web addresses (and this is often done automatically by social networks). Services that shorten web addresses (such as bit.ly) may track the use of these shortened links and collect anonymous and pseudonymised data. This data includes the IP Address and physical location of devices accessing the shortened link, the time and date of each access, the referring websites or services, and information about the link being shared on other third-party services such as Twitter and Facebook.
Monitoring forms and anonymous data
If you are applying for a position with East Meets West, applying to take part in one of our participatory activities, or attending one of our events, we may also ask you to complete an anonymous monitoring form. Completing an anonymous monitoring form isn’t compulsory and there will also be ‘prefer not to disclose’ options on the form. Your monitoring form will be detached immediately from any other information that could identify you specifically (such as your name and contact information) as soon as we receive it.
The information you provide on an anonymous monitoring form will not be used in any decision-making process in the case of recruitment and participation selection. We will ensure that no applicant receives less favourable treatment either directly or indirectly, on the grounds of age, race, disability, gender, marital status, class, religion or faith, sexual orientation or social-economic background. The information you provide will enable us to develop appropriate policies and strategies in respect of diversity and equal opportunities.
Through the anonymous monitoring form, we may collect information on:
- How you would describe your gender;
- Your age;
- Your marital or civil partnership status;
- How you would describe your sexual orientation;
- Your nationality;
- How you would describe your disability (as defined by the Disability Discrimination Act);
- How you would describe your ethnic origin;
- How you would describe your religion or belief;
- Your average income.
If we are considering employing you in any capacity, we may solicit a reference about you from the referees you nominate on your application form.
Disclosure and Barring Service (DBS) checks
A DBS check helps employers make safer recruitment decisions and prevents unsuitable people from working with vulnerable groups, including young people. For more information, visit the government’s DBS information page at: gov.uk/government/organisations/disclosure-and-barring-service.
If East Meets West offers you work, there are certain roles for which we would be legally obliged to run a DBS check about you. If you hold a current DBS certificate, we will ask to see it and will record the certificate number, along with your current name, address and date of birth. We will never take a photocopy or photograph of your certificate.
Young people’s privacy
You must be aged 16 or over to become a member of the East Meets West network.
Parent or guardian consent must be provided when we collect personal data from anyone under the age of 16. We do not knowingly collect personal data from anyone under the age of 13.
An exception to this is when we are working on a specific project involving young people and we need to collect and store data in order to carry out the project. In such circumstances each young person’s parent or guardian will be informed of the data we need and the purposes for collecting it, before we ask for clear consent on behalf of the young person. Due care is given to the security of the young person’s data and it is immediately and securely deleted on the completion of the project.
Parent or guardian consent will also be required for us to use photographs or film of a young person in the documentation of our work. We will never publish a photograph or film of a young person which is captioned with their name.
If you are a parent or guardian of someone under the age of 16 and you are aware that your child has provided us with personal data, please contact us. If we become aware that personal data has been collected from a young person without verification of parental/guardian consent, we will take immediate steps to delete that data securely.
5. WHY WE COLLECT YOUR PERSONAL DATA AND HOW WE USE IT
It is necessary for us to collect personal data in order for us to fulfil important aspects of our day-to-day business and to provide the particular services you’ve requested in a personalised and conscientious manner.
More specifically, where we have your clear consent, we collect your personal data so that we can:
- Operate the membership elements of the hub;
- Operate the membership elements of the Facebook group;
- Send you the regular community round-up bulletin email;
- Send you information and promotions about our work, including our regular newsletters;
- Send you details about the ways you can support us, including through financial and in-kind donations;
- Send you patron care and support notifications, including order confirmations, reminders of upcoming events you’ve booked for, or letting you know about event changes that may affect your experience;
- Reply to your direct correspondence, including comments on blog posts, social media platforms and feedback forms;
- Contribute to online discussions you also choose to take part in;
- Administer and facilitate any special requirements you may have when interacting with us;
- Fulfil your ticket requests, including delivery;
- Fulfil your donation requests;
- Process payments from you. Please note that we do not store any Credit Card or other payment information once a transaction has been completed;
- Process payments to you, including invoices, refunds and donations;
- Monitor and analyse how you interact with us in person and online so we can understand our audiences’ needs better, and increase the quality, reach and impact of our work;
- Administer recruitment processes for both employment and participatory activities;
- Use the information you provide to develop appropriate policies and strategies in respect of diversity and equal opportunities;
- Run competitions, inform you about the competition results and administer prize giving;
- Contact you to let you know if third parties shared your personal data with us and to check that you’re still happy for us to hold it. You will always have given clear consent to the third party sharing your details with us, but we want to make sure you’re still happy for that to happen;
- Share your details with other specific third parties if you have given us clear consent to do so. These third parties will contact you to let you know how they collected your personal data and to check that you’re still happy for them to hold it. You will always be able to opt out of their communications by contacting them directly;
- Gather your opinions about our work through feedback to help us develop it further;
- Document our work through photographs and film, and use this documentation to evaluate, promote and market our work.
Where we have justifiable reason (including a legal obligation and legitimate interest), we may use your personal data to:
- Contact you if you are the parent or guardian of a young person taking part in one of our projects in order to tell you about what the work entails and to get clear consent from you for your child to take part;
- Solicit references about you from your nominated referees if we are considering employing you in any capacity;
- Run a DBS check about you if we are employing you to work with vulnerable groups, including young people;
- Keep our database accurate and relevant. This may include merging your personal data if it has been collected at different places and times, removing duplicate information, and checking against public records such as the National Change of Address file;
- Undertake consumer research. We may contact you to ask you to participate either online, by telephone, or in person. You are under no obligation to participate in this research and should you provide any further personal data, we will inform you about how this data will be used;
- Classifying our patrons into groups or segments, using personal data you have provided and publicly available information. These segments help us to understand our patrons better and ensure we’re sending relevant messages to each group;
- Learn about your interests and preferences so that we can contact you with information that is relevant to you, including our marketing communications and adverts;
- Measure and understand how our audiences respond to a variety of marketing activity so we can ensure it remains effective, well-targeted, and relevant;
- Create regular secure back-ups of our website;
- Scan for malware;
- Help us run the test version of our websites/app that we use internally to pilot new features and ensure the smooth running of our online services;
- Detect and reduce fraud and credit risk.
6. SHARING YOUR PERSONAL DATA WITH THIRD PARTIES
We will never share, sell, rent or trade your personal information to any third parties for marketing purposes without your prior consent.
There may be times when we ask for your clear consent to share personal information with specific third parties who have collaborated with us or whose work we think you will like. These third parties will contact you to let you know how they collected your personal data and to check that you’re still happy for them to hold it. You will always be able to opt out of their communications by contacting them directly.
Some of our third-party service providers may have access to your personal data in order to facilitate or perform specific services on our behalf. Good examples of this are payment and mailing list processing.
These service providers are often referred to as “data processors” as they are responsible for processing personal data on behalf of a data controller (in this case Little Earthquake). Sometimes it is necessary to provide these data processors with personal data that can identify you personally. All of the data processors we use have policies stating that they will not use your personal data for anything other than the clearly defined purpose relating to the service they are providing for us.
The data processors we use are:
- Krystal: they host our main website servers, domain names and also create regular backups of our website. The servers are all UK based and protected by top level security. Visit Krystal at: krystal.co.uk;
If we run a competition, we sometimes use a third party to administer it. In order for them to do so, we will need to share with them the personal data you provide. We will make this clear at the point when you choose to enter the competition.
There may be times when we are legally obliged to share your personal data. Such circumstances include:
- If required to do so by the ‘know your donor’ principles under charity law. Charities are required to know, at least in broad terms, where the money they are being given comes from;
- Via a court order;
- When requested by the police or a regulatory or government authority investigating illegal activities;
- To protect and defend the rights (including against legal liability) or property of East Meets West and Little Earthquake;
- To prevent or investigate possible wrongdoing in connection with our services;
- To protect the personal safety of users of our services or the public.
7. HOW WE HANDLE AND PROTECT YOUR DATA
We will handle all of your data in an honest, transparent and conscientious manner. We are also committed to protecting your data from improper use.
While we strive to use commercially acceptable means to protect your data, no data transmission over the Internet or method of storage is 100% secure. We therefore cannot guarantee the security of any data which you disclose to us and so wish to draw your attention to the fact that you do so at your own risk.
Membership sections of the hub
The membership sections of the hub are private. This means you need to have an account and log into the site to access membership features such as your own and other members’ profiles, the activity streams and the messaging systems. This also means your profile and other information you post through your account can’t be seen by visitors who aren’t logged in.
When you post content to the hub through your profile, you are voluntarily publishing information that can be seen by other members of the network. You should therefore only post information that you’d be happy to share with those members and are advised to do so with due care and caution in regard to your own personal privacy.
We have a duty to remind you that publishing personally identifiable information on the internet (even on a private membership site) potentially puts you at a higher risk of identity theft. You can find more information about identity theft here: www.actionfraud.police.uk.
While we take technical steps to prevent the automated harvesting of information you post, we cannot guard against manual collection or sharing by other members of the network, despite this being forbidden in our Terms, Conditions & Community Guidelines.
East Meets West encourages users wishing to discuss sensitive details to contact their correspondent through more private communication channels (such as by telephone, email, contact forms or private messaging) rather than through publicly visible posts.
With regards to private messaging on the hub, it is only your correspondent who can see your messages. Little Earthquake (curators of East Meets West) does not have access to any private messages sent by other members.
Publicly posted information, including social media posts and blog post comments
When interacting with us online (either outside the membership sections of the hub or through public social media platforms), users are also advised to do so with due care and caution in regard to their own personal privacy.
Interactions through external social media platforms on which East Meets West participates are subject to the terms and conditions as well as the privacy policies held with each social media platform respectively. You are advised to read the privacy policies and other relevant notices for these platforms when you sign up to them.
If you comment on blog posts featured on our main website, these comments can be seen by everyone visiting the site. These visitors will only be able to see your comments and your name.
We ensure that appropriate organisational and technical measures are taken against unauthorised or unlawful processing of your personal data, and against accidental loss, destruction or damage.
This means that we have taken the time to implement the right physical and technical security, and have designed and organised our data security policies and procedures according to the nature of the personal data we hold and the harm that may result from a security breach.
We are clear about who is responsible for ensuring data security in our organisation and we back this up with staff training.
We are ready to respond to any breach of security swiftly and effectively.
How long we hold your data
We will review the personal data we hold on a regular basis and will only keep information for as long as is reasonably necessary for the purposes set out in this policy and to fulfil our legal obligations. The retention period of your personal data will vary according to the purpose for which the data has been collected.
When your personal data is no longer required, it will be securely deleted. As soon as we become aware that any personal data is out-of-date and inaccurate, we will rectify or securely delete it.
If you ask us to stop using your data, we will keep the minimum amount of information (such as your name, address or email address) to ensure we adhere with such requests.
Transferring your data outside the European Economic Area
There are times, due to a very specific purpose, when the personal data you provide to us needs to be transferred to countries outside the European Economic Area (EEA). By way of example, this happens when any of the data processors we use are located in territories outside of the EEA.
The GDPR requires data about European residents which is transferred outside the EEA to be safeguarded to the same standards as if the data was in Europe.
We will only transfer your personal information outside of the EEA to territories approved by GDPR or to organisations with public facing policies which explicitly state they apply data protection standards in line with GDPR as part of their binding corporate rules.
Web links and external sites
East Meets West is not responsible for the privacy policies, notices, practices or content of other organisations or websites, even if those websites are accessed using links or other prompts from East Meets West (including on our main website, the hub website/app and associated social media profiles).
Although we only look to include quality, safe and relevant external links, we cannot be held liable for any damages, loss or implications caused by clicking on those links. We advise you to take all necessary precautions before clicking on any external links as you do so at your own risk.
Risk of data breach
In the extremely unlikely event of a data breach, we will attempt to notify all users immediately, outline the nature of the breach, the risks that the breach poses, and the precautions we have taken.
8. YOUR CHOICES
At any time you have the right to:
- Ask to see the personal data we hold about you, and to take that data with you;
- Ask to amend the data we hold about you;
- Ask us to change how we use your personal data, including for marketing purposes;
- Ask us to delete the personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
You can contact us at any time to exercise these rights. Depending on your enquiry, we may need to ask you to prove your identity.
Within the hub you have full control over the notifications you receive via your account settings.
Every email we send to you will include details on how to change your email communication preferences or unsubscribe from future email communications.
You can instruct your browser to block all cookies or to indicate when a cookie is being sent. Blocking cookies may impact the personalised experience and speed you get when accessing our websites.
If you are attending an event or taking part in a participatory activity which we are photographing or filming for documentation purposes, we will display signs telling you that this is happening. You have the right not to appear in any photographs or footage we capture and we have systems in place to respect that. The event signage will tell you who to speak to if you don’t want to appear in our documentation.
Should you wish to do so, you have the right to lodge a complaint with The Information Commissioner’s Office. Contact them via their website at: ico.org.uk
9. CHANGES TO THIS PRIVACY & DATA USAGE POLICY
The most up-to-date version of this Privacy & Data Usage Policy can always be found on this page.
It may be updated in the future to take into account changes at East Meets West and the services we provide, or to reflect changes to regulation or legislation. Whenever we update the policy, we will also update the “effective date” at the top. We will also inform you of any changes via a prominent notice on eastmeetswest.org.uk prior to the change becoming effective.
10. FURTHER INFORMATION
Further information on data protection regulations and laws can be found on the following websites:
The Information Commissioner’s Office: ico.org.uk
The General Data Protection Regulation: eugdpr.org
The Fundraising Regulator: fundraisingregulator.org.uk