PRIVACY AND COOKIES POLICY
References to “you” or “your” are to you as an individual using our website or otherwise contacting us (whether on behalf of yourself, your school or another individual or organisation).
- IMPORTANT INFORMATION
- WHO WE ARE
- BASIS FOR PROCESSING PERSONAL DATA
- CATEGORIES OF INFORMATION WE COLLECT ABOUT YOU
- DISCLOSURES OF INDIVIDUALS’ PERSONAL DATA
- INTERNATIONAL TRANSFERS
- DATA SECURITY
- DATA RETENTION
- YOUR LEGAL RIGHTS
- CONTACT DETAILS
This version was last updated on 28th November 2018.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We are The International Schools Theatre Association, a company limited by guarantee, incorporated in England with company number 03108893. We are also a UK registered charity, with registration number 1050103. Our registered office is 14 Coinagehall Street, Helston, Cornwall TR13 8EB.
We are bound by applicable data protection laws in respect of the handling and collection of your personal data. ISTA is registered as a data controller in England and Wales, with the Information Commissioner’s Office (ICO) under the ICO number ZA172994.
3.1 – When schools (or other organisations) register to become members of ISTA, the data they provide may include the personal data of students, teachers, parents or members of the public or other individuals related to that school (or applicable organisation). In such circumstances, the school (or other organisation) is the controller of and wholly responsible for the individual’s personal information that the school (or other organisation) share with us, but which we require for providing our services to the individual(s) registered by the school (or other organisation).
If you have any specific queries or concerns about how we have obtained your personal information, where you have not provided such personal information to us directly yourself, you should contact your school (or the relevant organisation) in their capacity as a controller of your personal information. This policy only applies to the processing that we carry out as a controller and is set out on the basis that the personal information we have received about you has been lawfully provided to us.
3.2 – Sections 3.3 – 3.16 below explain the purposes for which we may process personal data as a controller, as well as the legal basis on which this processing is carried out.
3.3 – To enter into a contract for membership: Where you apply for ISTA membership, you may do so as an individual on your own behalf or as an individual applying for and on behalf of a school (or other organisation). In either case, we may process personal data relating to you in order to process the application for ISTA membership. Our use of personal data in this way may include sharing your personal data with our payment system provider.
Where you are an individual making an application for ISTA membership on your own behalf, the legal basis on which we process your personal data in this way is the necessity to be able to enter into and perform the contract for our membership services that you have requested from us. If you do not wish to provide us with your personal data in this way, we will be unable to provide you with ISTA membership.
Where you are an individual making an application for ISTA membership for and on behalf of a school (or other organisation) the legal basis on which we process your personal data is that it is necessary for the purposes of our legitimate interests to enter in to a contract for membership services that you have requested from us with the school (or other organisation) on behalf of whom you have submitted the membership application. If you do not wish to provide us with your personal data in this way, we will be unable to provide the school (or other organisation) with ISTA membership at least until another individual can be found who is comfortable sharing their personal data for such purposes.
3.4 – To enter into a contract for services with you: Where you are an individual with whom we contract for your services (i.e. a teacher or a freelance artist) we may use your personal data for being in contact with you, processing any payments owed to you or for other reasons in relation to working with you.
The legal basis for using your information in this way is that it is either necessary for the performance of a contract to which you are a party or necessary for the purposes of our legitimate interests in organising our events.
3.5 – To provide our membership services: Upon a successful application for ISTA membership, we may process your personal data in order to fulfil the membership contract that we have with you or the school (or other organisation) that you represent and supply our membership services accordingly. We provide individuals with member log-in access to our website and such access is provided to individual members acting on their own behalf or to an individual who is the point of contact for and on behalf of a school (or other organisation) member. Members are provided with the opportunity to update their respective profiles by providing additional information (which may include additional types of personal data).
Where you are an individual member acting on your own behalf, the lawful bases on which we process your personal data is that it is necessary for the performance of a membership contract with you or for our legitimate interest to provide our membership services to you and to run our business.
Where you are an individual who is the point of contact for a school (or other organisation) member, the lawful basis on which process your personal data is that it is necessary for the purposes of our legitimate interests to provide our membership services to the school (or other organisation) and to run our business.
3.6 – To run our events: At ISTA we produce and run a number of different events (such as our ‘Festivals’, or ‘Theatre Arts Programme Symposiums (TaPS)’, or ‘International Baccalaureate (IB) Teacher Workshops’, or ‘Professional Development & Learning Studios’, or our ‘Artist in Residence (AiR)’ programmes) aimed at different individuals of different ages.
Where individuals (who may or may not be an ISTA member) register for an ISTA event on their own behalf, or where an individual student is registered for an event by teacher or a parent (or guardian), we ask for certain personal information to be provided to us in relation to the individual who is registered to attend the event. This includes details such as the individual’s name, gender, age and travel information and also where applicable requires particular special categories of personal information to be provided, such as in relation to the individual’s health, whether or not the individual has any disabilities or dietary requirements of which we need to be made aware and their t-shirt size. It may also involve information related to the racial or ethnic origin of the individual.
We use personal information for the purposes of organising, running and managing the relevant event and (save for any special categories of personal information where we rely on consent or in the absence of consent the necessity of protecting an individual’s vital interests) the lawful basis on which we rely is our legitimate interests in being able to operate our events safely and appropriately.
Where individual artists provide us with personal information about themselves in order to appear in our AiR Directory and to promote their own profile as being available for selection for an AiR programme, we process such personal information (which typically includes information about the artist’s relevant experience and a photograph of the artist) on the lawful basis that it is necessary for our legitimate interests in providing an AiR event which supports and enhances the learning of theatre.
3.7 – To provide information to you: We may process personal data relating to an individual in order to respond to general or specific enquiries, however communicated, which may have been sent by you on your own behalf or in your capacity as an employee or representative of a school (or other organisation) on behalf of a student.
The legal basis on which we process an individual’s personal data in these circumstances is our legitimate interest to assist you with queries, grow our business and to provide good customer service.
3.8 – To make our website better: We may process an individual’s personal data in order to provide a more tailored user experience, including using the individual’s personal data to make sure our website is displayed in the most effective way for the device the individual is using. This processing means that the individual’s experience of our site will be more tailored to that individual, and that the content that individual sees on our website may differ from someone accessing the same website with a different browsing history or habits. We also use various cookies to help us improve our website (more details are set out in section 4.3), and share an individual’s personal data with the third party analytics and search engine providers that assist us in the improvement and optimisation of our website.
We will also process personal data for the purposes of making our website more secure, and to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
The legal basis on which we process personal data in these circumstances is our legitimate interest to provide the individual with the best experience we can, keep our website updated and relevant, study how individuals use our services, to inform our marketing strategy and to ensure that our website is kept secure.
3.9 – For marketing purposes:
3.9.1 – Photography, audio and video
We may take photographs, or record audio or video footage of individuals participating in or at one of our different events.
We do this for the purposes of using the images and footage to promote the engaging nature and educational value of our events to a wider audience. The lawful basis on which we process such personal data is that it is necessary for the legitimate interests we have in marketing and growing the educational impact of our organisation and where applicable, consent of the individuals featured in such photographs, audio and video footage.
3.9.2 – Marketing communications
We may send you marketing communications by email, telephone or mail.
Schools (and other organisations): We may send marketing information to schools and other organisations relating to the events and services they can purchase from or through us. The legal basis we rely on to engage with our stakeholders in this way is our shared legitimate interests in promoting educational learning through theatre. Any individual that receives any such marketing is entitled to exercise their right to object to receiving such marketing communications by contacting us (please see sections 9 and 10).
Individuals: We will only send direct marketing communications to individuals (such as teachers, students, parents or artists) if the individual has provided their express, opt-in consent. Individuals can withdraw their consent at any time by contacting us (please see section 10) or, by following the unsubscribe link in every marketing communication received from us.
If an individual does choose to object to the communications, unsubscribe or withdraw their consent, this will not mean that our processing of such individual’s personal data before they withdrew their consent was unlawful.
3.10 – For prospecting: In a business development context, we may make contact with individuals to provide or seek information in connection with our services or in connection with the services of a supplier or school with whom we wish to engage. The legal basis we rely on for making contact with individuals and processing their personal data is our shared legitimate interests in working together. When we make contact with individuals, they can exercise their right to object to such contact from us (for more information about individuals’ rights, see section 9).
3.11 – In connection with recruitment activities: We may process personal data relating to you in order to respond to general or specific enquiries from you in connection with work opportunities. These may have been sent by you on your own behalf or by recruitment agents. The legal basis on which we process your personal data in these circumstances is our legitimate interest to recruit employees and workers and to grow our business.
3.12 – If our business is sold: We may transfer personal data to a third party:
3.12.1 – In the event that we sell or buy any business or assets, in which case we will disclose personal data to the prospective seller or buyer of such business or assets (at all times in accordance with all applicable data protection laws); or
3.12.2 – If ISTA or substantially all of its assets are acquired by a third party, in which case personal data held by us will be one of the assets transferred to the purchaser,
in each case, the legal basis on which we process data in these circumstances is our legitimate interest to ensure our business can be continued by a purchaser. If you object to our use of personal data in this way, the relevant seller or buyer of our business may not be able to provide the applicable services to you.
The legal basis on which we process personal data in these circumstances is our legitimate interest to remain transparent in our use of personal data and to ensure you are kept updated on how and why we process your personal data.
3.14 – We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
3.15 – If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
3.16 – Please note that we may process your personal data without knowledge or consent, where this is required or permitted by law.
4.1 – Information you give us:You (including where you work for and on behalf of a school or other organisation) may provide your personal data or that of another individual when corresponding with us by post, phone, email or otherwise.This includes personal data provided to us in relation to:
- registering for ISTA membership;
- registering for an event;
- submitting an artist’s profile for the AiR programme;
- contacting us using the details provided on our website;
- applying for a job with us;
- completing a survey; or
- giving us some feedback.
4.2 – Online information we collect: With regard to visits to our website we may automatically collect the following information:
4.2.1 – Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, login information, browser type and version, time zone setting, browser plug-in types and versions, other hardware information, domain name, operating system and platform and possibly other software information;
4.2.2 – Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our website (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page.
4.3 – Cookies: A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer. Please see the table below for details of the cookies we use.
Cookie Purpose Expiration More information _ga Used to distinguish users 2 Years Full explanation of Google Analytics cookie usage available here. _gat Used to throttle request rate. 60 Seconds _gid Used to distinguish users 24 Hours ista_logged_in_ Record logged in user’s username Session cookie ista_test_cookie Checks Cookies for Logged in Users 60 Seconds wpSGCacheBypass Used in the caching process, Helps improves the speed and performance of the website. 2 hours YouTube YouTube is used by the website to store and show video content. These cookies are set by YouTube to track usage of its services. The YouTube Cookies are only installed when you press play. Various Please email YouTube for more details.
Except for essential cookies, all cookies will expire as outlined under the expiration column in the table above.
4.4 – Information we receive from other sources: We may receive information about you from the third parties we work with, including, for example our host schools or freelance theatre artists, suppliers of technical, payment and delivery services, advertising networks, analytics providers (such as Google Analytics), search information providers, credit reference agencies and hosting providers.
4.5 – Photographs, audio and video files: As stated above, we may collect photographic, audio and visual data relating to your participation in or at one of our different events.
4.6 – As stated above, we may collect Special Categories of Personal Data about you (this is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic data, biometric data, data concerning health, sex life, sexual orientation and information about criminal convictions and offences). Specifically, we may collect the following information about you when you register (or are registered) for an event – details of:
- your dietary requirements (which may reveal details of your personal health or religious beliefs) in order for us to cater for you;
- any health conditions or disability requirements (such as special wheel-chair access or other relevant information) in order for us to cater for you;
- your t-shirt size (which when combined with information about your age may reveal details of your personal health) in order for us to cater for you; or
- your racial and ethnic origin which we use in order to be ale to assess the cultural diversity of our events.
The legal basis on which we process such data will usually be your explicit consent. However, in the circumstances, where we are unable to obtain such consent, the legal basis for such processing will be to protect your vital interests and/or to meet our specific legal obligations (for example, pursuant to equality and anti-discrimination legislation).
For the purposes set out in section 3, we may have to share your personal data with the following parties:
5.1 Specific Third Parties such as:
• Sage Pay a payment gateway provider based in Europe who help us to provide secure financial transactions.
5.2 – External Third Parties who provide support integral to the provision of our services and enable us to operate as a charitable organisation, such as:• Host schools or other organisations that provide venues for our events to be held.
- Service providers acting as processors based in the UK who provide IT and system administration services.
- Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, insurers and employment and recruitment agencies based in the UK (or other relevant jurisdictions) who provide consultancy, banking, legal, insurance, accounting and recruitment services.
- Marketing and PR companies based in (and outside) the UK, in particular social media organisations such as Facebook, Instagram, Twitter, YouTube and Vimeo.
- HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the UK (or other relevant jurisdictions) who require reporting of processing activities in certain circumstances.
- Other third party companies where we have an agreement in place and only where an individual has agreed that we may share their personal data with them.
5.4 – We require all third parties to respect the security of individuals’ personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use individuals’ personal data for their own purposes and only permit them to process individuals’ personal data for specified purposes and in accordance with our instructions.
6.1 – Many of the events that we provide are held at host schools or with organisations located outside the European Union (EU). As such, our activities require processing that involves the transfer and storage of personal data outside the EU.
6.2 – Whenever we transfer your personal data out of the EU, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer the personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
Please contact us if you want further information on the specific mechanism used by us when transferring personal data out of the EU.
7.1 – We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to individuals’ personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process personal data on our instructions and they are subject to a duty of confidentiality.
7.2 – We have put in place procedures to deal with any suspected personal data breach and will notify the individuals involved and any applicable regulator of a breach where we are legally required to do so.
8.1 – We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
8.2 – To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
8.3 – We will generally retain our members’ data for a period of 7 (seven) years after they cease to be a member, to ensure that we are able to assist should they have any questions or feedback in relation to our services, or to protect or defend our legal rights.
8.4 – Where we have processed personal data to provide you with marketing communications with consent, we may contact you at least every twelve (12) months to ensure you are happy to continue receiving such communications. If you tell us that you no longer wish to receive such communications, your personal data will be removed from our marketing lists (but will be added to a “do not contact” list).
8.5 – Where we have processed personal data for any other reason (such as where you have contacted us with a question in connection with our services), subject to section 8.3, we will retain your data for twelve (12) months.
8.6 – In some circumstances you can ask us to delete your data: see section 9.1.3 below for further information.
8.7 – In some circumstances we may anonymise personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
9.1 – Under certain circumstances, you have rights under data protection laws in relation to your personal data. You may have the right to:
9.1.1 – Request access to your personal data (commonly known as a “data subject access request”). This enables individuals to receive a copy of the personal data we hold about them and to check that we are lawfully processing it.
9.1.2 Request correction of the personal data that we hold about you. This enables individuals to have any incomplete or inaccurate data we hold about them corrected, though we may need to verify the accuracy of the new data they provide to us.
9.1.3 Request erasure of your personal data. This enables individuals to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Individuals also have the right to ask us to delete or remove their personal data where they have successfully exercised their right to object to processing (see below), where we may have processed their information unlawfully or where we are required to erase their personal data to comply with local law. Note, however, that we may not always be able to comply with an individual’s request of erasure for specific legal reasons which will be notified to them, if applicable, at the time of their request.
9.1.4 Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. Individuals also have the right to object where we are processing their personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process an individual’s information which override their rights and freedoms.
9.1.5 Request restriction of processing of your personal data. This enables individuals to ask us to suspend the processing of their personal data in the following scenarios: (a) if they want us to establish the data’s accuracy; (b) where our use of the data is unlawful but they do not want us to erase it; (c) where they need us to hold the data even if we no longer require it as they need it to establish, exercise or defend legal claims; or (d) they have objected to our use of their data but we need to verify whether we have overriding legitimate grounds to use it.
9.1.6 Request the transfer of your personal data to them or to a third party. We will provide to individuals, or a third party they have chosen, their personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which they initially provided consent for us to use or where we used the information to perform a contract with the individual.
9.1.7 Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before the individual withdrew their consent. If an individual withdraws their consent, we may not be able to provide certain services to them. We will advise the individual if this is the case at the time they withdraw their consent.
If you wish to exercise any of the rights set out above, please contact us directly.
Individuals have the right to make a complaint at any time to the ICO, the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with concerns before you approach the ICO so please contact us in the first instance.
Our full details are:
Full name of legal entity: The International Schools Theatre Association
Company Number: 03108893
Registered Charity Number: 1050103
Email address: firstname.lastname@example.org
Postal address: 3 Omega Offices, 14 Coinagehall Street, Helston. Cornwall TR13 8EB