Introduction
Arcola Theatre is committed to protecting the privacy of all those who are involved with it. We are also committed to being transparent about how we collect and use personally identifiable information. We hope that this document answers any questions you may have, but if not, please do not hesitate to get in touch with us.
The purpose of this document is to tell you how we collect, store and use your personally identifiable information. This includes any information we receive from third parties. It covers all of the activities of Arcola Theatre, whether these are as Arcola Theatre Production Company (charity number 1108613, company number 5242988), or Arcola Theatre Limited (company number 04078239), both registered and based at 24 Ashwin Street, London E8 3DL, United Kingdom. These activities include producing shows, selling tickets, providing opportunities for participation and learning, running our bar, fundraising, promoting our activities, and running the theatre. This document is relevant to anyone who we collect or hold personally identifiable information about, including customers, donors, participants, volunteers, interns, employees, creatives, performers and others involved in producing or staging shows. Information will be shared between Arcola Theatre Limited and Arcola Theatre Production Company staff, and vice versa, as necessary, in line with this policy.
We collect, store and process personally identifiable information in accordance with all applicable laws, including the UK Data Protection Act (2018), Privacy and Electronic Communication Regulations, and European Union General Data Protection Regulation.
This document covers the following topics, for each of the activities that we collect, or use personal information for:
- what information we may collect about you
- how we may use it
- why we do so, including the legal basis and how this balances with your right to privacy, if relevant
- how long we will keep your personal information
It also covers the following:
- Children’s data
- When we disclose personal information to anyone else or store it or process it on computer systems based in other countries
- Keeping your personal information correct and up to date
- Your right to check what information we hold about you, and to have us delete it or stop processing it in some circumstances
- How we keep it secure from unauthorised access
- Debit and credit card information
- Cookies and our website
- CCTV
- How to get in touch with us or make a complaint
- How we change this document
Because we collect, store and use personal information about people with a range of different relationships with us, information in this document may not all be relevant to you.
Personal information collected from customers
When you first buy a ticket to see a show from us, we collect some contact details in order for you to be able to collect your ticket(s) on the night, and in case we need to contact you if there is a cancellation or changes to arrangements, and to process payment if you are paying by debit or credit card. We will always ask for your name and address and we will usually also ask for a phone and email address. If you are a returning customer, we will usually ask for some details other than your name to be able to find your other details, for example your postcode. We store all of this information (apart from your debit or credit card information) so that we have it to hand if you buy a ticket from us in future, and will keep it for 11 years after you have last booked from us, unless you ask us to delete it before then. We are, of course, happy to delete it sooner if you would like. If so, please contact us.
We will ask about, but not require, some other information for targeting marketing communications, such as your age and interests. This will be kept for the same period, and is only collected if you provide it. We are happy to remove this anytime if you ask us to.
We may also ask you if you have any special access needs that we can prepare to accommodate. This is only stored with your consent. We will keep this information for if you book in future if appropriate for the same period. This will only ever be used to aid your access to shows and be kept confidential. It will be stored in our ticketing system (Spektrix) but with no right for Spektrix to use it for any purpose other than to provide us access to it. This will not be disclosed to staff other than those that need access to it. We are happy to delete this at any time. If you would like us to remove or update this, please get in touch or tell one of our front of house staff.
We believe that most customers will want to hear about future shows, so we will also send you some information by email about our future shows which we believe you may be interested in, unless you tell us that you would prefer not to receive this. You can unsubscribe from these at any time from a link included in any of these emails, or by contacting us. We never want to send unwanted marketing information, so please let us know if you would prefer not to receive this and we will be happy to unsubscribe you. We will usually ask when we first collect your information if you would prefer not to receive these. We may also send flyers or brochures to some customers who attend more frequently. Again, please let us know if you would prefer to not receive these, but we will usually not do so unless you are a more frequent visitor and we have asked you about your preferences. Our legal basis for using your personal information to send marketing information is that we believe we have a legitimate interest in marketing shows to customers who may be interested, but we will not do this if we know that you would prefer not to receive these and will always offer you the opportunity to unsubscribe easily (as a link in emails or by contacting us). We also offer the opportunity to sign up to our email marketing list by providing your email to the box office staff, on a sheet in our foyer, or online.
We store records of bookings for our financial records for 7 years, which we need to do for accounting purposes. We also store this information to be able to better target marketing emails, and will keep it for this purpose until either you ask us to remove it, or you have not visited for 11 years. As with your contact information, we do this because we believe we have a legitimate interest in marketing to customers who are more likely to be interested in particular shows, but we are happy to remove this information if necessary and will do so if you tell us you would like us to.
We may use your address information to develop anonymised information about the average distance our customers travel or the locations that they live in, to help ensure that we reach our target audience and to monitor our environmental impact as a result of customers travelling to get to us. We will not use your personal information to produce this anonymised information longer than two years after your last visit, but we may store the anonymised conclusions of this analysis indefinitely for comparison.
If you email us, we will keep a record of this correspondence for our records, as long as it is useful to us, and in order to defend against legal claims, generally deleting it 50 years after it was received. We will however review whether we need to continue to hold your emails for these purposes if you ask us to.
Donations and fundraising
As a charitable organisation that depends on donations from donors and regular donors (supporters), we need to gather some information, and in some circumstances get in contact with you, about the possibility of you donating or becoming a supporter. We believe we have a legitimate interest in conducting fundraising activity, and this is our legal basis for these activities, but we do not want to send unwanted communication about opportunities to support us, or to hold information that donors or other people would prefer us not to gather or use, so please inform us if you would prefer we not do any of the below. You can also ask us for details of what information we have at any time by getting in touch. Information gathered for the purpose of targeting our information about donations and the benefits of supporter schemes will not be used for other purposes.
If you choose to make a donation, we may process the information you have provided us in order to claim Gift Aid, if you have given us consent to claim this. We may email you about your donation for other administrative reasons or to explain how it is helping us and to thank you. We may also contact you by email about other opportunities to donate to Arcola Theatre or benefit from being a supporter. We may in some circumstances also gather publicly available information about you, such as your job title or involvement with other organisations if these are publicly available, and use this to decide whether to contact you about opportunities to support our work.
If we hear from you that you particularly enjoyed a particular show, we may contact you about becoming a supporter to enable us to do more similar work in future.
We may also contact you if you have performed here, participated in a course here, paid for a course here for a specific young person, or been involved with a production here, with information about becoming a supporter if we think you might be interested.
If you are introduced to us specifically by one of our supporters, we may store information about your relationship with them that either you or they give us, unless we hear from you that you would prefer us not to.
In some circumstances, we may contact you even if you have not given us your contact details explicitly, if you have made these public for the purposes of being contacted about a particular community role, and we believe that you may be interested in supporting us because of that role. We will always offer you the opportunity to opt-out of emails like this in every email, and we will only use publicly available contact details which we believe have been made available for the purpose of being contacted about things of interest to you in your community role. Please let us know if you would like to stop receiving any of these emails, or follow the unsubscribe link from any email.
Feedback
We may ask you to complete a post-show feedback survey, asking you what you thought of a show you have been to see. We will always do this within 3 months of your visit, and participation is optional. If you do participate, survey responses will only be kept anonymously, unless you choose to identify yourself or you enter personal information into free text fields in the survey. We use this information to improve our work. If you choose to identify yourself, we may contact you about your comments within 3 months of you submitting the survey.
Literary submissions, visiting companies, PlayWROUGHT, commissions, STAMP and Arcola LAB
If you sign up to hear about information from us about our support for new writing or emerging artists, through our PlayWROUGHT mailing list, through STAMP, or our ArcolaLAB application form, we may use this to contact you about opportunities for support for new writing from us. If you apply to PlayWROUGHT, we will also store information about your work for the purposes of judging it to choose a winner. We collect special category information about applicants for ArcolaLAB, including ethnic background, in order to fulfil the mission of the ArcolaLAB programme to help increase the diversity of British theatre.
We also collect the names of artists whose work we are interested in, and details about their work, for the purposes of deciding who to work with, offer opportunities to collaborate with or to commission. This includes unsolicited submissions.
We invite proposals for productions on our website, and we may initiate discussion after seeing your work. We will keep contact information that you supply us while there is a possibility we may proceed with the production, which may be years later. If we enter into a contract, the contract will be kept indefinitely to defend against legal claims, and it may include your personal information and that of a witness to your signature.
Cast and creatives
We keep names of the cast and creatives involved in our productions indefinitely for our own archive purposes. We will keep the email address of cast and creatives in order to invite them back to anniversary events of the theatre indefinitely or otherwise contact them about their work, unless asked to remove it.
While casting productions, we store the names of performers and creatives who we are interested in contacting from publicly available information and from Spotlight. If we are interested in scheduling an audition, we will make contact via Spotlight or via your agent. If you attend an audition, we will keep contact details that you give us until after the production and any potential transfer, revival or tour is completed in case we decide to cast you in the production, and for the purposes of casting future productions.
We are required to report on the diversity of our cast and creatives to the Arts Council, and aim to have casts and creatives representing a diverse set of backgrounds, so keep information to monitor our own performance in this regard. We aim to keep this anonymous, but the small number of people involved in some productions makes it impossible to effectively anonymise this in some circumstances. Where this is the case, we will ask for your consent and how you identify.
If you are a cast member, we may need to discuss your health, welfare or performance with you and your agent, and in cases of ill health, with a doctor, in line with your contract. We may keep any such correspondence for the defence of legal claims indefinitely.
Employment, internships and volunteering
When you apply for a job, you will be required to complete an application form and equal opportunities form, as well as be asked about any access needs. Application forms will not be kept for longer than a year after the position is filled. The information in the equal opportunities form is only used to ensure that we are providing opportunities to a diverse range of people, and kept for no longer than a year after we close applications for the position. Any access information will only be used to ensure that we can meet your needs if inviting you for interview.
If you attend an interview, we may store notes about your suitability for the job until the position is filled, unless you may be suitable for other positions in the near future, in which case we will keep them while that is the case unless you object. We will ask for references from previous employers for most positions and keep these until the position is filled.
After you start, we will collect other information, including your personal phone number and email, address, and bank details. If you are a paid employee, we will gather information about your tax code from you, your P45, HMRC or letters from HMRC.
We store similar information about applicants for internships, but do not share it with HMRC or store it in our payroll system if you are unpaid. For successful applicants to our internship programme, we may keep details of your time here, duties assigned and performance and attendance for up to 5 years in order to provide references or contact you about future opportunities.
For volunteers, we store similar information as paid employees, except that we do not collect tax or banking information.
If you are employed by us, we will keep information about any disciplinary matters, the agreed notes from your regular appraisals, any doctors' sick/fit notes, reports from doctors in line with your contract if necessary, and a description of your experience or CV for employment related matters. These may be kept for up to ten years after you leave us, for the purposes of giving references. We will also provide necessary information to the NEST pension scheme if you are an employee entitled to a workplace pension, or the Equity pension scheme as appropriate, for up to seven years.
We may ask for proof that you are entitled to work in the UK, including a copy of your passport, and store this information while you work for us, and for three years afterwards.
If you do shift work, we will keep information about your planned and accepted shifts in our rota and report applications, along with your email, for up to two years after you have left. We will also keep details of any accidents or near misses, in our reporting application for up to 40 years after they occur for defending legal claims.
Space hire
If you submit an enquiry about hiring space from us, we will store the details needed to prepare the contract, including your email, phone number and address, for the duration of the negotiation period, or until 6 months after the hire has been concluded and paid for, for the purposes of administering the hiring. We will keep copies of the contract, which may contain the same details, indefinitely for the purposes of defending against legal claims.
Sustainability and travel information
We may ask you for anonymous information about how far you travelled to get to us, in order to monitor the environmental impact of customers' travel to get to us. We will only store this information as part of anonymous results, and will not use it for other purposes. We will always identify that this is why we are asking. The anonymised conclusions of this analysis may be kept indefinitely.
Participation companies and classes
If you join one of our participation companies that is only open to certain groups, we may be aware of special category data about you, as a result of your membership of that group. For example, if you join Arcola Queer Collective, we will be aware that you do not identify as heterosexual. We will only store this special category information with your permission, but not being able to store it may impact our ability to give you a reference for your participation in the group. We will not disclose this to anyone outside of the participation group and the staff members who run and administer it, unless you are involved in a public production by the group, in which case you will be credited, with your permission.
We may also ask you other questions for reporting the impact that these groups have, for funding reasons. This may include your sexual orientation, ethnic background, or employment status. This information will be anonymised after it is collected, and not stored longer than necessary to do this (within 1 year of the end of the term of the programme you were involved in).
We will otherwise (where it does not imply special category data, such as your sexual orientation or ethnic background) keep information about your membership of these groups for the purposes of providing references in the future, and informing you about opportunities that are available to members of these companies, including shows that we put on and job opportunities that we hear about.
We will keep records of your attendance at our participation programme classes, workshops and rehearsals for safeguarding, reporting to funders and administrative reasons, but we will never disclose this to an outside body, except where required by law, unless it is necessary to safeguard the welfare of a child or vulnerable adult.
We may ask you for feedback on our classes or company programmes. This will always be anonymised, unless you identify yourself in the feedback.
We may keep notes on your suitability for roles in a participation programme production if you audition for one of these. We will not keep these longer than for the duration of the production.
Children’s data
We will not knowingly collect personal information from those under 13 without their parent or guardian’s consent. Where we expect to be collecting the personal information of under 13s, for example when selling tickets for shows aimed at under 13s, we will ask people’s age when collecting their information, and get parent’s or guardian’s permission where they are. If we know people will be under 13, for example in Young AYT classes, we will always ask for this.
Disclosing personal information to third parties and processing personal information abroad
We may need to disclose your personal information to the appropriate authorities if we become aware of a concern about the welfare of a child or vulnerable adult. We will only do this in line with our safeguarding policy.
If you are involved in any of our productions, including participation company productions, we may use the information about you we have, including special category information, to decide if you are suitable for other roles we are asked to identify people suitable for. For participation productions, we will look at your personal information to consider if you are suitable for these roles for up to 3 years, except for people involved in our programmes for young people, where we will do this for up to 5 years. We will never pass on your personally identifiable information, including identifying that you are suitable for a role, unless the information that determines your suitability is already widely available publicly (for example in the publicity information of other productions you have been in) or on Spotlight, without your prior permission.
If you have worked for us, or been involved in a participation programme production, we may provide information about your involvement or employment, your role and duties and your attendance and performance, in the form of a reference, to anyone asking for it, with your prior permission.
If you are a paid employee of ours, we will share any relevant information about your tax or student loan repayment status with HMRC as required to, and store it in our payroll system, Xero, for the purposes of running our payroll.
If you work for us, and receive any training supplied by an external body, we may provide your information to the company providing the training for the purposes of administering the course or confirming requests to verify that you have received that training.
We may ask if you wish to have your contact details shared with other companies we work with, but we will only share them where you have agreed to us sharing them with the particular company in question.
We store much of our own data on Google Drive, as part of our organisation GSuite account (rather than on personal Google Drive accounts, which are subject to different confidentiality agreements), and we may store any information we have mentioned that we collect or store in this document in this. We may also store any of the information we have mentioned that we collect or store in Spektrix, our ticketing, fundraising, relationship management and email marketing system, or in databases or on servers controlled by us on Amazon Web Services (AWS) and Google Cloud Platform (GCP). AWS and GCP are major global cloud computing providers, providing us with cloud computing services, and our use of them does not give them additional rights to market to you as a result. With regard to the AWS or GCP cloud platforms, we will always use the UK or Ireland regions where possible. We may also use Survey Monkey to contact you about surveys or collect information from you, as mentioned elsewhere in this document. Finally, if you are involved in a production, including a participation programme one, we may store your personal information in Basecamp. All of these may involve storing or processing your information on servers outside the EU, where they are controlled by these third parties, but we will always require them to only do so in countries where your rights under the GDPR are appropriately protected and enforceable – i.e. where there is an adequacy decision in place from the European Commission, or where they have a representative in the EU and agree to binding corporate rules that ensure that your rights under the GDPR are appropriately protected and enforceable.
Keeping your personal information correct and up to date
We will try to keep your personal information up to date, and may contact you from time to time to ask you to check the information we hold about you is still correct. You may contact us at any time to ask us to update this or inform us if it has changed.
Your rights to access or ask us to delete your personal information or to object to processing
You may ask us at any time for details of all of the personal information we hold about you, or for the information itself, in an appropriate machine readable format if desired, and we will provide this provided you are not making excessive or unfounded requests. We will need to verify your identity to be able to complete these requests.
Please get in touch if you object to anything in this document or about how we collect, use or store your personal information. We can erase your personal information if you ask us to where we are processing it based on your consent alone, where it is no longer necessary for the purposes for which it was collected, or any other circumstances where we are otherwise legally required to.
Security
We have policies in place to prevent people from accessing personally identifiable information unless needed to do their job. We require all of our employees not to disclose personally identifiable information they come into contact with at work against the wishes of the person it is about.
Access to personally identifiable information is restricted to specific accounts belonging to people who need to access it to work. We use individual accounts wherever possible, and limit access where possible for shared accounts for people doing the same job. We secure access to all accounts via the use of strong passwords, and in some cases where security is particularly important because of the access someone has, with security tokens or secondary authentication methods (for example having to log-in with a password as well as confirming the attempt to login on a phone linked to the account).
We endeavour to apply security updates to devices we use, and software installations we maintain, as soon as possible, proactively monitoring news for details about new threats. We apply updates regularly, or as they become available if they present a significant threat to the security of our devices.
We keep devices on our internal network secure by limiting untrusted devices to parts of the network where they are not able to contact devices which we use to access personally identifiable information. We also block external traffic from entering our network where it is not in response to a request from inside the network, except in cases where access is needed to a device from outside our internal network, where requests from outside are only allowed to access that specific device.
We require employees to only access accounts that have access to personal information from secure devices. While we do allow employees to use personal computers for work, we only do so where we are convinced that they are kept secure, we are allowed access to them to verify this, and where personal information is removed when it is no longer needed to perform the task they are using it for.
We will contact you promptly to let you know, if we have your contact details, if there has been a breach of the security of your personal information, unless the breach just allows other internal employees to access the information and they are forbidden to do so by our internal policies, or encryption, anonymisation, or pseudo-anonymisation (where this is maintained despite the breach so you cannot be identified by anyone not authorised to do so) of the data prevents unauthorised people accessing your personal information or identifying you.
Debit and credit card information
We take the security of your credit or debit card information very seriously. We never store your credit or debit card information directly, instead relying on industry leading trusted third parties to process payments for us. We only use your credit or debit card information to charge for or refund these transactions as agreed, or in cases of chargeback requests.
Debit and credit card information given over the phone is entered directly into our third-party ticketing application (Spektrix) for processing by our payment processor (SagePay). In person, a credit or debit card terminal connected to our payment processor is generally used to collect the information and submit it directly and securely to our payment processor, and, for tickets or merchandise sold at the box office, to our third-party ticketing application as well. Box-office transactions are processed by SagePay, and bar transactions are processed by Fiserv. Online, it is collected using a component of our third-party ticketing system embedded into our website and submitted directly to their secure servers. We never store your security code and we never store your card details after the transaction is complete, apart from the last four digits of the card number. We store this in case there is a dispute about the card transaction for 7 years. Our payment processor stores your card details in order to process payments, comply with anti-money laundering legislation and to deal with charge-back requests. This is held for up to 7 years by SagePay, and only until the transaction has been authorised by Fiserv (non-personally identifiable information is held after the transaction is authorised for similar reasons). It is also passed to our acquiring bank, Elavon, in the case of box office transactions, in order to process the card transaction.
Both we and the third parties we use to help secure your debit or credit card information comply with the Payment Card Industry Data Security Standards.
Cookies and website logs
Cookies are small text files which are automatically stored by your web browser (such as Microsoft Internet Explorer or Edge, Google Chrome, Mozilla Firefox, Apple Safari etc) on your computer at the instruction of a website. When you visit the same site again, another page on the same site, or sometimes another site, these are requested by the website, allowing it to know some information about you from when you last visited, or from when you visited the site that the cookie originated from.
Cookies are widely used, and are necessary to make parts of our website function. For example, in order to remember what tickets you are in the process of ordering, the website must know what you have placed in your basket. It does this using cookies.
As well as using cookies to make our website function by remembering you when you sign in, remembering what tickets you are in the process of ordering etc, we also use cookies to help improve our website. Specifically we track how many people come to our site via adverts we have placed, and how many of them purchase tickets. We do this to monitor how effective adverts that we have placed have been in order to decide which adverts to place in future. We do not store information about where any identifiable individual has arrived at our website from, or what pages they have browsed, using cookies – this information is only available to us as anonymised information about our visitors as a whole. We use Google Analytics and Facebook to do this.
We store access logs to help secure our website and to ensure it is working properly. These store only the IP address access is from, the web browser and version (the UserAgent) you are using, and the URL (address) accessed. We never attempt to identify individuals from these except where we suspect a deliberate attack on our site, or with the permission of someone who is experiencing a problem. These are stored no longer than one month, unless part of an ongoing investigation into a suspected attack, where they are kept until we are sure we will not be prosecuting anyone using them.
CCTV
We use CCTV throughout the public areas of the building for the purposes of crime prevention, detection and investigation, and the safety of our patrons and staff. We will pass this on to the police when requested to do so to help with a police investigation. We store the CCTV for no longer than 1 year and access is restricted to staff who have a legitimate need to view it.
If you steal from someone in the building, or are violent or abusive to someone in the building, we will keep images of you from our CCTV for up to five years and use this to prevent you returning to the building or doing this again. These images will be shared with all of our staff, as well as staff of Arcola Theatre Limited, who also work in the building, to achieve this aim. We may also share these images with other organisations nearby for the purposes of coordinating our response. If you are acquitted in court of an offence in the building, we will destroy these images, if you notify us.
We may also use CCTV in spaces rented for the purposes of space hire to investigate when a space is left in an unacceptable condition, or equipment, or the fabric of the space itself, are damaged. This applies only to CCTV in these spaces and where this is a condition of the rental or use of the space.
Getting in touch
If you have any questions, concerns or requests, you think we have made a mistake with your personal information, or you would like to know more, please get in touch with us. You can do so by emailing us at dataprotection@arcolatheatre.com, phoning our office on +44 (0) 207 503 1645, or by writing to us at the following address:
Ben Todd,
Arcola Theatre,
24 Ashwin Street,
London E8 3DL
United Kingdom
We endeavour to respect your privacy, keep your personal information secure, and to use it fairly and reasonably. If you think we have failed to do so, we encourage you to get in touch with us first so that we can fix the problem as soon as possible, but you have the right to complain to the Information Commissioner instead or as well. At the time of writing, the following webpage provided details about how to do that: https://ico.org.uk/make-a-complaint/
Changes to this document
We will update details in this document as we change how we operate, or if we find ways to improve it. We will get in touch if there are changes to what purposes we use your information for, or if we collect new types of information, or in new circumstances. The most up to date version of this policy is available at https://www.arcolatheatre.com/terms/privacy/. This document was last updated on 24/09/2024.