Privacy Policy

Date: August 7, 2025 Author: Colin Billing Review Date: August 2026

1. Introduction

Welcome to BIGLITTLE Theatre School. We are committed to protecting your privacy and handling your personal data with transparency and care. This Privacy Policy explains how we collect, use, store, and share your personal data, and outlines your rights in relation to that data. We understand the importance of privacy, particularly when it concerns children, and are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy applies to all individuals whose personal data we process, including our students, their parents/guardians, staff, volunteers, and visitors to our website or premises. By engaging with BIGLITTLE Theatre School, you entrust us with your information, and we are committed to being transparent about how we use it.

2. Who We Are

BIGLITTLE Theatre School is the data controller responsible for your personal data. This means we determine the purposes and means of processing your personal data. Our contact details are:

BIGLITTLE Theatre School
Unit 11 Somerford Business Park, Wilverley Road, Christchurch, BH23 3RU
office@biglittle.biz
01202 434499
For any questions regarding this Privacy Policy or our data protection practices, please contact our Data Protection Officer (DPO) using the details provided in Section 9.

3. What Personal Data We Collect

We collect various types of personal data to provide our services, manage our operations, and ensure the safety and well-being of our community. The types of personal data we collect depends on your relationship with us (e.g., student, parent, staff member). This may include:

  • Identity Data: Names, dates of birth, and gender.

  • Contact Data: Addresses, email addresses, and telephone numbers.

  • Educational/Performance Data (for students): Attendance records, progress reports, audition results, performance participation details, photographs and videos of performances/classes.

  • Health Data (Special Category Data): Medical conditions, allergies, disabilities, first aid incidents, and any other health information relevant to ensuring your safety and providing appropriate support. We collect this data with explicit consent or where necessary for vital interests or substantial public interest (e.g., safeguarding).

  • Safeguarding Data (Special Category Data): Information related to safeguarding concerns or incidents, collected and processed in accordance with our legal obligations and for the substantial public interest of protecting children.

  • Financial Data (for parents/guardians/staff): Payment information (e.g., bank details for fees or payroll), billing addresses.

  • Employment Data (for staff/volunteers): Employment history, qualifications, DBS check results, references, performance reviews, training records, and national insurance numbers.

  • Communication Data: Records of correspondence with us (emails, letters, phone calls).

  • Technical Data: IP addresses, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to access our website.

  • Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences.

4. How We Collect Your Personal Data

We collect personal data from various sources, primarily directly from you or your parent/guardian. These sources include:

  • Direct Interactions: When you fill in forms (e.g., enrolment forms, consent forms), correspond with us by post, phone, email, or otherwise, or provide information during auditions, classes, or events.

  • Third Parties: We may receive personal data about you from various third parties, such as:

    • Previous schools or educational institutions (with appropriate consent).

    • Local authorities (e.g., for child performance licensing or safeguarding referrals).

    • Payment service providers for financial transactions.

    • DBS checking services for staff and volunteers.

    • Publicly available sources (e.g., Companies House for staff/contractor checks).

  • Automated Technologies or Interactions: As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies and other similar technologies. Please refer to our separate Cookie Policy for more details.

5. How and Why We Use Your Personal Data (Purposes and Lawful Basis)

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • To perform the contract we are about to enter into or have entered into with you: This includes processing your data for enrolment, providing educational and theatrical training, managing attendance, and processing payments.

    • Example: Using student names and contact details for class registers and communication about lessons.

  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests: This includes managing our operations efficiently, improving our services, and ensuring the safety of our community.

    • Example: Using attendance data to monitor student engagement and inform curriculum development.

  • Where we need to comply with a legal obligation: This includes our duties relating to safeguarding, employment law, health and safety, and financial reporting.

    • Example: Conducting DBS checks for staff and volunteers as required by law for safeguarding purposes.

  • Where we need to protect your vital interests or those of another person: This applies in life-threatening situations.

    • Example: Using medical information to administer emergency first aid.

  • Where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us: This includes our safeguarding duties and promoting the welfare of children.

    • Example: Sharing safeguarding concerns with Children’s Social Care or the police when legally required.

  • Where you have given us clear consent to do so: We will obtain your explicit consent for specific purposes, particularly for special categories of personal data (e.g., health data, images for marketing) or when there is no other lawful basis.

    • Example: Obtaining parental consent to use a student’s photograph for marketing materials.

5.1 Purposes for Processing Special Categories of Personal Data

We may process special categories of personal data (such as health information or data revealing racial or ethnic origin) under specific conditions, including:

  • With your explicit consent.

  • Where it is necessary for reasons of substantial public interest, such as for safeguarding children and vulnerable adults.

  • Where it is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

  • Where it is necessary for the establishment, exercise or defence of legal claims.

  • Where it is necessary to protect the vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving consent.

6. Who We Share Your Personal Data With

We may share your personal data with third parties where there is a lawful basis to do so and where appropriate safeguards are in place. This may include:

  • Internal Staff: Relevant BIGLITTLE Theatre School staff (e.g., teachers, administrative staff, DSLs, finance team) on a need-to-know basis.

  • Local Authorities: For child performance licensing, safeguarding referrals, or other legal obligations.

  • Emergency Services: In cases of medical emergency or immediate danger.

  • Payment Processors: For processing fees and payments (e.g., GoCardless, banks).

  • IT Service Providers: For data storage, website hosting, email services, and system maintenance (e.g., cloud service providers, software vendors).

  • Professional Advisors: Lawyers, accountants, auditors, and insurers who provide professional services to us.

  • Performance Venues/Organisations: When students participate in external performances or events, limited data may be shared for logistical and safeguarding purposes.

  • Regulatory Bodies: Such as the Information Commissioner’s Office (ICO) or the Department for Education (DfE), when required by law.

  • Other Schools/Educational Institutions: With appropriate consent, for student safeguarding or other issues.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

7. How We Keep Your Personal Data Secure

We have implemented appropriate technical and organisational measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include:

  • Access Controls: Restricting access to personal data to authorised personnel on a need-to-know basis.

  • Encryption: Encrypting sensitive personal data where appropriate, both in transit and at rest.

  • Pseudonymisation: Where feasible, using pseudonymisation to reduce the identifiability of data.

  • Regular Backups: Implementing regular backup procedures to prevent data loss.

  • Physical Security: Ensuring the physical security of our premises and data storage facilities.

  • Staff Training: Providing regular data protection and security awareness training to all staff, volunteers, and contractors.

  • Data Breach Response Plan: Having a clear plan in place to respond to and manage any personal data breaches promptly and effectively.

8. How Long We Keep Your Personal Data (Data Retention)

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

For example, safeguarding records are typically retained for a significant period (e.g., until a child reaches 25 years of age) due to legal obligations. Financial records are kept for a minimum of 6 years plus the current year for tax purposes. Details of specific retention periods are available upon request from our DPO.

Once your personal data is no longer required, we will securely delete or anonymise it.

9. International Data Transfers

We do not routinely transfer personal data outside the UK or the European Economic Area (EEA). If, for any specific purpose (e.g., using a particular cloud service provider), personal data needs to be transferred outside the UK/EEA, we will ensure that appropriate safeguards are in place to protect your data, in accordance with UK GDPR requirements. This may include relying on adequacy decisions, standard contractual clauses, or other legally approved mechanisms.

10. Your Data Protection Rights

Under UK GDPR, you have important rights regarding your personal data. We are committed to upholding these rights:

  • The Right to be Informed: You have the right to be informed about the collection and use of your personal data. This Privacy Policy serves to fulfil this right.

  • The Right of Access: You have the right to request a copy of the personal data we hold about you (commonly known as a Subject Access Request or SAR.)

  • The Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

  • The Right to Erasure (also known as the ‘right to be forgotten’): You have the right to request the deletion or removal of your personal data where there is no compelling reason for its continued processing.

  • The Right to Restrict Processing: You have the right to request that we limit the way we use your personal data in certain circumstances (e.g., if you contest its accuracy).

  • The Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes across different services. This applies to data you have provided to us and that we process by automated means based on your consent or for the performance of a contract.

  • The Right to Object: You have the right to object to the processing of your personal data in certain circumstances, particularly where we are relying on legitimate interests as the lawful basis for processing.

  • Rights in Relation to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently engage in automated decision-making or profiling that would have such effects.

To exercise any of these rights, please contact our Data Protection Officer (DPO) using the contact details provided below. We will respond to all legitimate requests within one month. If your request is complex or you have made a number of requests, it may take us longer than one month. In this case, we will notify you and keep you updated.

11. Data Protection Officer (DPO) Contact Details

BIGLITTLE Theatre School has appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and implementation to ensure compliance with UK GDPR requirements. The DPO is your primary contact for any questions or concerns regarding your personal data and this Privacy Policy.

Data Protection Officer: Colin Billing
Email: colin@biglittle.biz
Telephone: 01202 434499
Postal Address: BIGLITTLE Theatre School, Unit 11 Somerford Business Park, Wilverley Road, Christchurch, BH23 3RU

12. Complaints and Queries

If you have any concerns or queries about how your personal data is handled by BIGLITTLE Theatre School, we encourage you to contact our Data Protection Officer in the first instance. We are committed to resolving any issues you may have.

If you are not satisfied with our response, or believe we are not processing your personal data in accordance with the law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

Information Commissioner’s Office (ICO) Contact Details:

Website: https://ico.org.uk Helpline: 0303 123 1113 Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Any changes will be posted on our website and, where appropriate, notified to you directly. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

References

[1] UK General Data Protection Regulation (UK GDPR). (2016). Retrieved from https://gdpr-info.eu/

[2] Data Protection Act 2018. Retrieved from https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

[3] Information Commissioner’s Office (ICO). (n.d.). Your right to be informed. Retrieved from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

[4] Information Commissioner’s Office (ICO). (n.d.). Lawful basis for processing. Retrieved from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

[5] Information Commissioner’s Office (ICO). (n.d.). The data protection principles. Retrieved from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/