Data Protection Policy

Organisation: West Oxfordshire Performing Arts Foundation (WOXPAF) & Oxfordshire Festival of Speech, Drama & Musical Theatre (OFSDMT)

1. PURPOSE

 

This policy ensures that WOXPAF and OFSDMT comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in handling personal data responsibly, lawfully, and transparently.

 

2. SCOPE

 

This policy applies to all trustees, staff, volunteers, contractors, and third parties who process personal data on behalf of WOXPAF or OFSDMT.

 

3. DATA COLLECTED

 

  • Names, contact details, and emergency contacts of participants, volunteers, and staff.
  • Age and school details (for youth participants).
  • Medical or access needs (where relevant).
  • Media (photos/videos) for promotional use (with consent).
  • Financial information (for payments, scholarships, or donations).

 

4. LAWFUL BASIS FOR PROCESSING

 

Data is processed under:

  • Consent (e.g. marketing, photography).
  • Contractual necessity (e.g. event registration).
  • Legal obligation (e.g. safeguarding).
  • Legitimate interest (e.g. festival administration).

 

5. CONSENT MECHANISMS

 

Consent is obtained through written or digital forms, with clear options to opt in. For minors, consent is obtained from a parent or legal guardian. All consent records are stored securely, and consent can be withdrawn at any time.

 

6. DATA STORAGE & SECURITY

 

  • Data is stored securely (password-protected digital systems or locked physical files).
  • Access is restricted to authorised personnel.
  • Data is retained only as long as necessary (e.g. 3 years for festival records, 6 years for financial data).

 

7. RIGHTS OF INDIVIDUALS

 

Individuals have the right to:

  • Access their data.
  • Request correction or deletion.
  • Withdraw consent.
  • Lodge a complaint with the ICO.

 

8. DATA SHARING

 

Data is not shared with third parties unless:

  • Required by law.
  • Necessary for event delivery (e.g. adjudicators, venues).
  • Explicit consent is given.

 

9. BREACH MANAGEMENT

 

Any data breach will be reported to the Chair and, if necessary, to the ICO within 72 hours.

 

 

10. POLICY REVIEW

 

This policy will be reviewed annually by the Board of Trustees and updated as necessary.

 

v1.0
