Last updated April 2026
acta Information and Data Protection & Privacy Policy
Acta is committed to protecting your privacy and safeguarding your personal information. Whenever you provide such information, we are legally obliged to use your information in line with all applicable laws concerning the protection of personal information, including the Data Protection Act 1998 and the General Data Protection Regulation 2018.
The purpose of the policy is to ensure that acta:
- Complies with the latest Data Protection Legislation
- Follows good practice
- Protects clients, staff and other individuals
- Protects the organisation
The Policy of acta is:
that all personal and sensitive organisational information, however received, is treated as confidential with regard to the terms of the Data Protection Act 1998, the Human Rights Act 1998 and General Data Protection Regulation [GDPR] 2018. This includes:
- Anything of a personal nature that is not a matter of public record about a service user, partner organisation, member of staff, volunteer or trustee.
- sensitive organisational information.
to comply with the law in obtaining, processing and using personal information and in the protection and disclosure of that information, as defined in the General Data Protection Regulation [GDPR] 2018.
The eight Data Protection Principles are that data is:
1. processed fairly and lawfully
2. obtained and processed for a specific purpose
3. adequate, relevant and not excessive
4. accurate and up to date
5. held for no longer than necessary
6. processed in accordance with the rights of the data subjects
7. kept secure from unauthorised processing or disclosure
8. not transferred outside the EEC area unless the same safeguards apply
In addition we outline [GDPR 2018]:
- How we obtain your personal information
- What personal information we collect
- How we use your personal information
- Legal bases for collecting and using your personal information
- Legitimate interests
- How long we keep your information
- Security
- Links to other websites
- Communicating with you
- Sharing of your personal information
- Your Rights
- Changes to this policy
- Contact details and complaints
that sensitive personal information will not be disclosed to a third party without the prior, informed consent of the individual including family members concerned other than in exceptional circumstances. These include:
- to comply with the law or a court order.
- where there is a clear health or safety risk (or evidence of fraud)
- anonymously, for statistical research purposes.
not to gain or seek to gain access to information other than that for which Acta has authority. In general:
- staff and volunteers will have access to the information they need to know to carry out their work and have a duty to respect the confidentiality of that information.
- Team managers should be responsible for ensuring that the Data Protection policy and procedures are followed within each team.
- the purpose and the people likely to have access to sensitive personal information will, where possible, be explained and informed consent obtained, before such information is recorded.
- references to service users in meetings and reports will, normally, be anonymous rather than by name or address.
- IT workers and volunteers will work in collaboration with the trustees and staff to ensure that the organisation's IT systems work efficiently and effectively and are secure and protected.
- Trustees have overall responsibility for ensuring that the organisation complies with its legal obligations.
that a breach of this policy will be treated as a serious disciplinary matter.
The Information Commissioner
acta is registered with the ICO. Registration number: ZA143051
Performance Standards
- Compliance with the policy will be reviewed annually by the Trustees
Data Protection – Requests for Information from service users
1. Requests for Information/ Subject Access:
- Will only be accepted either in writing or by e-mail and will be passed to the Data Protection Officer who, in consultation with the Manager, will action the request. You will need to provide:
- Full name, address, email address, phone number, so that your identity can be verified against our records and your information located
- Copy of photographic ID
- An indication of what information you are requesting to enable us to locate this in an efficient manner
- Your request will be recorded in a log of Data Protection Information Requests and there is no fee for Subject Access Requests. acta reserves the right in certain situations to refuse the request; otherwise we will comply within one calendar month.
2. Providing Information:
- Information may be in paper or computer form (both are covered by the 1998 and 2018 Act) emailed to info@acta-bristol.com and will be provided within one calendar month.
- A copy of all information provided will be kept with the log.
- A description will be given of the personal data held, the purpose for which it is being processed and those to whom the data is or may be disclosed.
- A copy of the actual personal data held will be given whenever possible (e.g. extracts from the database).
- The source of personal data held will be supplied with the omission of information which will identify third parties unless their permission has been obtained. (See guide to information that may identify a Third Party.)
- acta will ensure that all relevant information is located and provided.
3. Procedure
The Data Protection Officer will:
- Maintain a log of all information requests and all subsequent actions.
- Acknowledge receipt of the request in writing and give the date by which the information will be provided.
- Contact relevant staff within acta in order to collect the required information which may be obtained.
- Collate the information provided and forward it to the individual making the request. An accompanying letter will state that a personal meeting can be arranged if further detail/explanation of the data is required.
- Arrange a personal meeting on receipt of a request in writing or by e-mail. The meeting will be attended by all relevant personnel including the Data Protection Officer.
- Keep a copy of all information provided and take minutes at any personal meeting. This information will be retained with the log in case of subsequent court action.
4. Amending Personal Data:
- Requests for amendment or correction of the personal data held should be in writing.
- Where appropriate, the Data Protection Officer may request evidence in support of the amendment or correction.
- In deciding whether an amendment or correction should be made, the Data Protection Officer will liaise with the relevant staff members.
- Where an amendment or correction is refused, a letter explaining the reasons for refusal is sent. A note of the request and reasons for refusal is appended to the file.
Data Protection – Requests for Information from Third Parties (Other than the Data Subject)
1. Requests for Information:
- Will only be accepted if made in writing
2. Providing Information:
In general, information about an individual can only be given out with the consent of that individual.
- The Data Protection Officer should be informed and asked to log the request.
- The person or organisation seeking the information should be informed that consent will be obtained from the data subject before the information is disclosed.
- Write to the person concerned and ask for their written consent, explaining the nature of the information sought.
- If consent is received, the information can be disclosed.
The exception to this is where information is requested for the purposes of the prevention or detection of crime or the apprehension or prosecution of offenders. The request must be in writing and must clearly state:
- The reason for the request.
- The implications of our failure to disclose.
It should be passed to the Data Protection Officer who will:
- Log the request.
- In consultation with the Manager, action the request, if appropriate.
Any questions with regard to the disclosure of information should be referred to the Data Protection Officer.
Working from home
1. Acta will keep note of which staff take work home with them.
Home computers should have records removed once project/work records are no longer needed for home working.
2. Staff agree to keep work taken home secure, to return all work-related material upon the completion/termination of their contract; and that Acta be immediately informed if information happens to get into the wrong hands.
3. Laptops will be encrypted
Security Statement
1. Acta has taken measures to guard against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage.
This includes:
- Adopting an information security policy
- Taking steps to control physical security (projects and staff records are all kept in a locked filing cabinet)
- Putting in place controls on access to information (password protection on files and server access)
- Establishing a business continuity/disaster recovery plan.
- Taking regular back-ups of computer data files, which are stored in a safe location.
- Training all staff on security systems and procedures
- Detecting and investigating breaches of security should they occur
Recording Personal Information
This Procedure relates to all records of personal information.
The Data Protection Act gives the individual rights regarding personal data held about them by others. The Act does not distinguish between paper and computer records. Individuals have the right to see either type of record provided they apply in writing. These records will include diary entries made on acta’s database system.
If an individual objects to the records held or to actions taken as a result of these records, they have the right to take acta to court under the Act.
Certain types of personal information are classified as ‘sensitive’ and acta needs the individual’s express permission to hold this data. The types of sensitive data as defined under the Act are:
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Trade Union membership
- Physical or mental health
- Sex Life
- Offences alleged or committed
When making entries in the Database system and for inclusion in paper files, ensure that the entry conforms to the following:
- Relevant & Brief – Use the minimum number of words needed to explain what you want to say.
- Factual & Accurate – Always ensure that you can prove what you write down. Do not record hearsay from a third party. Record information only if you would be willing to repeat it in court.
- Do not record ‘sensitive’ information as defined in the list above unless you know we have written permission from the individual to record that information.
Marketing campaigns
- All methods used to collect data will include an explanation of what the data will be used for. There are clear opt out systems for marketing in all data collection methods. Marketing campaigns will always be limited to those who have given their permission for their details to be used for marketing purposes.
- Unsolicited electronic mail will only be sent if the person has explicitly given prior permission unless the following conditions have been met:
- the person’s details have been secured in the course of a sale or negotiations for a sale of a product or service, e.g. the purchase of a ticket for a show or event;
- the messages are only marketing similar products or services; and
- the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.
Unsolicited emails must identify the sender and address of sender.
- Mail based and telephone marketing
Prior to unsolicited contact, checks will be made to ensure that individuals and organisations who have registered their details with the TPS (Telephone Preference Service), the FPS (Fax Preference Service) or the MPS (Mailing Preference Service) are not contacted.
If the person or organisation targeted asks to be taken off the mailing list, complying is essential. Failure to comply can lead to an order from the courts under section 11 of the Data Protection Act.
In addition we outline [GDPR 2018]
1. How we obtain your personal information
Directly from you: We collect personal information when you communicate with us using any media or in person. You may give us information to sign up for one of our workshops or events, ask about our activities, make a donation to us, or fundraise on our behalf.
From other organisations or sources: your information may be shared with us by partner healthcare providers. These health care providers and third party payment providers will only do so when they have told you your personal information will be shared and, generally, when you have indicated that you wish to support Acta.
You should check these organisations’ privacy policies when you provide your personal information to understand how they will use and share it.
When information is publicly available: we may collect and combine information that is publicly available with information we already hold to better understand you. This may include:
- a. Information publicly available on social media platforms like Facebook (please see below for Facebook’s ‘Custom Audience’ programme), Twitter or Instagram: we may collect personal information when you have used social media platforms to contact us. Please check your privacy settings or their privacy policies as you might have given us permission to access information from those accounts.
- b. Information publicly available on newspapers, articles or other websites such as Companies House and Land Registry.
- c. Information publicly available when researching/analysing supporters as explained in section 3 below.
When you visit our websites: we automatically collect technical information from your computer or device such as IP address via Google Analytics.
We may combine your personal information from one or more of these sources for the purposes set out in this policy.
2. What personal information we collect
We may collect, store and use the following kinds of personal information:
a. Identity data, including your name, address, mobile number, date of birth and sometimes including sensitive data relating to your medical requirements as required for our projects supporting vulnerable adults. This data is held under the ‘sensitive data’ protection outlined in this policy (for example, sign up for a group or project).
b. Contact data, including your email address, postal address, and phone number (for example, if you sign up to receive updates from us, make a donation or make a payment via Donorbox, Link or Eventbrite to attend one of our Elevate workshops or buy one of our products, e.g. theatre books).
e. Technical data such as your IP address, when you browse our website via Google Analytics and our WordPress Website.
f. Marketing data such as your preferences for receiving communications from us.
g. Media data such as photographs, video and audio recordings which will only be used if we have your consent.
h. Any other information you provide us as above (see How we obtain your personal information)
3. How we use your personal information
As a charity we rely on a variety of methods to keep our participants, partners and supporters engaged and informed about our work. We may use data collected for different purposes. Acta processes your personal data for the following purposes:
- to keep you informed and obtain your views of our activities;
- to provide you with information about services available to you through Acta, and third parties connected with us either as directed communications or newsletters;
- to process your payments/donations and keep our records updated;
- to process and respond to requests, enquiries and complaints received from you or about you;
- to provide services or information requested by you and any related communications;
- to report to the Arts Council as part of our NPO funding. This is analysed and anonymised and helps us to report on the results and impact of our work;
- to administer our website;
- to process employment applications;
- to transfer to service suppliers who undertake processing on our behalf, at our direction or otherwise to transfer any personal information to any other regulator or government body as required;
- for legal obligations (including those arising under contracts) and regulatory compliance;
- for audit purposes and to administer our accounts;
- to detect or prevent fraud, misuse of services or money laundering;
- the enforcement of legal claims;
- for any other purposes which we will notify you about.
4. Legal bases for collecting and using your personal information
In order to lawfully collect, hold and use your personal information, we must rely on one or more of six grounds set out in data privacy law. We consider the following to be relevant to our use:
- Where you have given consent (for example, to send you our newsletter by email, and we may ask for your explicit consent to collect certain types of sensitive information).
- Where it is necessary to comply with a legal obligation
- Where it is necessary to comply with our NPO status from The Arts Council
- Where it is necessary for the performance of a contract with you or take steps at your request prior to entering into a contract (for example if you pay to book on one of our courses).
- Where it is necessary to protect someone’s vital interests. Whilst we are not able to advise people directly on their personal circumstances, and do not provide a helpline service, as an arts charity focused on health and wellbeing we may from time to time receive enquiries from individuals in distress. We may refer these enquiries on to those better equipped to assist if we feel yours or another’s vital interests are at risk.
- Where there is a ‘legitimate interest’ in us doing so.
Legitimate interests
The law allows us to collect and use personal information if it is reasonably necessary to achieve our or others’ legitimate interests (as long as to do so is fair, balanced and does not unduly impact on your rights). In general, our legitimate interests are the running of a charitable entity and pursuing our mission and vision. This may include charity governance, administration and operational management, and fundraising and campaigning (including sending marketing by email, and analysis in order to develop effective communication strategies). When we rely on this lawful basis, we consider and balance any potential impact on you (positive and negative) and on your privacy rights.
5. How long we keep your information
Whatever your relationship with us, we only keep your personal information as long as necessary to fulfil the purposes we hold it for, including satisfying any legal, accounting or reporting requirements.
This will be for a specified amount of time in accordance with our internal retention policy.
That length of time may vary depending on the reasons for which we are processing the personal information and whether we have a legal (for example under financial regulations) or contractual obligation to keep it for a certain amount of time.
Once the retention period has expired, personal information will be confidentially disposed of or permanently deleted.
If you object to further contact from us, we will keep some basic information about you on a ‘suppression list’ in order to comply with your request in the future.
6. Security
At Acta we undertake proportionate and appropriate measures to ensure security and confidentiality of your personal information. We make sure that your personal information is only accessible by trained staff, volunteers and contractors (e.g. Freelance Artists working on specific projects), and that they are only given access to what they need to perform the task.
Access to sensitive personal information will be restricted to only those individuals that need this data in order to carry out their functions. We also use password protections. These are examples – we ensure appropriate measures are in place proportionate to the risk involved.
The transmission of information via the internet is never completely secure, and we cannot guarantee the security of personal information transmitted via the internet unless via a secure site such as Link when booking on a course or purchasing a product from us.
International transfers
In general, the personal information that we collect is stored at a destination within the UK or European Economic Area (EEA).
7. Links to other websites
Our website and newsletter include links to other websites which you may find useful. This policy does not cover their privacy practices and we are not responsible for the content of other sites or their privacy policies and practices. We encourage you to read the privacy policies of any external sites you visit via links on our websites.
8. Communicating with you
Marketing and any fundraising communications
We may use your contact details to provide you with information about our work (including our campaigns), events, services and/or activities which we consider may be of interest to you.
Where we do this via email, SMS, telephone, or post (where you are registered with the Telephone Preference Service), we will not do so without your prior consent (unless allowed to do so via applicable law).
Where you do not wish to be contacted by us about our work, events, services and/or activities in the future, please let us know by email at info@acta-bristol.com. You can opt out of receiving emails from acta at any time by clicking the “unsubscribe” link at the bottom of our emails.
Social media/digital
Depending on your settings or the privacy policies for social media sites like Facebook and Twitter you may receive targeted advertisements about acta through our use of social media audience tools.
We may participate in Facebook’s ‘Custom Audience’ programme, which enables us to display adverts to our existing supporters, or people with similar interests, when the
provide your email address, mobile number and address, to Facebook so they can determine whether you are a registered account holder with them (or so they can create a ‘lookalike’ audience). Our adverts may then appear when you access Facebook. Your details are sent in an encrypted format that is deleted by Facebook if it does not match with a Facebook account. For more information about this, please see Facebook’s relevant guidance and policies.
Administrative communications
We will also communicate with you for other purposes using the contact details you have provided. For example, if you have signed up to participate in an event or have made a donation.
Please be aware we may still need to contact you for administrative purposes even where you have opted-out of receiving marketing from us.
9. Sharing of your personal information
Sensitive personal information will not be disclosed to a third party without the prior, informed consent of the individual including family members concerned other than in exceptional circumstances. These include:
- to comply with the law or a court order.
- where there is a clear health or safety risk (or evidence of fraud)
- anonymously, for statistical research purposes.
10. Your Rights
Where we rely on your consent to use your personal information, you can withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing purposes (change your communication preferences at any time by contacting us). You also have the following rights:
- Right of access – You can request access to personal information we hold about you. Provided we are satisfied that you are entitled to a copy and we have confirmed your identity, we will provide the information subject to any applicable exemptions. If you wish to make the request, please see how to apply at the top of this policy.
- Right of rectification – You have the right to request that we correct inaccurate personal information concerning you. You can ask us to check if you are unsure.
- Right of erasure – In some circumstances you may request we delete your personal information (this is sometimes called the ‘right to be forgotten’). Note that in many cases we will need to keep limited personal information about you in order to ensure we don’t send you further communications.
- Right to restrict processing – You may ask for our use of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
- Right to object – You can ask us not to use your personal information for direct marketing purposes, or where we are using it on the basis of our legitimate interests or for research or statistical purposes. You may opt-out from email marketing by clicking the ‘unsubscribe’ link in our emails.
- We may ask you for additional information to confirm your identity before disclosing personal information to you.
- Please note that these rights may only apply in limited circumstances. For more detailed information, we suggest you consult guidance from the Information Commissioner’s Office (ICO).
11. Changes to this policy
We may need to update this policy from time to time, including to reflect changes in the relevant law or in the way we collect, process and store your data. We will notify you when significant changes will be made to this policy.
Contact details and complaints
If you have any queries or complaints relating to this policy, please contact us either by email at info@acta-bristol.com or by writing to us at acta, Gladstone Street, Bedminster, Bristol, BS3 3AY.
Acta Data Protection Officer: Rosa Martyn, Marketing and Communications Coordinator
Last reviewed: February 2026
Next review: February 2027