1. PURPOSE

This policy defines the requirements and responsibilities for safeguarding personal, confidential, and sensitive data collected, processed, stored, or transmitted by Theatre Under the Stars (TUTS). It ensures compliance with applicable data protection laws and supports the organization’s commitment to responsible data privacy, especially for minors participating in TUTS programs.

2. APPLICABILITY

This policy applies to all TUTS personnel, including employees, contractors, interns, volunteers, and authorized third-party users who handle or process sensitive or personally identifiable information (PII) within TUTS systems, including data related to children enrolled in TUTS camps, classes, and educational programming.

3. POLICY

TUTS shall implement and enforce the following data protection measures:

• Data Collection: Only collect data necessary for legitimate business or educational purposes. Parents or guardians must be informed of the purpose of data collection and provide consent when required.

• Data Classification: Data shall be classified according to its sensitivity (e.g., Public, Internal, Confidential, Restricted). Handling requirements must align with classification level.

• Consent: Parental or guardian consent is required before collecting personal data from children under 13, in accordance with COPPA.

• Access Controls: Access to sensitive data must be role-based and limited to personnel with a business need. Logging and audit trails must be maintained.

• Data Minimization: Retain only the minimum amount of personal data necessary to fulfill business obligations. Unneeded or outdated data must be securely disposed of.

• Data Storage & Transfer: All sensitive data must be encrypted in storage and during transmission. Transfers outside the organization must use secure, approved methods.

• Third-Party Processors: Vendors handling TUTS data must sign data protection agreements and demonstrate compliance with TUTS security and privacy standards.

• User Rights: Where applicable by law, individuals (or parents/guardians of minors) have the right to access, correct, or request deletion of their personal data held by TUTS.

• Training: All users handling personal or sensitive data must complete annual data privacy training.

4. ROLES AND RESPONSIBILITIES

4.1 All Personnel

• Shall follow procedures for secure handling, storage, and transmission of sensitive data.

• Shall report any suspected data breach or unauthorized disclosure immediately.

4.2 IT Department

• Shall implement technical measures to protect data (e.g., encryption, access controls).

• Shall monitor for unauthorized access or exfiltration of sensitive information.

4.3 Human Resources and Program Managers

• Shall ensure proper consent processes are in place for minors.

• Shall manage data privacy notices and support regulatory compliance efforts.

5. ENFORCEMENT

Violations of this policy may lead to disciplinary action, revocation of access rights, employment termination, and potential legal liability under state or federal privacy laws.