Data Protection: Monetary Penalty Notices from 06 April 2010
One important aspect of theatre law relates to the data held by performance companies and venues. The ownership and sharing of this data has been seen to be difficult in the past.
Up to now, many cases have been dealt with by informal undertaking (including in February the Alzheimer’s Society following three security breaches). The National Theatre has admitted that they have been subject to a failure in their data security too.
From 6 April 2010, the Information Commissioner may issue monetary penalty notices of up to £500,000 for serious data protection breaches.
It may be tempting for the Information Commissioner to view this new power as a valuable income stream. I would therefore recommend that all data controllers:
- Take steps to identify the risks of handling personal data (conduct risk assessments, become accredited, or adopt “privacy by design” systems);
- Make sure you can demonstrate the steps taken;
- Take more care of sensitive data;
- Refer to data protection in your disaster recovery plan, establish clear lines of responsibility and stick to the agreed policies;
- The Commissioner provides updated guidance, so audit your policies regularly;
- Act quickly if a problem arises;
- Learn from past mistakes.