ALDERSHOT & FARNBOROUGH FESTIVAL OF MUSIC AND ART
DATA PROTECTION POLICY - MARCH 2018

  • This document describes the means by which the Aldershot & Farnborough Festival of Music & Art will comply with new EU regulations known as the General Data Protection Regulation (GDPR), which came into force on 25th May 2018 and updated the UK Data Protection Act 1998.
  • The lawful basis for the collection and storing of data under GDPR is legitimate interest; the Festival organisers need to know, for each competitor, their name, age, associated school or teacher, classes entered and (when available) marks gained. In addition, the Festival organisers need to know the contact details of persons managing the entries. Without the above information the Festival cannot take place. In addition, Festival organisers may need to communicate with schools or private entrants from time to time (for example, to send a Syllabus) for which explicit consent will be sought. The Festival is not required to register any of its data with the Information Commissioner (on the grounds that its use is recreational).
  • To comply with the GDPR the Festival will:
    1. Appoint a Data Controller responsible to the Festival Committee for implementation of this Policy.
    2. Provide all Festival entrants with a GDPR Privacy Notice explaining why data is being collected and what will be done with it. This Notice varies slightly between the Dance and Piano Sections to reflect the different data each section needs to collect.
    3. Ensure that all entrants positively ‘opt in’ to their data being collected.
    4. Ensure that electronically-held personal data is password-protected.
    5. Ensure that reasonable and proportionate measures are taken to prevent unauthorised viewing or theft of hard-copy personal data.
    6. Respond to any subject access request within the statutory 30 days. The Data Controller is responsible for responding to subject access requests.
    7. Normally retain data indefinitely for the purpose of maintaining a historical record, but remove an individual’s data if asked to do so via a subject access request.
    8. Only collect personal data that is necessary for the running of the Festival, as follows:
      • contact details of schools, teachers or persons managing entries;
      • details of entrants necessary for them to be entered in the competition, for example, name, date of birth, classes entered and associated school or teacher;
      • for private entries, the contact details of the parent or guardian of the entrant in addition to the other entrant data;
      • basic contact details (name, address, phone number and next of kin) of volunteer helpers.
    9. From time to time, process post hoc aggregated data for the purpose of managing the Festival (for example, estimating how much time must be allocated for performances).
    10. Place this policy and the GDPR on the Festival website.
  • The Festival will not:
    1. Place any personal data online, including in the Cloud or on the Festival website, other than posting the names of cup or award winners on the Festival website. Cup and award winners will be asked to ‘opt in’ prior to having their names placed online. Awards will not be conditional on giving such consent.
    2. Share personal data with any other organisation, other than to communicate the marks of competitors who have qualified for the All-England Dance competition to All-England.
    3. Be responsible for data relating to the Festival which has been collected by other persons or agencies (for example, for the Dance Section, the official photographer or All-England Dance).
  • This policy has been approved by the Festival Committee. All questions regarding this policy should be addressed to the Data Controller.

Festival Committee
Aldershot & Farnborough Farnborough festival of Music & Art
March 2018