Article Index

ALDERSHOT & FARNBOROUGH FESTIVAL OF MUSIC AND ART
DATA PROTECTION POLICY - MARCH 2018

  • This document describes the means by which the Aldershot & Farnborough Festival of Music & Art will comply with new EU regulations known as the General Data Protection Regulation (GDPR), which came into force on 25th May 2018 and updated the UK Data Protection Act 1998.
  • The lawful basis for the collection and storing of data under GDPR is legitimate interest; the Festival organisers need to know, for each competitor, their name, age, associated school or teacher, classes entered and (when available) marks gained. In addition, the Festival organisers need to know the contact details of persons managing the entries. Without the above information the Festival cannot take place. In addition, Festival organisers may need to communicate with schools or private entrants from time to time (for example, to send a Syllabus) for which explicit consent will be sought. The Festival is not required to register any of its data with the Information Commissioner (on the grounds that its use is recreational).
  • To comply with the GDPR the Festival will:
    1. Appoint a Data Controller responsible to the Festival Committee for implementation of this Policy.
    2. Provide all Festival entrants with a GDPR Privacy Notice explaining why data is being collected and what will be done with it. This Notice varies slightly between the Dance and Piano Sections to reflect the different data each section needs to collect.
    3. Ensure that all entrants positively ‘opt in’ to their data being collected.
    4. Ensure that electronically-held personal data is password-protected.
    5. Ensure that reasonable and proportionate measures are taken to prevent unauthorised viewing or theft of hard-copy personal data.
    6. Respond to any subject access request within the statutory 30 days. The Data Controller is responsible for responding to subject access requests.
    7. Normally retain data indefinitely for the purpose of maintaining a historical record, but remove an individual’s data if asked to do so via a subject access request.
    8. Only collect personal data that is necessary for the running of the Festival, as follows:
      • contact details of schools, teachers or persons managing entries;
      • details of entrants necessary for them to be entered in the competition, for example, name, date of birth, classes entered and associated school or teacher;
      • for private entries, the contact details of the parent or guardian of the entrant in addition to the other entrant data;
      • basic contact details (name, address, phone number and next of kin) of volunteer helpers.
    9. From time to time, process post hoc aggregated data for the purpose of managing the Festival (for example, estimating how much time must be allocated for performances).
    10. Place this policy and the GDPR on the Festival website.
  • The Festival will not:
    1. Place any personal data online, including in the Cloud or on the Festival website, other than posting the names of cup or award winners on the Festival website. Cup and award winners will be asked to ‘opt in’ prior to having their names placed online. Awards will not be conditional on giving such consent.
    2. Share personal data with any other organisation, other than to communicate the marks of competitors who have qualified for the All-England Dance competition to All-England.
    3. Be responsible for data relating to the Festival which has been collected by other persons or agencies (for example, for the Dance Section, the official photographer or All-England Dance).
  • This policy has been approved by the Festival Committee. All questions regarding this policy should be addressed to the Data Controller.

Festival Committee
Aldershot & Farnborough Farnborough festival of Music & Art
March 2018


ALDERSHOT & FARNBOROUGH FESTIVAL OF MUSIC AND ART
GDPR PRIVACY NOTICE – DANCE SECTION

[This is the document to be given to persons who are providing the data to explain why it is being collected]

Introduction. New EU regulations known as the General Data Protection Regulation (GDPR) will come into force on 25th May 2018. The GDPR places significant additional responsibilities, over and above those defined in the Data Protection Act 1998, on those who collect and process personal data to ensure that providers of personal data understand the lawful basis for the collection and processing of their data. The document which explains this basis is known as a ‘Privacy Notice’. The present document constitutes the Aldershot & Farnborough Festival Privacy Notice.

What personal data does the Festival need to collect? For each competitor in the Dance Section, the Festival collects the name, date of birth, affiliated school, classes entered, marks awarded (when available) and any cups or awards gained. For each school, the Festival collects the name and contact details of the school, and the name and contact details of the principal and of the person managing the entries. The Festival does not hold any contact details for individual competitors unless they are entered privately rather than through a school.

Who is collecting the data? The data will be collected by the Festival organisers.

How is the data collected? Data is mainly collected by means of paper entry forms, although some entries are sent electronically by e-mail.

Why does the Festival need to collect this data? Self-evidently, the Festival must know the names of competitors in order to organise the event, their ages (the classes are segregated by age), the affiliated school (in order to communicate information about the Festival) and marks gained (so that competitors can determine how well they have done and so that, in the case of the Dance Section, the names of All-England qualifiers can be sent to the All-England Dance).

How will the data be used? Entries data will be input to an electronic Access database. This is used to generate a confirmatory summary for each school, generate the Festival ‘running order’, print various lists which are used by volunteers to ensure that competitors are available in the right place at the right time, print marksheets and certificates, enter marks awarded and identify the winners of those cups whose award depends on aggregated marks. It will also be used, in combination with data from past Festivals, to aid management planning, and particularly the timing of the programme. The Festival will not undertake to process entries non-electronically.

With whom will the data be shared? The database itself will routinely be accessible to three of the Festival organisers, although from time to time others within the organisation may be given access as and when required. None of the data will be placed online, stored in the Cloud or shared with any outside agency or organisation. Names and classes entered will be published in the Festival Programme. The names and ages of competitors gaining All-England qualifying marks will be sent to All-England after the Festival in All-England years (even-numbered years). None of the data will be sold to or shared with any other organisation. The Festival does not receive commercial sponsorship.

Does anyone else associated with the Festival collect data? The Festival appoints a professional photographer to photograph competitors’ performances (except where individuals request that this not be done). The photographer clearly needs to collect data from anyone ordering photos, but this is entirely a matter between the photographer and customer. The Festival accepts no responsibility for any data provided or collected for that purpose.

What will be the effect of sharing data? The sharing of marks data with All-England will enable anyone qualifying to enter the quarter finals of the competition.

Is the intended use likely to cause individuals to object or complain? No. On the contrary, failure to communicate marks to All-England is likely to be a cause for complaint.

Can I see my data or ask for it to be deleted? You have the right to see your personal data, and to ask for it to be deleted. A request to view your data is known as a ‘subject access request’. Such requests should be made to the Festival organisers, and the Festival is legally obliged to respond to your request within 30 days.

How long will my data be kept? Paper entry forms will normally be kept for approximately one year (after the following year’s Festival) and then destroyed either by shredding or burning. The Festival has no timescale for the erasing of electronically held data. These data form a historical record of the Festival, and the aim is to preserve that record. The Festival has been running continuously since 1941 but very little information is available about it before about 1998. We would therefore like to maintain a reasonable historical record from then on. If you would like your details erased from the historic record you should make a subject access request. Your data will then be anonymised in the database.

How secure is my data? Electronic data is held in a password-protected database and a backup copy maintained. None of the data is accessible online or stored in the Cloud. Paper documents (e.g entry forms) are kept in a private dwelling with normal domestic security measures in place; the Festival will take reasonable measures to ensure that the paper data is not lost or stolen or viewed by unauthorised persons, and when not being processed will be stored under lock and key. E-mail communications are not subject to special encryption measures. The GDPR mandates procedures which must be followed for reporting a breach or suspected breach of data security.

How will the new measures affect the entry process in future years? You will need to tick a lot more boxes in future to make it clear that you understand data collection issues and have ‘opted in’. A requirement of the GDPR is that providers of personal data must positively ‘opt in’ to having their data collected; it is no longer sufficient to assume that ‘silence gives consent’. Entry forms will contain suitable ‘opt-in’ statements, but it is the responsibility of entrants to ensure that these are completed. Entries made by e-mail which do not use the entry forms are not encouraged, and will need to be accompanied by clear statements about opting-in to data collection. Further details will be available in time for the 2019 Festival.

Dance Section Organisers
Aldershot & Farnborough Festival of Music & Art
March 2018


ALDERSHOT & FARNBOROUGH FESTIVAL OF MUSIC AND ART
GDPR PRIVACY NOTICE – PIANO SECTION

[This is the document to be given to persons who are providing the data to explain why it is being collected]

Introduction. New EU regulations known as the General Data Protection Regulation (GDPR) will come into force on 25th May 2018. The GDPR places significant additional responsibilities, over and above those defined in the Data Protection Act 1998, on those who collect and process personal data to ensure that providers of personal data understand the lawful basis for the collection and processing of their data. The document which explains this basis is known as a ‘Privacy Notice’. The present document constitutes the Aldershot & Farnborough Festival Privacy Notice.

What personal data does the Festival need to collect? For each competitor in the Piano Section, the Festival collects name, date of birth, address, phone and mobile contact, school attended, grade achieved, teacher’s name and contact details. Payment details are offered as BACS transfer or cheque but not recorded electronically. Details of Trophies awarded are kept in a Festival note book and not recorded electronically.

Who is collecting the data? The data will be collected by the Festival organisers.

How is the data collected? Data is mainly collected by means of paper entry forms, although some entries are sent electronically by e-mail.

Why does the Festival need to collect this data? Self-evidently, the Festival must know the names of competitors in order to organise the event and place the competitor in the correct class.

How will the data be used? Data is mainly collected by means of paper entry forms, although some entries are sent electronically by e-mail.

With whom will the data be shared? Details will be shared between committee members when putting together the programme, and placed on a spreadsheet. None of the data will be placed online, stored in the Cloud or shared with any outside agency or organisation. None of the data will be sold to or shared with any other organisation. The Festival does not receive commercial sponsorship.

Does anyone else associated with the Festival collect data? No.

What will be the effect of sharing data? No data is shared.

Is the intended use likely to cause individuals to object or complain? No.

Can I see my data or ask for it to be deleted? You have the right to see your personal data, and to ask for it to be deleted. If your data is deleted it may not be possible for you to perform in the Festival. A request to view your data is known as a ‘subject access request’. The Festival is legally obliged to respond to your request within 30 days. Subject access requests should be made in writing via the Secretary to the Data Access Controller.

How long will my data be kept? Paper entry forms will normally be kept for approximately one year (after the following year’s Festival) and then destroyed either by shredding or burning. Data from 1964 onwards is held in handwritten note books and preserves the historic record of the Festival.

How secure is my data? Electronic data is held in a password-protected database and a backup copy maintained. None of the data is accessible online or stored in the Cloud. Paper documents (e.g entry forms) are kept under lock and key in a private dwelling with normal domestic security measures in place; the Festival will take reasonable measures to ensure that the paper data is not lost or stolen or viewed by unauthorised persons, but does not guarantee to store it under lock and key. E-mail communications are not subject to special encryption measures. The GDPR mandates procedures which must be followed for reporting a breach or suspected breach of data security, and these will be followed by the Festival if such a breach occurs.

How will the new measures affect the entry process in future years? You will need to tick a lot more boxes in future to make it clear that you understand data collection issues and have ‘opted in’. A requirement of the GDPR is that providers of personal data must positively ‘opt in’ to having their data collected; it is no longer permissible to assume that ‘silence gives consent’.

Piano Section Organisers
Aldershot & Farnborough Festival of Music & Art
March 2018