Data Protection Policy

Why is a Data Protection Policy Needed?

There are important changes to data protection legislation with the introduction of the General Data Protection Regulation (GDPR) which comes into force on 25th May 2018. It updates the previous position on data protection which was contained in the Data Protection Act 1998 (DPA 1998). The Festival will comply with the principles of the DPA 1998 and the 2018 GDPR updates concerning transparency and accountability when managing personal data. 

The Watford Festival acknowledges that there are changes to how the law is enforced, and that greater fines can be issued for non-compliance. Personal data kept by the Festival will be looked after, used properly and kept safe, in line with GDPR regulations.

What is ‘personal data’? 

This is defined as ‘any information relating to the identity of a natural person which can identify them directly or indirectly’. This can be a name, a photo, an email address, bank details, computer IP addresses etc. It includes data that could be put together with other information to identify a person.

The Watford Festival handles personal data regularly through paper entry forms, online entry forms, volunteer details, and possibly sponsor or donor information. Names, addresses, date of birth, email addresses are all personal data which we process as part of Festival planning. 

Some personal data is considered to be more sensitive (including information that the Festival does not require, such as ethnicity, religion etc.) but the Festival will have personal data about children under 16, which is regarded as sensitive information.

What is meant by ‘processing data’?

Processing is the collection, recording, transmission or storing of data. It covers, for example, collecting or creating a list of names, addresses or emails for the Watford Festival competitors, teachers or volunteers, which is something that the organisers of the Festival do.  

To comply with GDPR the Festival will ensure that such data is only used in a way that the person whose data we hold (The Data Subject) has agreed to.

Data Controller

The Festival has an appointed Data Controller who will have overall responsibility, along with the Trustees, to

  1. Ensure that as an organisation, the Festival and Data Processors (those who process the data such as section heads, child protection officer, secretary, friend’s secretary, website coordinator etc.) implement a data protection strategy compliant with GDPR regulations.
  2. Update the trustees, committee members and data processors of any changes to future regulatory GDPR requirements.

Rights of an individual concerning the data held about them

The Festival will respect the rights of the individual concerning the data held about them. As set out by GDPR, each individual for whom the Festival holds information has:

  1. The right to access any information held about them: at any time, that individual has the right to be provided, free of charge, with the personal information that the Festival holds about them. They can make a written request (called a subject access request) and, as required legally, the Festival will provide that information to them within one month of the request being made.
  2. The right to be informed about
    • What the Festival intends to do with their information
    • How the Festival processes and stores that information
    • Who else (if anyone) can see that information
    • How long that information will be held for
    • Where that information will be processed and stored
    • The right to withdraw their consent to the Festival using or holding that information
  3. The right to rectification: at any time, the individual can ask to have any mistakes in the information held about them changed.  In the unlikely event that that information is disclosed to third parties (such as a nominated entry from Watford Festival being put forward for the North London Emmanuel Piano Competition), then those third parties would also be informed.
  4. The right to erasure, to be forgotten: at any time, that individual has the right to have their data deleted
    • If the data is no longer required by the Festival and it is no longer relevant to the original purpose of processing
    • If they withdraw their consent
    • If their data has been processed unlawfully
  5. The right to restrict processing: the individual has the right
    • To prevent the Festival from further processing their data and to make sure that that restriction is respected in the future
    • To ensure that the Festival holds just enough information for the functioning of the Festival and no information that is not relevant to that process
  6. The right to data portability: upon request, the Festival must
    • Provide a machine readable, structured copy of the person’s data
    • Transfer that information to another organisation
  7. Concerning the right to object: the Festival will only be using an individual person’s data for the functioning of the Festival. It will not use that information
    • For any marketing purposes
    • For any historical or scientific research
  8. Concerning the right to automated decision making and profiling: the Festival will not automatically be making any important profiling or legal decisions about any individual.

Festival Data Protection Policy Procedures

The Festival will have policies and procedures in place specific to the needs of the Festival and which support the principles of GDPR, namely lawfulness, fairness and transparency.

The collecting, holding, using, retrieving and organising of data will follow these principles. Information will be used in a way that is fair to the individual concerned.  Demonstrable, specific and unambiguous consent will be obtained from any individual whose data is collected, processed and stored by the Festival.

The principles of GDPR will be upheld by each individual in the Festival who is responsible for keeping personal data safe and secure. Namely:

  • Data will only be used for the purpose for which it was obtained and for which the individual’s unambiguous and clear consent was freely given.
  • Children under 16 cannot give consent (In the UK this may be changed at a later date to children under 13) and their parent or guardians’ consent will be obtained; additionally the parent or guardian will need to verify that they are able to do so.
  • Data will only be asked for on a ‘need to know’ basis.
  • Reasonable steps will be taken to ensure that the details and information taken are correct.
  • Reasonable steps will be taken to ensure that data is up to date.
  • Data will only be kept for as long as it is needed and reasonable steps will be taken to check if the data held is still needed.
  • Reasonable steps will be taken to ensure good day to day practice - namely that
    • Personal data is kept safe and secure from accidental or deliberate loss, destruction, damage or unauthorized access.
    • Security arrangements are continually monitored.
    • Electronic devices will use encryption or password protection to protect devices and documents.
    • Computer security is maintained through the use of a firewall, anti-malware, antispyware, virus protection.
    • When computers are disposed of, all personal data information has been removed and cannot be accessed.
    • Personal data is not passed to other individuals.
    • Computers containing personal data cannot be accessed by other individuals.
    • Files are password protected.
    • Laptops containing personal data are not left unattended in cars or elsewhere.
    • Papers containing personal data that is no longer required are shredded.
    • Posted documents are correctly addressed.

Data Breach

If any Personal Data is lost or misused, the matter will be reported straight away. This could include

  • Losing a phone
  • Leaving a list of names and addresses on a train
  • Emailing a list of personal data to the wrong individual