Privacy and Data Protection Policy
This policy details how Manchester International Festival (MIF) collects, processes, stores and secures personal data.
We will always aim to be clear and transparent regarding all our requests for personal data and are legally bound to only use that data for the express purpose(s) agreed at the point the data is submitted to us.
Please note, customers are under no obligation to share personal data with us. However, the provision of certain pieces of personal data will help us to give our customers the best possible service we can.
This policy was last updated in May 2018 in accordance with the EU General Data Protection Regulation (GDPR).
For reference, GDPR is an EU law on data protection and privacy for individuals in the EU. It applies to any company processing personal data of EU citizens and aims to give EU citizens more control over their personal data.
What is Personal Data?
Personal Data is anything that can be used to identify an individual directly or indirectly.
In many situations, this can be as simple as their name and contact details (such as address, phone number or email) but may sometimes include more detailed information depending on the nature of their engagement with us.
MIF is legally defined as a Data Controller
Employees of MIF are legally defined as Data Processors
The individuals MIF engage with that provide personal data are legally defined as Data Subjects
When and How do we collect personal data?
All of the following are common situations where we might request personal data from individuals:
• When purchasing tickets for our events
• When signing up to our mailing lists
• When signing up to any of our engagement, participation or volunteering programmes
• When submitting an application for a job at MIF
• When becoming a supporter/member/donor
We will always make it clear what data we are collecting from you during these transactions and why we are requesting it.
We may also capture your image in the photography or video recording of an event for promotional purposes. If you would prefer not to be included in any image recording, please speak to a member of MIF staff or a volunteer. They will be wearing a staff pass at the event and will provide information on how to make sure you are not included. Notices will be posted at the entrance to any venue where photography or video recording is planned, with similar information.
We also use CCTV recording equipment in and around our premises and site-specific events during the Festival itself. This is to safeguard our staff, customers, and visitors to MIF sites (both temporary and fixed). Images from the CCTV are securely held for 30 days and (in the event of an incident) may be shared with the police. After this time period, this footage will be erased.
For any interviews on camera, we will ask for consent using a form to be signed by the interviewee which will be kept on file for as long as the resulting footage is in circulation.
In addition, the following data may also be collected automatically when you visit our website:
• IP address
• Referring website (if you followed a link to get to our website)
• Web browser and device
• Cookies (see below)
• Time and date of visit
• Web pages visited
• Geographical location
This statistical data is collected with the express purpose of aiding our understanding of the areas of interest on our site and is kept only for as long as is required for this purpose.
A cookie is a small file which asks for permission to be placed on your device’s hard drive. If you agree, the file is added and the cookie helps analyse web traffic or records when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
All of the above are standard online identifiers which can be detected by Google Analytics, which, like many other organisations, we use to monitor the activity on our website. Please visit Google Analytics Terms Of Service for further details.
Third party website links
Our website and associated electronic communications may contain links to other websites not operated or controlled by us (“Third Party Sites”). The policies and procedures detailed in this policy do not apply to such sites. MIF takes no responsibility for the content or data processing activities and policies of third-party sites.
How we use personal data
All personal data collected, processed and stored by MIF is only collected with the prior notification of the scope and nature of the processing activity (i.e. how it will be used).
In relation to the personal data listed above, this will include ‘Opt in’ and/or ‘Permission’ on online forms regarding mailing lists, participation sign up or the provision of details on a job application or engagement with us contractually.
In advance of any data processing activities, we complete and log an internal data activity. This document details the scope of activity and how and why the data is being processed.
This then forms the basis of a Privacy Notice – which is included on any digital or paper form which requests the submission of personal data.
Security and storage of Personal Data
All of MIF’s electronic and physical storage facilities have been reviewed to comply with GDPR in May 2018.
In the case of electronic systems, this has meant a phased move to a secure, cloud based and closed IT system – with access being controlled by a centralised IT Administrator.
We then encrypt all MIF devices to enable us to deal with any breaches of data security quickly and responsibly. We also have both IT and reporting processes in place in order to comply with breach notification obligations to the Information Commissioner’s Office (ICO), and to our CRM system provider.
In the case of physical storage, we have reviewed this to ensure that all printed data is audited and maintained in secure storage units, with access restricted to ensure that employees only have access to the data sets that are relevant to their area(s) of work.
We have set a four-year retention limit on Personal Data from the last point of engagement with a data subject. The only exception to this is Employee records (which we are obliged by law to maintain for seven years).
From summer 2018 onwards MIF will operate its own internally managed ticketing and customer relationship management system. This will ensure that key elements of our audience development are not run via a third party and will remain the responsibility for direct processing by our employees.
Why we use Personal Data
We process personal data to:
• Fulfil a Contract (e.g. to provide a ticket for an event). This sort of processing includes name, address, phone, email and credit card details and any access-specific information that a purchaser may choose to share with us in advance of attending one of our events.
• Communicate on a Consent basis. This includes some elements of direct marketing (e.g. signing up to and having granular access to different strands of e-communication from us or using such emails to communicate additional offers/opportunities to members or participants who have signed up to receive them).
• Fulfil Legal Obligations, which covers employment/engagement details for those working for, with and in association with us. It also covers data capture relating to safeguarding (e.g. children and vulnerable adults).
• Convey Legitimate Interest. This reflects elements of outward facing communication which we have assessed and determined is reasonable, proportionate, clearly defined and justifiable within the scope of GDPR. As part of the work we do to help us understand the individuals, businesses and trusts or foundations who might be interested in supporting the work of MIF, we might, from time to time, seek additional information relating to a small number of individuals. This could include MIF booking information and connections, business network information, and publicly available information relating to place of residence, wealth and assets, family*, career, donations to other organisations, and other interests.
* This does not include information about children unless given personally by the individual concerned
As a Data Subject, individuals have legal rights regarding the information we hold about them
• Access – the right to know what personal data is being processed and how. Individuals can therefore request access to the personal data we process.
• Rectification – the right to ask us to amend, update or correct any personal information we have
• Portability – the right to receive their personal data held by us in a format that can be transferred to another data controller
• Erasure – the right to be forgotten – i.e. for us to erase any personal data we possess (with the exception of employee records and records of financial transactions which are detailed in our audited accounts).
If you would like to request Access, Rectification, Portability or Erasure of information we hold about you, please contact us using the details in the ‘Contact’ section at the end of this policy. You will need to provide us with a description of the information you would like to see, together with proof of your identity.
If you are unhappy with the way we have processed your personal data you also have the right to lodge a complaint with the Information Commissioner’s Office.
Exclusions (Legal & Regulatory)
On rare occasions we may disclose Personal Data if required to do so by law in order to (for example) respond to a legal challenge, a court or government agency, or in the good faith belief that such action is necessary to:
• comply with a legal obligation
• protect or defend our rights in a court of law
• protect against legal liability
• co-operate with the Police or a regulatory or government authority investigating illegal activities
Third Party Contractors
In some instances, we use established and accountable third party service providers who work on our behalf for the fulfilment of a contract we enter into:
• Card payment processing of transactions relating to payment for goods and services (e.g. online ticket sales)
• Third party mailing houses, email providers (e.g. MailChimp) and marketing agencies
• Our Website hosting and ticketing/CRM system providers
• Research Companies who help us to understand our audience to enable us to improve our service
• Third party advertisers (such as Facebook or Google)
Anyone who provides a service such as these on our behalf will enter into an agreement with us and will meet our data security standards. They will only use your data for the clearly defined service that they are providing on our behalf and are, in effect, accountable in terms of complying with this policy.
As MIF is partially funded by Public Sector bodies (including the Arts Council and Manchester City Council) we also need to provide a range of quantitative and qualitative data in order to support such funding. The majority of this data is anonymised and for the express purpose of meeting our conditions of funding.
If you have any questions or concerns about the way in which we handle your personal information or would like to request Access, Rectification, Portability or Erasure please address your query via:
Or call: 0161 817 4500
Or write to: Manchester International Festival, Blackfriars House, Parsonage, Manchester M3 2JA
Under the terms of GDPR we are then obliged to respond to you within 30 days.
For further, detailed information on the General Data Protection Legislation please refer to the website of the Information Commissioner’s Office.
This Policy was last updated in May 2018