Last updated: 2021-07-09
Who is collecting my personal data?
The Department for Digital, Culture, Media & Sport (DCMS) is facilitating the collection of your personal data as part of the UK Government’s Events Research Programme (“ERP”). We are a controller of this personal data for the purposes of data protection laws.
When you participate in the ERP, there are a number of other organisations who will be controllers or processors of your personal data. Set out below is a summary of the organisations involved in the ERP and their roles in collecting your personal data. Where an organisation processes your personal data as a controller, they will provide you with a separate privacy notice setting out how they use your data.
Event organiser(s) or ticketing agent(s)
When you purchase tickets for the event, the event organiser or the ticketing agent will be a controller of your personal data.
Department for Health and Social Care (DHSC)
If you request a PCR test or subsequently test positive for Covid-19, your data will be a part of NHS Test and Trace. The DHSC is the controller responsible for NHS Test and Trace.
Public Health England (PHE)
PHE is an executive branch of DHSC. PHE will have access to the data available through NHS Test and Trace.
Movement Strategies have been engaged by DCMS to record the Event to better understand ventilations flows and human behaviours at large events. Movement Strategies will be processor of your personal data.
Anonymous data will be used by other university research programmes (please see the Information Sheet for the Events Research Programme for more information).
In relation to group bookings, please ensure that all individuals in your booking party have been made aware of the contents of this privacy notice.
We are organising the collection of your personal data in order to assess and monitor the risks associated with COVID-19 transmission for participants attending mass events, and to understand the extent to which mitigation measures can effectively address these risks.
The event organiser or ticket agent will initially collect your personal data to allow them to permit you entry to the event. We organise the sharing of this personal data by the event organiser or ticket agent directly to the DHSC and PHE in our capacity as the facilitator of the ERP.
DHSC will collect your personal data via NHS Test and Trace when you complete COVID-19 Tests and when you use the NHS App or the NHS Covid-19 app. When you take a lateral flow test or test positive for COVID-19, the data will remain with DHSC (as the controller for NHS Test and Trace). This personal data includes health data. DHSC will use the personal data shared by the event organiser or ticket agent to cross-reference personal data in NHS Test and Trace to identify any transmission links between attending an ERP event and contracting Covid-19. You can find out more about the personal data collected by NHS Test and Trace and how it is used by viewing their privacy notice at: Test and Trace: overarching privacy notice - GOV.UK (www.gov.uk)
PHE will analyse the records of attendees who subsequently request a test from Test and Trace, and identify those attendees who tested positive for COVID-19 following an ERP event. In relation to these attendees, PHE will share an anonymised version of this data with the London School of Hygiene & Tropical Medicine for the purposes of the self-controlled case series study (please see information sheet for more detail on this study).
We may also use your data to send you surveys following your attendance at an event to ask about your experiences of using the NHSx app. The data generated from the survey will be anonymous and will be used to help inform our understanding of the use of the NHSx app.
DCMS may collect your personal data if you contact us directly (for example, if you have any concerns or queries regarding the study, or if you wish to withdraw your participation at any time). DCMS will only use your personal data to respond to your query or to action your request.
Movement Strategies will be undertaking observations at and around the venue, and recording the Event to better understand ventilations flows and human behaviours at large events.
What is the lawful basis for processing my personal data?
As the organiser of the collection of personal data for the ERP, we are the controller because we exercise overall control over the personal data being processed.
When we process your personal data (for example, directing the event organiser or ticket agent to share your name, date of birth or address with DHSC or to send you surveys about your experience of the NHSx app), the following lawful basis will apply:
To secure admission to the event, you will need to demonstrate via the NHS App that either you have had a negative lateral flow test result or proof of full COVID-19 vaccination or natural immunity. This is classed as health data and categorised as special category data under data protection laws. Although we do not collect this data directly, the fact that you have attended an ERP event may infer that you have had a negative lateral flow test result, full vaccination or natural immunity. When processing special category data, we need an additional lawful basis and have determined that the following legal basis may apply:
When processing special category data for reasons of substantial public interest, we also need a condition for processing under the Data Protection Act 2018 and the following condition applies:
The lawful basis that we rely on to process your personal data will determine which of the rights are available to you (please see section “What are your data protection rights?”). If we hold personal data about you in different parts of DCMS for different purposes, then the lawful basis we rely on in each case may not be the same
What personal data do we collect?
Unless you contact us directly (for example, because you want to exercise your data subject rights or you have queries regarding the study) we will not directly collect or see any of your personal data.
Your personal data is collected directly by the event organisers or ticketing agents. This personal data includes first name, last name, address, postcode, date of birth, ticket order number, phone number, email addresses and whether your ticket was scanned.
At our request, the event organiser or ticketing agent will then share that personal data directly with the Department for Health and Social Care, NHS Test and Trace and Public Health England.
If, following your attendance at an ERP event, you request a PCR test kit, you will be asked to confirm if you have recently attended an ERP event. If you check this box and subsequently test positive, this data will remain with DHSC (as the controller for NHS Test and Trace) who will then match your data against the event attendee data that has been provided to them by the event organiser. Please see the section ‘Why are we collecting your data?’ for more information.
The personal data DHSC collects as a controller includes health data. You can find out more about what data is collected by NHS Test and Test by viewing their Privacy Notice at: Test and Trace: overarching privacy notice - GOV.UK (www.gov.uk)
When you attend an event, a visual check will be carried out by one of the event stewards to verify the evidence you provide to enter the event. We will not collect or process your personal data and no record will be retained of the evidence provided to enter the event.
As explained above, the Event will be recorded by a third party, Movement Strategies, to better understand ventilation and human behaviours at large events. DCMS will not have access to any of the underlying footage. Movement Strategies will process your personal data on our behalf as a processor and acting only on our instructions.
What is personal data?
Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is someone who can be recognised, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These types of identifying information are known as ‘personal data’. Data protection law applies to the processing of personal data, including its collection, use, and storage.
Once an event has completed, PHE will analyse the records of attendees who subsequently request a test from Test and Trace. For those who test positive for COVID-19 following the event, PHE will share this data in an anonymised form with the London School of Hygiene & Tropical Medicine for research purposes only. Once the data is anonymised, it will no longer be personal data.
How long is your personal data retained for?
Where DHSC and PHE process your personal data as a controller, they will retain your data in accordance with their own retention policies. Please refer to the links below to the respective privacy notices of DHSC (in relation to NHS Test and Trace) and PHE for information on how long your data is retained for by DHSC and PHE:
Where DCMS is the controller of your personal data as set out in this privacy notice, personal data will be retained for as long as needed to fulfil the purposes outlined above, in line with our public task or for a period specifically required by applicable regulations or laws.
When determining the relevant retention periods, the following factors may be taken into account:
Anonymous data may be retained for longer periods (personal data which has been anonymised will no longer be personal data).
What will happen if I do not provide this data?
If you are aged 11 and over and you cannot present with proof of a negative LFD test or proof of full COVID-19 vaccination, or proof of natural immunity, you will not be permitted entry to the event.
Automated decision making
We will not use your data for any automated decision making.
Data transfers outside of the UK
We will not send your personal data outside the U.K.
What are your data protection rights?
You have rights over your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). These include:
Our contact details for questions, complaints or if you’d like to exercise your data protection rights
If you wish to exercise any of the above rights, you can do so by contacting our Data Protection Officer (DPO) using the details below:
Data Protection Officer
The Department for Digital, Culture, Media & Sport
100 Parliament Street
Email: [email protected]
If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the DCMS Data Protection Officer or the Data Protection Manager at the relevant agency in the first instance. You can contact the DCMS Data Protection Officer using the details above.
Contact details for the UK’s Information Commissioner’s Office
If you are not satisfied or your complaint is unresolved, you can contact the Information Commissioner's Office (ICO). The ICO is the supervisory authority for data protection legislation and maintains a full explanation of these rights on their website using the details below:
Information Commissioner's Office
More information can be found at https://ico.org.uk/