The purpose of this Privacy Notice is to explain how and for what purposes we process your personal data. It applies to personal data that is processed electronically and on paper.

Please read the following Privacy Notice carefully.

Who we are

The Creative-Tech Festival is co-ordinated by Basildon Borough Council, with our head office address being Basildon Centre, St. Martin's Square, Basildon. SS14 1DL.

Data privacy key terms

• Personal data: 'Personal data' means any information relating to a living person or 'data subject' that can be used to directly or indirectly identify the person. This can include information that when put together with other information can then identify a person. For example, this could be:
  • Identity information (e.g. name, address, telephone number, credit card number)
  • Health and genetic records and biometric data
  • Racial and ethical data
  • Data on political opinions
  • Data on sexual orientation
  • Web data (e.g. location data, IP address, cookies).
• Processing: 'Processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means.
• UK-GDPR: This Privacy Policy relates to Article 13 of the UK-GDPR

If you are allowing your child to use the Creative-Tech Festival website, references in this Policy to ‘your personal data will mean your child’s personal data. If you are under the age of 13, please get permission from your parent before you provide personal data through the Creative-Tech Festival website.

The Creative-Tech Festival website is controlled by us from our offices in the United Kingdom (UK). Personal data collected by Basildon Council via the website or otherwise is processed in compliance with the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018. For the purpose of the UK GDPR, we are registered as a Controller (our registration number is Z5361180) and details of our Data Protection Officer (DPO) is set out below.

We do not deliberately target users overseas but if you choose to visit the Creative-Tech Festival website from outside the UK, you do so with the understanding that any personal data collected from the website will be processed in compliance with the UK data protection laws.

Why we process your personal data

The personal data that we collect, and process is primarily used to enable us to provide our services to you. For example, we may use your personal data for the following purposes:

• To provide you with information requested from us (such as event invitations, publications or e-newsletters) or information on other products or services (including general updates about the Creative Tech Festival website, our partner organisations or carefully selected third parties) where you have consented to receive such information.
• To meet our contractual commitments to you.
• To display your profile in our directories and elsewhere on the Creative Tech Festival website.
• To notify you about any changes to the Creative Tech Festival website, such as improvements or service/product changes, that may affect our service.
• To deal with your comment or query, and to contact you for more information regarding a comment or query you have made.
• To arrange and deliver services you have requested, whether online, one-to-one or via the telephone.
• To administer our site and for internal operations including troubleshooting, data analysis, testing, research, and surveys.
• To generate anonymous statistics to help us improve the services we offer to you (these statistics will not include information that can identify you as an individual)
• To ensure that the Equal Opportunities Policy is effective, a monitoring of applications, approvals and placements is carried out. The collected personal and special category data regarding your gender, age, ethnic group, sexual orientation, caring responsibilities and in some cases socio-economic background, and any disability you may have, is used solely for monitoring purposes and will be treated as confidential and will not be used for individual decision-making.
• To pre-populate forms on the Creative Tech Festival website requesting information you have already provided, for your convenience and ease-of-use (please see our Cookie Policy for more information on our use of cookies).
• To assess your professional needs and attributes in order to match you with other Users, and to identify content, resources and vacancies appropriate for you and those other Users.
• Where you have provided consent to share your personal data with training and placement providers, so that they can send you updates.
• To administer our site and for internal operations including troubleshooting, data analysis, testing, research, and surveys.
• To link your YouTube, Vimeo, Twitter, Facebook, LinkedIn, Instagram, IMDB profiles or your website to your Creative Tech Festival profile if you choose to do so.

We will not make any decisions about you using automated means to process your personal data, and we will notify you in writing if this position changes.

Direct marketing communications

Occasionally, we may wish to send you information about our products, services and activities. We will only process your personal data for direct marketing purposes with your consent. You can withdraw your consent at any time by contacting us by email at dataprotectionofficer@basildon.gov.uk.

How the law allows us to use your personal data

There are a number of legal reasons why we need to collect and use your personal data. Generally we collect and use personal information where:

• You, or your legal representative, have given consent
• You have entered into a contract with us
• It is necessary to perform our statutory duties
• It is necessary to protect someone in an emergency
• It is required by law
• It is necessary for employment purposes
• You have made your information publicly available
• It is necessary for legal cases
• It is to the benefit of society as a whole
• It is necessary to protect public health
• It is necessary for archiving, research, or statistical purposes.
• It is necessary to deliver a particular service (for example, running an event in partnership with a third party organisation)

The use of your personal data for the purposes set out above is lawful because one or more of the following applies:

• Where you have provided your personal data to us for the purposes of requesting information, we will process your personal data on the basis of legitimate interests (i.e. the proper administration of our website and business and providing you with the information or service requested. Given that you have made the request, we will presume that there is no prejudice to you in our fulfilling your request).
• Where you have created a profile on the Creative-Tech Festival website we will process your personal data on the basis of legitimate interests (i.e. the proper administration of our website and business and providing you with the information or service requested).

The processing of your personal data may also be necessary:

• to take steps you ask us to prior to entering into a contract and
• for the performance of a contract with you. The performance of a contract with you may sometimes require the provision of information to a third party to enable them to fulfil or assist with a part of a contract, for example a third party training provider or specific skills funding body (e.g. the Department for Levelling Up, Housing and Communities).
• to comply with our legal obligations.

To send you our direct marketing communications (or where relevant, direct communications on behalf of a third party), we will rely on your consent or, where appropriate in some circumstances, on legitimate interest. If you want to withdraw your consent, please contact our Data Protection Officer (DPO) explaining which service you are using so we can deal with your request. This will not affect the lawfulness of processing of your personal data prior to your withdrawal of consent being received.

If we ask you for your consent, we will always make it clear that the provision of your personal data is optional.

Additional conditions for the processing of special category data

Where we need to process certain categories of personal data, which are regarded in data protection law as more sensitive and are known as ‘special category data’ (i.e. your health data or diversity data - please see more information below), in addition to an appropriate lawful basis, our processing complies with Article 9 of the UK GDPR and, where relevant, meets a condition in Section 10 and Schedule 1 of the Data Protection Act 2018, for example where:

• our processing is necessary to ensure meaningful equal opportunity monitoring and reporting; or
• you have given us your explicit consent to the processing for a specified purpose; or
• our processing relates to personal data that have been manifestly made public by the data subject; or
• our processing is necessary to protect the vital interests of an individual who is physically or legally incapable of giving consent (for example in an emergency situation); or
• our processing is necessary for the establishment, exercise or defence of legal claims or in connection with any legal proceedings or obtaining legal advice; or
• our processing is necessary for the purpose of safeguarding individuals at risk; or
• our processing is necessary for the prevention or detection of an unlawful act or compliance with regulatory requirements relating to unlawful acts.

Personal data that we may collect

When you visit the Creative-Tech Festival website, we may collect and process the following personal data:

• Information you provide to us directly – You may provide us with information by completing forms on or otherwise submitting information to the Creative-Tech Festival website, or by corresponding with us via email, telephone, post or otherwise. This might include information you give us when you register to use the Creative-Tech Festival website, create an account, post comments, apply for a training programme delivered by us or one of our partners, make purchases, ask or answer questions, “follow” other Users, update your profile, apply for vacancies, search for courses, or other functions of the Creative-Tech Festival website, report offensive content or another problem with the Creative-Tech Festival website, or when you respond to specific questions from us. The information you give us may include your name, address, email address, photograph, date of birth, geographic location, nationality, gender, employment status, socio-economic background, portfolio, employment details, education details, skills, audience, industry sector(s) and other details about your professional life that you provide to us. The personal information you give to us in setting up your account will remain private and confidential at all times. In the optional ‘my profile’ section of the website you can give more details. If you enter display name, add an avatar image and complete at least one of the following; ‘about’, ‘career history’, or ‘education history’, then information you add to your profile in the ‘my profile’ section will be publicly visible on the Creative-Tech Festival website, and may be displayed in search engine results and in recommendations to other Users.
• Information about you that we collect – Each time you access the Creative-Tech Festival website we may collect the following technical information about the way in which you accessed the Creative-Tech Festival website: the Internet protocol (IP) address used to connect your computer to the Internet; your login information; your browser type and version; your time zone setting; your browser plug-in types and versions; your operating system and platform, traffic data, location data, page interaction information (such as scrolling, clicks, and mouseovers); weblogs and other communications data.
• Information about your use of the Creative-Tech Festival website – Each time you access the Creative-Tech Festival website we may collect the following technical information about your use of the Creative-Tech Festival website: the full Uniform Resource Locators (URL) clickstream to, through and from the Creative-Tech Festival website (including date and time); page response times; download errors; length of visits to certain pages; page interaction information (such as scrolling, clicks, and mouse-overs); and methods used to browse away from the last page visited. We may also keep a record of any telephone number that you call us from.
• Information we receive from other sources – If you give us permission, we may also embed video feeds from your YouTube or Vimeo accounts when you register on the Creative-Tech Festival website. Some or all of this information may be publicly visible and may be displayed in search engine results.
• Information provided to us when you communicate with us for any reason, whether via email, letter, through the Creative-Tech Festival website or via our helpline.
• Immersive Experience on the Oculus store – Creative-Tech Festival does not collect or process any data from this experience.
• Personal data collected by Basildon Council, through our website or otherwise, is often limited to contact details and some basic information about your area of work and employment status, but may include other information necessary to provide a particular service you have requested. For example, if you are applying for a service for which government funding is available, you may need to answer certain additional questions, such as your age and your current education and employment status, in order for us to evaluate whether you are eligible for that funding.

Special category data

We may also need to process certain categories of personal data, which are regarded in data protection law as more sensitive and are known as ‘special category data’. Special category data might include information about your health (for example, details of any disabilities), or data revealing your racial or ethnic origin or trade union membership, where you shared this information with us. Where Positive Action is being used for particular services or opportunities, those cases will be clearly noted on the application, and you will be asked for your consent.

Your rights

You have the right to request confirmation if we are processing your personal data, and where it is the case, access to your data and some additional information about the way we’ve been processing it. You can exercise your right through making a Subject Access Request. You can make a request in writing or orally, but we encourage you to email us at dataprotectionofficer@basildon.gov.uk, whenever possible.

In addition to your right of access, in certain circumstances you also have the following rights:

• The right to access the personal data we are holding about you
• The right to have your personal data rectified where it is inaccurate or incomplete
• The right to have your personal data erased in certain circumstances, for example where the personal data is no longer necessary in relation to the purposes for which we have collected them as set out above
• The right to obtain restriction of processing in certain circumstances, for example where you have contested the accuracy of the personal data, for the period enabling us to verify the accuracy of the personal data
• The right to lodge a complaint to the Information Commissioners Office (ICO) that acts as the UK regulator
• The right to object to processing
• The right to data portability, i.e. to receive your personal data in a structured, commonly used machine readable format, and to have that personal data transmitted directly to another data controller
• The right to withdraw your consent, at any time, for the processing of your personal data.
• When we receive a request from you in writing, (which is called a Subject Access Request) we must give you access to all the personal data we hold about you.

However, we cannot let you see any parts of your record which contain:

• Confidential information about other people
• Data we believe will cause serious harm to you or someone else's physical or mental wellbeing
• Data we believe would enable you to stop us from preventing or detecting a crime.
• Where your personal data has been shared with other individuals or organisations, we will do what we can to make sure that those parties also comply with data privacy laws.

Please note that all of these rights are subject to certain safeguards or exemptions, and we will always respond to your request in accordance with data protection law. To exercise any of these rights, please contact us.

Retention of your personal data

We will retain your personal data for as long as necessary for the purposes already set out above, or for as long as it is required by law. Please note that we cannot delete your information where:

• We are required to retain it by law
• It is used for freedom of expression
• It is in the public interest or processed for public health purposes
• It is needed for scientific or historical research, or statistical purposes
• It is necessary for ongoing legal claims

If you cannot ask for your records in writing, you can submit a query about access to your personal data by contacting our Data Protection Officer (DPO) using the methods set out below.

Sharing your personal data

For each of the purposes set out above, we are relying on your explicit consent, and may share your details with other third party individuals or organisations such as fraud prevention agencies, the police, hospitals, the fire brigade, courts etc.

Many of the Creative Tech Festival events and activities that are delivered as part of the festival are delivered by third party organisations and we need to share your data with these organisations for the purposes of running these events and activities safely and professionally (i.e., registers of attendance, fire marshalling arrangements etc.). Where this happens, the terms and conditions of the event booking will clearly state who your data is being shared with.

We share with our service providers only that data that is strictly necessary to provide the service and we have appropriate agreements in place that require them to comply with data protection laws and protect your personal data with the same care as we do. Your personal data will only be shared with partners or funders connected with the event/training opportunity you have applied for. Where we need to share it with a specific organisation, e.g. the Department for Levelling Up, Housing and Communities or our training provider partner, we will ask your (or, if you are a child, your parent’s) permission to do so.

We also use a range of organisations to either store personal data or help deliver our services to you. Where we have these arrangements, there is always an agreement in place to make sure that the external organisation complies with data protection law. We will complete a Privacy Impact Assessment (PIA) before we share personal data to make sure we protect your privacy and to comply with the law.

We may disclose your personal data if we are required to do so under a legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction.

Other than this, we will not share your personal data with other organisations without your consent.

Protecting your personal data

We do all that we can to make sure we hold your personal data in a secure way, and we only share personal data with those who have a right to see it. Examples of our security measures include:

• Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what's called a 'cypher'. The hidden information is said to then be 'encrypted'
• Pseudonymisation, meaning that we'll use a different name so we can hide parts of your personal information from view. This means that someone outside of the council could work on your information for us without ever knowing it was yours
• Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
• Training for our staff allows us to make them aware of how to handle information and how and when to report incidents when something goes wrong
• Regular testing of our technology and ways of working; including keeping up to date on the latest security updates (commonly called patches).

Where we store your personal information

All information you provide to us is stored, usually within the UK or the European Economic Area (EEA), on secure servers hosted by us or third parties providing hosting or other services for us.

We store application details including personal, sensitive data in electronic forms which are filed on our secure intranet. Hard copies of application forms are stored in lockable cabinets in a secure office environment.

Owing to matters such as financial or technical considerations the information you provide to us may be transferred to countries outside the European Economic Area (EEA), which are not subject to the same data protection regulations as apply in the UK. We may do this as some corporate systems are hosted on servers outside of EEA e.g. USA, Switzerland etc.

We meet our obligations under the UK GDPR by ensuring that the information has equivalent protection as if it were being held within the EEA. This will usually be because the country either benefits from an adequacy determination and/or, where appropriate, we have entered into a Data Processing Agreement with the third party which contains model EU clauses recognised as a valid data transfer mechanism in the UK.

We will take all practical steps to ensure that your personal data is not sent to a country that is not seen as 'safe' either by the UK or EU Governments. If we need to send your information to an 'unsafe' location, we will always seek advice from the Information Commissioner's Office (ICO) first.

Information security

We take every reasonable precaution to protect against the loss, misuse or alteration of your personal data and to ensure that it will be processed in accordance with this Policy. Unfortunately, the transmission of data via the internet is not completely secure and therefore we cannot guarantee the security of data sent to us electronically.

You acknowledge and accept that, despite our efforts to protect your personal data, there is a risk that others may try to intercept the information you provide to us. Transmission of your personal data is entirely at your own risk. Once we have received your personal data, we use strict procedures and security features to prevent unauthorised access. Where we have given you (or where you have chosen) a password so that you can access certain parts of our site, you are responsible for keeping this password confidential.

Third party links

We have taken care to ensure that the information on the Creative-Tech Festival website is correct. However, no warranty, express or implied, is given as to its accuracy and the Creative-Tech Festival website does not accept any liability for error or omission. The Creative-Tech Festival website is not responsible for how the information is used, how it is interpreted or what reliance is placed on it. We do not guarantee that the information on the Creative-Tech Festival website is fit for any particular purpose. You should also be aware that the availability of courses of study is subject to conditions applied by individual institutions at their sole discretion.

You will find links to third party websites on the Creative-Tech Festival website. These third party websites should have their own privacy policies which you should check before you submit any personal data to them. We are not responsible and do not accept any liability for the privacy practices or content of such websites. The Creative-Tech Festival website does not endorse any of the products or services of third party organisations contained within its sites unless expressly stated.

Changes to this Privacy Policy

We keep this Privacy Policy under regular review and we may, from time to time, update or otherwise modify this Privacy Policy. We will notify you of any changes to this Privacy Policy by posting the modified Privacy Policy on the Creative Tech Festival website, or if these changes are substantial, we would bring it to your attention directly.

Help and advice

If you have any enquiries or concerns about how your personal information is handled, please contact our Data Protection Officer (DPO) by emailing dataprotectionofficer@basildon.gov.uk, telephoning 01268 533333 or writing to The Data Protection Officer, Basildon Borough Council, Basildon Centre, St. Martin's Square, Basildon SS14 1DL.

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO) by emailing casework@ico.org.uk, phoning 0303 123 1113 or writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Further independent advice about data protection, privacy and data sharing issues is available from the Information Commissioner's Office, see Information Commissioner's Office (ICO).