Information on the accepted submission and management of events is detailed in the events policy.
University events – Public Entertainment Licences
The following information is provided for the attention of any person(s) planning or organising a licenced event which includes entertainment (disco, live band, dance) on University property:
- In terms of the Civic Government (Scotland) Act 1982, a Public Entertainment Licence is required for the use of premises for the provision of public entertainment. Exemptions to this include, amongst others: licensed premises where public entertainment is being provided during the permitted hours of a premises licence or occasional licence. So, on that basis, there has not been a requirement to apply for a Public Entertainment Licence where the entertainment is being provided in premises operating under an alcohol licence, be it a full licence or an occasional licence.
The Air Weapons & Licensing (Scotland) Act 2015, Section 75 has, since November 2016, restricted the exemption from the requirement to apply for a Public Entertainment Licence to those sites with a premises licence only, or to a temporary site which has been specified in the original premises licence application as a ‘temporary premises’ (for instance, where there is a fire or some other event making the original premises unfit for use and there is a need to decant to an alternative).
Consequently, the exemption is now much narrower and does not extend to events being run external to the premises covered by the premises licence under an occasional licence. For example, for every student event in the form of a ball, whether live or DJ music is provided, there is now a requirement for a Public Entertainment Licence in addition to the Union’s Occasional Licence.
It is the responsibility of the society or other organiser to apply and pay for the licence from Fife Council. Fife Council estimate a three month lead time for applications, though initially they will accept applications with a shorter lead time. An application pack can be found online.
Your data and privacy notice
The University of St Andrews runs hundreds of events each year, open to staff, students, alumni and the wider St Andrews community. The University wishes to ensure that all users are able to find events, reserve a place on relevant events and receive updates on events of interest. This requires that, in some cases, the University makes use of your personal data, including your name and contact email address.
The protection of personal information collected and processed by the University is legislated through the European and UK legislation, notably through the General Data Protection Regulations (more commonly known as the GDPR), the Data Protection Act 2018 (“the DPA”) and through rules on direct marketing activities as provided by Privacy and Electronic Communication Regulations 2003 (“the PECR”). The University takes its obligations to protect personal information and to uphold the rights and freedoms of individuals seriously.
One of the core principles of data protection legislation is that personal data is processed fairly. Fairly, in this context, is concerned with individuals being informed as to how their personal information will be used. It is important that the University is clear about how personal data will be used to communicate events information, so that you can let us know if you wish for the University to act differently.
The purpose of this statement is therefore to inform all those who use the University events calendar how their personal information will be used by the University, and to set out our promise to you that –
The University will work at all times to protect your privacy. We will only make use of your personal data for clearly stated purposes and we will always respect and uphold your rights.
The University events calendar exists to hold, publish and promote events which staff and students at the University run; both students and staff are able to upload their events to the events calendar. Some events are ticketed and require users to reserve a place at an event. The events calendar allows users to reserve a place on these events, receiving updates as to the time, duration and location of such events. For all events the event organiser is able to view the names of attendees in advance of the event, in order to confirm that event attendees have reserved a place. For events organised by members of University staff, the event organiser is also able to send event updates via the submitted email address. For events organised by students, any event update emails will only be sent by the University events administrator and students will have no access to your email address.
In order for you to reserve a place at a ticketed event, we ask for you to submit your name and contact email address into the events system in order to reserve a place at an event. This information is held from the point that you submit the booking, and your details will be automatically deleted from the system seven days after the end of the event. No other personal details are held other than the name and contact details that you have submitted.
This Privacy Notice:
- Introduces the University’s responsibilities and obligations as a data controller – the organisation responsible for protecting and determining how your personal data will be used to allow event reservations and event communications in regards to St Andrews events;
- Explains how your personal data will be used and the legal basis which the University will draw upon when using your personal data responsibly;
- Provides an overview as to how your personal data will be used;
- Informs you who has access to your personal data and the limited conditions under which your personal data may be made available to a third party;
- Identifies other organisations and/or individuals that personal data may be shared with (recipients);
- States how long personal data will be retained, or, where that is not possible, the criteria used to determine this;
- Explains your privacy rights and the steps you can take to exercise these; and
- Explains how the University will protect your personal data, keeping this safe and secure.
4 Who collects and decides how your personal data will be used: the identity and contact details of the data controller
It is important that individuals understand the identity of the organisations/entities who collect and decide how personal data are to be used, as without that understanding it can be difficult for people to exercise their rights. In data protection terms, the organisation that determines the purposes for which personal data is to be used is the data controller. The data controller is also responsible for upholding your privacy rights, as provided for in European and UK data protection legislation. In this instance, the identity and contact details of the data controller are:
- University of St Andrews, College Gate, North Street, St Andrews, KY16 9AJ, Fife, Scotland, UK. The University is a charity registered in Scotland, No SC013532.
5 The contact details of the University data protection officer
Some organisations are required to appoint a Data Protection Officer (DPO). A DPO is an independent position; tasked with supporting organisations in complying with data protection legislation. The contact details for the University’s DPO are:
Christopher Milne, Head of Information Assurance and Governance, University of St Andrews, Butts Wynd, North Street, St Andrews, KY16 9AJ, Fife. Email firstname.lastname@example.org
6 How do we collect your personal data?
Your data is collected when you request to reserve a place on a ticketed event. The University also allows individuals to reserve places for guests, at which point we will also collect the name of any guests who wish to attend.
For more information on log files, see data protection and privacy server
7 The purposes for which the University will make use of your data
If you request to book a place at an event which requires a reservation, you will be asked to provide a contact email address, to send out an email ticket. We will also request your first name and surname, to ensure that the people who attend events match the people who have booked onto the events.
The University may use your personal data, to support the following activities:
- Ensure that those who have reserved a place at an event are admitted
For events with limited places, the event organiser will ask attendees to bring their ticket or provide their name (and for events organised by staff members, email address) to check that they have booked places to that event.
- Communicate with you regarding changes to an event
If an event is cancelled, or key information such as location, time, duration or event information changes after you have reserved a place at an event, the event organiser (for events organised by University staff) or University event administrator (for events run by students) will communicate the changes to you via email.
- Communicate with you regarding event feedback
After some events, the event administrator may send a link to an anonymous feedback survey to event attendees to allow them to give feedback on events.
8 Using your data lawfully: the legal bases for processing personal data
The University can only make use of personal data with reference to one of the stated legal bases for processing, as listed in the GDPR and the DPA. The most common legal bases that the University will rely upon for the lawful processing of alumni/donor personal data for the purposes/activities introduced, above, are outlined below:
The University will only use your contact details to book you onto events which you have reserved a place upon and to communicate with you regarding these events.
The University maintains a catalogue of the purposes of processing personal data and the corresponding legal basis. For full details please see the data protection webpage, or email email@example.com.
9 Who will make use of your personal data?
9.1 Within the University
On a day to day basis your personal data will be used by the event organiser of the events which you have requested to attend.
9.2 Outwith the University i.e. to third parties
The University will never share your personal data with another charity or similar third party to use for their own purposes, unless we are required to do so by law, e.g. where served with a court order or for the purposes of prevention of fraud or other crime. The University will never sell your personal data.
The University events calendar is hosted upon a third-party hosting service, WP Engine. The University does not pass any data on to WP Engine, but it is technically possible for WP Engine to access the personal data of those who reserve a place at an event.
The contract with WP Engine states that we will only disclose the minimum information necessary to support the events calendar and there is a contract in place to ensure that WP Engine to only make use of your information for the purposes set out by the University and that they have in place measures to protect and keep your details secure.
In addition to the above, the University may disclose certain personal data to external bodies as categorised below. At all times, the amount of information disclosed and the manner in which it is disclosed will be in accordance with the provisions and obligations of European and UK data protection legislation. Please note this is not an exhaustive list.
- Courts of law and Tribunals
The University will provide personal data to a named entity or person, when instructed to do so by Court Order or decree, unless a successful challenge to such an order is made.
- Law enforcement agencies
The University may provide personal data to law enforcement agencies, where there is just cause, for the: prevention and detection of crime; apprehension and prosecution of offenders; assessment or collection of any tax or duty or imposition of a similar nature; or any matters pertinent to national security.Prior to the release of personal data to the Police or a relevant authority, for the purposes noted, above, the University will first satisfy itself that a request is legitimate and that the disclosure of the personal data is lawful. In this regard, the University will make reference to the provisions from relevant data protection legislation.
10 Details of transfers of personal data to countries outwith the EEA
The University will not transfer contact details outwith the EEA.
11 How long will the University make use of your personal data in regards to events?
Your data will be held from the point that you submit a request to reserve a place at an event, and will be automatically deleted from the system seven days after the end of the event.
The University follows best practice records retention periods, notably those published by the Joint Information Systems Committee (“the JISC”) to help determine the relevant storage times. See details of JISC recommended retention periods
12 How will the University protect and secure your personal data?
The University puts in place a series of technical and organisational measures to protect and safeguard all data it holds. For example, data is securely stored in dedicated data centres, where appropriate data and devices are encrypted, staff receive training and briefings on information security and data handling. The effectiveness of those measures is routinely tested by the University Court (via its Audit and Risk Committee), and through internal and external audit.
13 Your rights
European and UK data protection legislation provides individuals with a number of rights regarding the management of their personal data, these rights are:
- The right of access to your personal data, commonly referred to as a subject access request, which involves the following being carried out within a calendar month:
- Confirmation that personal data is being processed.
- Access being given to your personal data (provision of a copy), unless an exemption(s) applies; and
- The provision of supplementary information e.g. an explanation of how your personal data is processed and who this is shared with.
- The right to rectification, which may involve:
- The University working to correct any inaccuracies in personal data or to address any omissions, which may require personal data to be annotated to acknowledge that this is incomplete.
- The right to erasure (the deletion of personal data, in specific circumstances), which is commonly referred to as “the right to be forgotten”, which may involve:
- The University destroying specific personal data.
- The right to restrict processing, which may involve:
- The University agreeing to stop making use of specified personal data e.g. where those data are contested, in terms of accuracy.
- The right to data portability, which may involve:
- The University providing you with a copy of elements of your personal data that exist in machine readable form that you have given to the University.
- The right to object. Individuals have the right to object to the University making use of personal data where:
- Either legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling) is the legal basis that the University has relied on for making use of the said data; and
- The data in question is used for direct marketing (including profiling) – in such circumstances the use of personal data must stop when an objection is received.
- Further details on the right to object are available from the University website.
In many instances, the rights introduced above are qualified i.e. in certain circumstances they are limited or they may not be available, and these may be further constrained by UK legislation, e.g. where personal data is only used for research or statistical purposes. Details of note include:
- The right of subject access can be refused or an administrative fee charged, where a request is found to be manifestly unreasonable or excessive. In addition, where a request is found to be complex or numerous requests are made, then the University can extend the time for compliance by 2 months.
- The right of erasure does not provide an absolute right to be forgotten. This right is only available in limited circumstances – notably where the legal basis for processing personal data is for the performance of a contract or linked to a statutory requirement, then the said right is not available. The University does not have to comply with a request for erasure where personal data is processed for the following reasons:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- In many instances the University processes personal data for the performance of its public tasks e.g. teaching, learning and research.
- For public health purposes in the public interest;
- Archiving purposes in the public interest, scientific research, historical or statistical purposes; or
- The exercise or defence of legal claims.
- The data portability right is only available to personal data which an individual has directly provided to the University and where the legal basis for processing that data is either contract or consent, and where the said personal data are processed by automatic means.
These rights have to be met by the University and any other organisation that takes decisions about how or why your personal data is used. Details on how to access those rights are available from the University website, or you can contact firstname.lastname@example.org.
14 The right to lodge a complaint with a supervisory authority
If you believe that the University has not made use of your personal data, in line with the requirements of data protection law, you have the right to raise this with the regulator i.e. the UK Information Commissioner Office’s (the ICO).
See details on how to contact the ICO
15 Revision of the privacy notice
The details as to how personal data are used to run the events calendar for the University will be reviewed annually – the University may make changes to the associated Privacy Notice from time to time. Any significant change to relevant legislation, University policy or procedures primarily concerned with the protection of personal data may trigger an earlier review. If we make any significant changes in the way we work with your personal information we will make this clear on the University events calendar webpages.
This Privacy Notice will be published on the University website and events calendar.
Should a copy of this Privacy Notice be required in another form, including orally i.e. an audio recording, please contact email@example.com.
17 Further information
If you have enquiries about this Privacy Notice, or wish to exercise any of your privacy rights, please contact the Digital Communications team or direct these to Mr Christopher Milne, University Data Protection Officer by e-mailing firstname.lastname@example.org.