How we use your personal information

Preface

This statement explains how the First and Third Trinity Boat Club May Ball Committee (“the Committee”, “we”, and “our”) and Trinity College (“the College”) collects, handles, and uses information we collect about attendees, performers, workers, and contractors (“you” and “your”) through your use of our website and ticket managing platform, or in the relation to the operation and production of the Trinity May Ball (“the Event”).

When changes are made to this statement, we will publish the updated version on our website and notify you by other communications channels as we deem appropriate or necessary.

The controller for your personal data is the Committee, located at Trinity College, Cambridge, CB2 1TQ. The Data Protection Officers for the Committee are the Presidents (president@trinityball.co.uk) and IT Officer(s) (it@trinityball.co.uk). If you have any concerns about how the Committee is managing your personal information, or if you require advice on how to exercise your rights as outlined in this statement, please make an enquiry via email to president@trinityball.co.uk or in writing, ensuring that you provide us with enough information to identify you, to our mailing address:

Trinity May Ball President Trinity College Trinity Street Cambridge CB2 1TQ

For further advice, the person within the College otherwise responsible for data protection at the time of issue, and the person who is responsible for monitoring compliance with relevant legislation in relation to the protection of personal data, may be contacted via email at data.protection@trin.cam.ac.uk.

We try to respond to all legitimate requests within one month. However, if your request is particularly complex or you have made several requests, it may take us longer than a month. In this case, we will notify you and keep you updated.

The normal legal basis for processing your personal information is that it is necessary in the performance of one or more contracts with us, which include:

1. the allocation of tickets;

2. the provision of goods and services for the Event;

3. the performance of your employment contract or agreement we hold with you, and;

4. statutory purposes, which may include processing your salary, tax returns, and payment of invoices.

For some specific purposes, we may rely on another legal basis, including where we are required for compliance with a legal obligation, or where we believe it is in our legitimate interest to do so. If you have specific concerns, you may ask us for further information on these matters at any time by contacting the Presidents (president@trinityball.co.uk) or data.protection@trin.cam.ac.uk.

1. How your information is used by the Committee

We collect and process your personal information, as specified below, for a number of purposes, as described below:

1. Maintaining information for the booking and allocation of tickets for the Event.

   1. We will hold your personal details and those of your guests, ensuring effective communications with you. These will include:

      1. full name;
      2. contact email address;
      3. matriculation year;
      4. ticket delivery address;
      5. dietary requirements, and;
      6. University of Cambridge and College affiliation or alumni status.

   2. Personal data we collect for Dining Upgrade guests will include your personal details (as in 1.1 above), together with any dietary requirements, your guest’s name, and their dietary requirements.

   3. We may also use your personal information for the following purposes:

      1. to send transactional and service messages in relation to your ticket;
      2. to provide customer service and support;
      3. to comply with legal or regulatory requirements, and;
      4. to help us establish, exercise, or defend legal claims.

   4. We also collect and store transaction data, which includes information about payments and details of purchases you have made.

   5. We also collect and store internet protocol (IP) addresses and user-agent (UA) strings for the devices you use to access our website and ticket managing platform.

2. Maintaining information on the Contractors providing a service for the production of the Event, including, but not limited to: external service companies, stall providers, and security providers.

   1. We will collect your details, which will include:
      1. names of the primary contact and all staff present on the Site on the night of the Event;
      2. copies of driving licences or passports for all staff who will be present on the Site on the night of the Event;
      3. company addresses and registration details;
      4. vehicle number plates for any vehicles used to deliver goods or transport staff in the lead up to the Event;
      5. preferred contact details, and;
      6. bank details for funds transferred for the provision of goods and, or services.

3. Maintaining information necessary for the registration and processing of casual workers, including student workers.

   1. We will collect your details, which will include your:
      1. full name;
      2. address;
      3. date of birth;
      4. contact details, which may include a phone number and, or email address;
      5. National Insurance number;
      6. tax codes and other relevant information required by HMRC;
      7. proof of eligibility to work, which may include a passport or photograph;
      8. bank details for funds transferred for the provision of goods and, or services, and;
      9. details of any relevant work experience.

4. Maintaining information necessary for the processing and payment of bands and performers.

   1. We will collect details relevant to your performance, including your:
      1. stage name or name of act;
      2. name and preferred contact details of your agent and, or manager;
      3. bank details for funds transferred for the provision of goods and, or services, and;
      4. Information relevant to the assessment of artists and performers, which may include information about fan base, sales and attendance figures, past performances, and upcoming events.

5. Maintaining a record, where appropriate, of any particular personal needs you require to participate fully in the Event, including information about your general health and wellbeing.

   1. We will collect personal information, provided by you or created by us, including:

      1. University Student Support Documents (SSDs), and;
      2. copies of statements from professional medical advisers.

   2. We recognise that much of the personal information outlined above is of a sensitive nature and requires a high degree of discretion. Wherever possible, we will discuss and agree with you in advance with whom and when we share this information, but we reserve the right to disclose information to others in matters relating to significant risks to your health and safety, or the health and safety of other attendees.

We use social media channels (including Facebook, Instagram, and LinkTree) to publish information relating to the Event.

1. If you follow, or otherwise engage with, our social media channels, we will collect usage data to analyse how users interact with these channels.

2. If you use social media to send us messages or posts, we may use your social media handle(s) to communicate with you.

3. When you interact with our social media accounts, the social media service providers will also process your personal data for the purposes set out above as joint controllers. For further information, we direct you to review the privacy notices published by the social media service providers.

The College also operates closed-circuit television (CCTV) throughout the premises, which will capture footage and may record your image as you move throughout the site, as well as a SALTO lock system, which uses user-ID technology. The CCTV policy is available at: https://www.trin.cam.ac.uk/dpn/.

In the event that a first aid or medical incident occurs during the Event, limited personal and health information may be collected and recorded about you, or any other affected individual by either us, our appointed third-party first aid provider, St John Ambulance, a company registered in England (with the company registration number 3866129) and a registered charity, or both; in order to deliver appropriate medical care and comply with health and safety obligations.

1. This may include:

   1. the name and contact details of the individual(s) involved;
   2. the nature of the illness or injury;
   3. details of treatment administered;
   4. the date, time, and location of the incident, and;
   5. any witness information (where relevant).

2. Initial data collection is carried out by our third-party medical services provider, who operates as an independent data controller for the purposes of providing medical care. Subject to our arrangements with St John Ambulance, information about first aid or medical incidents may be securely shared with the Committee, who will act as a separate data controller when retaining the information for health and safety, legal, or insurance purposes under this Privacy Policy. Those arrangements are as follows:

   1. St John Ambulance may, at their discretion, provide the Committee with information requested by us in order to assist us in complying with our reporting obligations under RIDDOR 2013 for work-related injuries, and such information may include patient personal data. St John Ambulance will not otherwise provide us with any personal data of patients treated by St John Ambulance without evidence that this is with their consent.

   2. Following the Event, St John Ambulance will provide us, upon request, with information regarding the services St John Ambulance have provided at the Event, which will be in a summarised form, in order to protect patient confidentiality.

   3. If we receive any request for patient information from another person or organisation, we will ask them to request this from the St John’s Ambulance Data Protection Officer directly by email at data-protection@sja.org.uk.

If you have concerns or queries about any of these purposes, please contact the Presidents (president@trinityball.co.uk) or data.protection@trin.cam.ac.uk.

2. How long we keep your information for

Personal data collected in 1.1, 1.4, and 1.5.1 will not be retained for longer than 12 months after the Event, unless retention is required for legal, accounting, or reporting purposes.

Data collected in 1.3 will be retained and updated by the Committee for up to three consecutive Balls; written contracts for services are destroyed six years after the Event.

For staff, including students employed as casual workers by the Committee, your data (as outlined in 1.3.1) is held as part of your employment record by Trinity College. For further details, including how long the College retains your information, please contact the Director of Human Resources at Trinity College (hr@trin.cam.ac.uk).

3. How we share your personal data

Personal data is not normally shared outside of the Committee and its members. We share some of your personal information with the College, who acts as a data processor for the Committee, and only where there is a specific need to, including:

1. to verify your eligibility for Discounted Internal tickets through the Cambridge Bursary Scheme;

2. to enable verification of the attendance list by the Dean of Trinity College;

3. to process payments of casual workers via Cascade, the College’s payroll management system;

4. to generate and disseminate P45 forms and payslips to casual workers via Cascade, and;

5. to monitor and manage attendance at the Event and event security.

We may disclose personal information to our professional advisers, such as lawyers, auditors, accountants, and insurers, if necessary, as part of the professional services they are providing.

The Committee also hires photographers to take photographers of attendees to the Event, either individually and, or as a group. By purchasing a ticket to the Event, you consent to being photographed, filmed, and, or recorded. This media may be put on public display on the official social media accounts of the Ball for promotional purposes.

We may use third-party services to process and store your personal information, where the service they provide is directly relevant to the operation of the Event. We use commercial secure cloud services such as, but not limited to:

1. Microsoft SharePoint;

2. Google Drive;

3. Apple Mail;

4. Thunderbird;

5. Outlook;

6. Cascade;

7. University email accounts (i.e. CRSid emails), and;

8. the personal devices of members of the Committee.

Where we manage your data within College and our ticketing management platform, we use cloud-based storage systems such as Microsoft SharePoint, and hosted within European borders, where personal data is routinely handled by a third party. Microsoft complies with European General Data Protection Regulation (GDPR) legislation and maintains multiple security and governance accreditations.

We have implemented generally accepted standards of technology and operational security to prevent personal information from being accidentally lost, used, or accessed in an unauthorised or unlawful way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you promptly in the event of any breach of your personal data which might expose you to serious risk.

We may also be subject to a legal requirement, with or without your consent, to share your personal information with the College or a government agency, such as the police or other statutory authorities with investigatory powers, under special circumstances (e.g. relating to taxation, crime, or health and safety). Where possible, we will notify you of our intention to share such information in advance.

4. Lawful basis for processing your data

Under UK GDPR Article 6(1)(f), the processing is necessary for the purposes of our legitimate interests in ensuring the safety of attendees and fulfilling our legal and insurance obligations. For special category data (including health-related information), the lawful basis under UK GDPR Article 9(2)(c) (processing necessary to protect the vital interests of the data subject) and, or Article 9(2)(f) (establishment, exercise or defence of legal claims) may apply. For recognized legitimate interests (national security, public security and defence; emergencies; crime; safeguarding vulnerable individuals) DUAA Section 112 read with Schedule 12 map apply.

5. Publication of your personal information

You are urged to be careful when sharing personal information about other attendees in public social media sites and other similar environments. We would not normally make your personal information publicly available without your consent.

Please also note the University’s people search function may also be widened to be accessible to the general public by changing the settings at http://www.lookup.cam.ac.uk/self. The Committee may use this service to verify the collected information as described in Section 1.1.

6. Your Rights

You have the right to:

1. ask us for access to, rectification, or erasure of your personal information;

2. ask us to restrict the processing of your personal information (pending correction or deletion);

3. receive the personal information concerning you which you have provided to us in a structured, common-used, and machine-readable format;

4. withdraw your consent to our processing of your personal information, where we have collected and processed it with your consent;

5. object to communications, and;

6. to ask for the transfer of your personal information electronically to a third party (data portability).

You will not have to pay a fee to access your personal information (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Some of these rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them.

If you have questions or concerns about your personal information, or how it is used and stored, please contact us using the details at the start of this document.

If you remain unhappy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (https://ico.org.uk/concerns/).

Trinity May Ball Committee and Trinity College Data Protection Team

Version Control

This version was last updated on 31st December 2025. To ensure that you are always aware of how we use your personal data, we will update this Privacy Policy periodically to reflect any changes to our use of your personal information and, as required, to comply with changes in applicable law or regulatory requirements. However, we encourage you to review this Privacy Policy regularly to be informed of how we use your personal data.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes.