The Heights Ballet and Theatre School Data Protection PolicyINTRODUCTION
The Heights is committed to protecting you and your dependents’ personal information. We are committed to providing a safe environment for all our customers, pupils, self-employed staff, and everybody that comes into contact with us, whether physically or online.
This Privacy Statement relates to the use of any personal information provided to us online, or via application forms, telephone, email exchange, letters, or other correspondence.
Whenever you provide such information, we are legally obliged to use your information in line with the current legislation concerning the protection of personal information, including the Data Protections Act 1998, and the General Data Protection Regulation 2018 (GDPR).
This policy is effective from May 2018 and has been reviewed and updated August 2020.
DATA PROTECTION PRINCIPLES
The legislation sets out various data protection principles. These include that personal information is:
· Used fairly and lawfully
· Used for limited, specifically stated purposes Used in a way that is adequate, relevant and not excessive
· Kept for no longer than is absolutely necessary
· Kept safe and secure
· Not transferred outside the European economic area without adequate protection
The legislation conveys various individual rights. These include the following:
· The right to be informed
· The right of access
· The right to rectification
· The right to erase
· The right to restrict processing
· The right to data portability
· The right to object
· Rights in relation to automated decision making and profiling
WHAT INFORMATION DO WE COLLECT?
The legislation requires that there is a clear legal basis for processing personal information. In general The Heights relies on the individual’s consent in order to process their data.
When you participate in or sign up to any class, activity or workshop at The Heights, we may collect and store personal information about you. This can consist of information such as your (or your child’s) name, email address, postal address, telephone or mobile number and date of birth, depending on how you are engaging with us. By submitting your details, you enable us to provide you with the products or services that you have selected.
When taking pictures of students in class or filming performances, The Heights ask for parental permission. The Heights may use the images resulting from the photography/video filming, and any reproductions or adaptations of the images for fundraising, publicity or other purposes to help achieve the school’s aims. This might include (but is not limited to), the right to use them in their printed and online publicity, social media, press releases and funding applications.
The Heights does NOT share your personal information with third parties, unless clearly stated. We do NOT sell your data, and neither do we buy data from third parties.
A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
LINKS TO OTHER WEBSITES
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
HOW WE USE YOUR PERSONAL INFORMATION?
We will use your personal information for a number of purposes including:
· To provide you with information about our products, services and activities and to deal with your requests and enquiries, including complaints
· For "service administration purposes", which means that we may contact you for reasons related to the service or activity you signed up for (e.g., change of details regarding a class you attend, etc.)
· To contact you about an application you have made
· As and when we need to use your personal information for reasons other than the ones specified above, we will ensure that we notify you first. You will be given the opportunity to withhold or withdraw your consent for the use of your personal information for purposes other than those listed above.
USE OF DATA PROCESSORS
Data processors are third parties who provide services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct. The following is a list of our main data processors.
When sending letters, parcels, publications and purchases we will share your postal address with the delivery service (Normally Royal Mail or Parcel Force).
We use a third party service, Vistaprint to host our website. Vistaprint are contractually obliged to treat any information on our private website as confidential and only use such information for the purpose of providing The Heights with web hosting.
INVOICING AND DATABASE
We use a third party service, ThinkSmart software to store your information and use it for administrative purposes such as timetables, registers, emailing and invoicing customers.
THE HEIGHTS MAY CONTACT YOU:
· To send you relevant communications for payment of fees and changes to classes
· In relation to any service or activity you have signed up for in order to ensure that we can deliver the services to you
· In relation to any correspondence we receive from you or any comment or complaint you make about our products or services
· To send you information you requested when you voluntarily contacted us via our website
HOW LONG WILL WE KEEP YOUR PERSONAL INFORMATION?
We keep the information we hold about our customers and students for as long as is necessary to deliver the services we are providing you with.
WHERE IS THE INFORMATION STORED?
We use secure technologies to help protect your personal information from unauthorised access, use or disclosure. We store personal information you provide on computer systems which have carefully controlled access and which are located in secure facilities.
The security measures described above ensure that all reasonable steps are taken to protect your personal information. However, the nature of the Internet means that an absolute guarantee of security cannot be offered, and, as with all Internet transactions, you should be aware that there may be a small security risk when disclosing information online
CAN I FIND OUT WHAT PERSONAL INFORMATION THE HEIGHTS HOLDS ABOUT ME?
You have the right to access certain personal information held about you. If you wish to make a Data Subject Access Request, please contact us via email.
We may disclose your information to governmental agencies or entities, regulatory authorities, or other persons in line with any applicable law, regulations, court order or official request.
GENERAL DATA PROTECTION REGULATION POLICY STATEMENT
GDPR stands for General Data Protection Regulation and replaces the previous Data Protection Directives that were in place.
It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018. GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’ and that individuals data is not processed without their knowledge and are only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals.
The Heights is committed to protecting the rights and freedoms of individuals with respect to the processing of children's, parents, visitors and staff personal data. The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
GDPR INCLUDES 7 RIGHTS FOR INDIVIDUALS
1) THE RIGHT TO BE INFORMED
The Heights is required to collect and manage certain data. We need to know parent’s names, addresses, telephone numbers, email addresses. We need to know children’s’ full names, addresses, date of birth along with any SEN or medical requirements.
We are required to collect certain details of visitors and chaperones to our dance school. We need to know visitors and chaperones names, telephone numbers, and where appropriate company name. This is in respect of our Health and Safety and Safeguarding Policies.
Although our teachers are self-employed, The Heights is required to hold data on its Teachers; names, addresses, email addresses, telephone numbers, date of birth, National Insurance numbers and in some cases, photographic ID such as passport and driver’s license, bank details. This information is also required for Disclosure and Barring Service checks (DBS) and proof of eligibility to work in the UK. Copies of teachers DBS are shared with the respective schools in which the teachers work in for Safeguarding purposes.
2) THE RIGHT OF ACCESS
At any point an individual can make a request relating to their data and The Heights will need to provide a response (within 1 month). The Heights can refuse a request, if we have a lawful obligation to retain data but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.
3) THE RIGHT TO ERASURE
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However The Heights has a legal duty to keep children’s and parents details for a reasonable time, The Heights retains these records for 3 years after leaving the dance school, children's accident and injury records for 19 years (or until the child reaches 21 years), and 22 years (or until the child reaches 24 years) for Child Protection records.
Teachers records must be kept for 6 years after the member of leaves, before they can be erased.
This data is archived securely onsite and shredded after the legal retention period.
4) THE RIGHT TO RESTRICT PROCESSING
Parents, visitors and staff can object to The Heights processing their data. This means that records can be stored but must not be used in any way, for example reports or for communications.
5) THE RIGHT TO DATA PORTABILITY
The Heights requires data to be transferred from one IT system to another; such as from The Heights to the Local Authority, for performance licences or to external associates/events schemes for applications purposes. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
6) THE RIGHT TO OBJECT
Parents, visitors and staff can object to their data being used for certain activities like marketing or research.
7) THE RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING INCLUDING PROFILING Automated decisions and profiling are used for marketing based organisations. The Heights does not use personal data for such purposes.
STORAGE AND USE OF PERSONAL INFORMATION
All information is stored via 3rd party digital software, Thinksmart.
Information about individual children is used in certain documents, such as, a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children's names, date of birth, contact numbers and sometimes address. Any paper copies of this information are shredded after the relevant retention period.
The Heights stores personal data held visually in photographs or video clips or as sound recordings, and written consent has been obtained via the registration form. No full names are stored with images in photo albums, displays, on the website or on The Heights social media sites. Access to all The Heights staff computers and the Dancebiz (Thinksmart) database for registers is password protected. When a teacher leaves the company these passwords are changed in line with this policy and our Safeguarding policy. Any portable data storage used to store personal data, e.g. USB memory stick, are password protected.
GDPR MEANS THAT THE HEIGHTS MUST:
· Manage and process personal data properly
· Protect the individual’s rights to privacy
· Provide an individual with access to all personal information held on them
IF YOU ANY QUESTIONS OR COMMENTS ABOUT THIS PRIVACY STATEMENT OR GDPR POLICY PLEASE EMAIL [email protected]