Privacy Policy
PRIVACY NOTICE
The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. It has been agreed that Shelley Barrett, will be appointed as Data Protection Officer (DPO) and is therefore responsible for the safe storage of information relating to our students and parents. This Notice will provide information on how we, The Talent Shack are complying with this Regulation.
Purpose and Statement:
The Talent Shack is committed to ensuring the data processed by our charity remains safe and secure.
This policy has been w
General Principles
The Talent Shack is committed to providing fair and understandable privacy policies in relation to personal data.
The Talent Shack will, at all times, keep data in secure locations (including, but not limited to, encrypted and access restricted files) and not retain data unnecessarily or past the retention length as set out in this policy.
In the rare instance a data processor that is not a Talent Shack employee is used, such as a third party, the data subject will either be asked for consent pre to supplying the data or be notified and have the right to object to processing.
The Talent Shack customers and participants supply their personal data when signing up for classes through our registration form either via the website, or via paper form.
This is either completed by a parent/guardian or the child themselves if they deemed able to do so.
Personal data may also come to us unsolicited via enquiries through our website and to our generic email account.
To attend any of The Talent Shack ’s activities participants/parents/guardians must agree to some processing of their personal data. This is due to Legitimate Interests – GDPR Article 6(1)(f), Legal Obligation GDPR Article 6(1)(c), Contract – Article 6(1)(b) and/or Consent – Article 6(1)(a).
Should The Talent Shack be unable to process participant’s data, we would be contravening both our Health & Safety and Child Safeguarding policies. We would also be ignoring best practice regarding working with children/vulnerable adults.
Our participants must remain safe at all times, therefore information about participants must be collected in order to create registers and accurate student records. This information is also used to provide students with appropriate classes, including dividing students into age groups.
Special category data is only collected with the consent of the data subject. Special category data The Talent Shack collects includes but is not limited to: Medical/Disability information, Income information, Ethnicity, Gender and Sexuality.
As physical activity providers it is essential that this consent is given should a participant have any medical/disability needs. This allows us to incorporate participants safely into classes. It is also used in assessing if we can incorporate participants safely into classes.
Income information is only collected in instances where a participant applies to attend our classes at a concessionary price, or on a bursary. This financial support is means tested, and therefore is subject to documented proof. Proofs of entitlement to concession are shredded after the entitlement has been noted.
The Talent Shack] transports data with all due diligence. Enrolment forms are sent to The Talent Shack through an encrypted email server directly from our website which has controlled access. Received enrolment forms are stored on an encrypted email server for no more than 6 months. Received paper enrolment forms are destroyed after no more than 4 weeks.
Data received through enrolment forms is uploaded manually into our database software. Our database is stored both in encrypted files on office-based hardware and backed up regularly in our encrypted cloud-based server. Access to these files is restricted through password protection and only available to authorised staff members.
Registers and emergency contact lists created from student data are stored in encrypted files on office-based hardware and backed up regularly in our encrypted cloud-based server. Access to these files is restricted through password protection and only available to authorised staff members.
Hard copies of registers and emergency contacts are carried by authorised staff members. They are locked away while not in use. When they are no longer in use or out-dated, they are destroyed thoroughly.
Waiting lists are stored on an encrypted cloud-based server.
Our standard retention policy (without the data subject’s right to access, rectification and erasure etc.) is THREE YEARS post final attendance.
Exceptions to our retention policy:
- Financial records are kept for 6 years due to legal obligation
- First Aid records are kept for 21 years due to legal obligation
- Photo consent may be kept indefinitely
- Child Safeguarding records are kept indefinitely on a case-by-case basis, the minimum these will stored for is 6 years due to legal obligation
- Bank details are deleted after the action concerning them is complete
- Enquiries that do not turn into bookings with current classes are deleted after they have been dealt with
- [SCHOOL NAME] does not actively share data with third parties, however there are certain instances where
Child Safeguarding Concerns:
In the unlikely event The Talent Shack has a safeguarding concern in relation to one of our participants, The Talent Shack are legally required to provide data to the safeguarding board at the local council. The Talent Shack is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.
Event Programmes:
The Talent Shack may occasionally produce programmes for events. These will only ever contain the first name and first initial of a child’s last name (unless otherwise consented to). The name of a child’s class may also be included. Participants/their Parent and/or Guardians may choose if they want to be included in the programme when they agree to participate at an event.
Examination Entry:
In order to enter examinations, The Talent Shack must provide some personal data to examination boards (currently The Talent Shack work with: LAMDA, RAD and ABRSM). This sharing of data is to be consented to by the data subject and/or parent/guardian upon being entered for the exam.
Schools:
The Talent Shack must sometimes share personal data with schools (names, DOB and payment information) when taking part in an internal class in order for them to check persons attending. This also helps the school work out The Talent Shack ’s payment in terms of renting space. The Talent Shack is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.
Restrict Processing
You may contact The Talent Shack at any time in order to restrict the data we process relating to you and/or your child(ren).The Talent Shack will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt. However, due to our legitimate interest in most of the data collected- we may have to revoke your membership with The Talent Shack until the restriction is lifted. This is due to Health and Safety and Child Safeguarding.
Data Portability
You may contactThe Talent Shack at any time in order to obtain the data we process relating to you and/or your child(ren) and reuse it across different services. The Talent Shack will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt. Please note, this does not apply to The Talent Shack ’s legal obligations.
Objection
You may contact The Talent Shack at any time in order to object to the processing of data relating to you and/or your child(ren). The talent Shack will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest in most of the data collected- we may have to revoke your membership with The Talent Shack until the restriction is lifted. This is due to Health and Safety and Child Safeguarding.
Rights related to automated decision making including profiling
You may contact The Talent Shack at any time in order to object to profiling relating to you and/or your child(ren). The Talent Shack will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt. However, due to our legitimate interest in most of the data collected- we may have to revoke your membership with The talent Shack until the profiling restriction is lifted. This is due to Health and Safety and Child Safeguarding.The Talent Shack has a lawful reason for profiling; Legitimate Interests and consent. None of The talent Shack’s decision making is automated. Profiling is only used in circumstances where a participant may have certain health/disability needs which may prevent them from taking part in classes (as it would be unsafe to do so).
Any and all verbal requests are noted, and then contacted again either via phone or email to verify the request. Verbal requests will be responded to in the time frames mentioned above.
The Talent Shack often use footage/photos used from shows, performances and classes for marketing purposes both in print media and the website. Participants/their Parent and/or Guardians may choose if they do not wish themselves/their child to be depicted.
Some attendees at events may film/take photos for their own personal use (e.g. parents of other participants). Participants/their Parent and/or Guardians may choose if they do not wish themselves/their child to be depicted.
Social Media:
The Talent Shack regularly share photos/videos of students in workshops, events and performances through social media platforms including; Instagram, Facebook, Twitter, Email. These will never be shared with any identifying information (age, location etc.). There may be times where we will share first names, but only with the explicit consent of the parents. All members of staff (PAYE, Freelance and Voluntary) must agree to this Data Protection policy prior to accepting a contract of employment.
Training is supplied as part of management and supervision. It is also included in all induction and training periods.
The Talent Shack is registered as a Data Controller with the Independent Commissioners Office (ICO). The registered Data Protection Officer (DPO) is Director Shelley Barrett ([email protected]).
Complaints:
Complaints in regard to the handling of any personal data can be made directly to The Talent Shack’s DPO: (Shelley Barrett, Director.
Email: [email protected]
Telephone: 07886 020923
Address: The talent Shack, Unit 17, Freemans Parc, Penarth Road, Cardiff, CF11 8EQ
If you feel that your complaint was not handled in the correct manner, or still have concerns, you may escalate the complaint by either contacting The Talent Shack ’s Chair of Trustees (details upon application) or by contacting the Independent Commissioner’s Office (ICO).
ICO Telephone Number: 0303 123 1113
Data Breeches:
If The Talent Shack experiences a data breech of any kind, we have a legal obligation to report this to ICO within 72 hours. The data breech will be reported by the DPO. In the instance they are unavailable to report the breech, the next most senior staff member shall do so. The Talent Shack will also inform all the victims of the data breech as soon as possible if there is a high risk of adversely affecting individuals’ rights and freedoms. The Talent Shack will store and record all data breeches.