Elev8 Dance Academy (part of Classes with Kat) Privacy Policy (Updated August 2020)

Elev8 Dance Academy Privacy Policy

Introduction

As a small business (run by a sole trader) it is necessary for us to collect, store and process personal data about customers, teachers, chaperones, and other third parties who we engage to provide services for us or do business with. With the introduction of the General Data Protection Regulation 2016 (GDPR), the way personal data is kept and used by businesses has come under much greater scrutiny. This policy is therefore very important as it sets out how we will process personal data we collect from, or that is provided by, data subjects and others on their behalf. This policy will help all of us comply with our legal obligations and enable individuals about whom we hold data to have confidence in us. It is important that you take the time to read the policy carefully.

Data Protection Contact

The person designated as ‘Data Protection Contact’ is Kat Hendy, owner of Classes with Kat and Principal of Elev8 Dance Academy. Any questions regarding the policy should be referred to this person.

What do terms used in the policy mean?

Data Subject: means a living individual about whom we hold personal data.

Personal Data: means data relating to a data subject who can be identified (directly or indirectly) from that data (or from that data and other information in our possession or available to us). Personal data can be factual (e.g. a name, address or date of birth) or it can be an opinion about that data subject, their actions and behaviour. It can also include an identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic (e.g. DNA or RNA), mental, economic, cultural or social identity of that individual.

Data Controller: is a term used to describe the people who, or organisations which, determine the purpose and manner for which any personal data is processed. Kat Hendy, on behalf of Classes with Kat and Elev8 Dance Academy, is a data controller of all personal data used in the business for her own commercial purposes.

Data users: are the Academy’s Teachers, Assistants, suppliers and other persons connected with the business whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures.

Data processors: are any person or organisation that processes personal data on the Academy’s behalf, or on Kat Hendy’s instructions. Teachers are data processors. Kat Hendy is both a data controller and a data processor.

Processing: is a term that describes what we do with the data, such as collection, recording, organisation, storage, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction, or restriction. Processing can also include transferring (or disclosing) personal data to third parties where necessary.

Special categories of personal data: is a term used to describe sensitive personal data such as information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, genetic data and biometric data where processed to uniquely identify a person, or information about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict instructions.

Responsibility for data protection

A data controller is responsible for establishing practices and policies in line with the GDPR and any other laws governing data protection. It is important that Elev8 Dance Academy demonstrates compliance by:

- Implementing processes and policies that enable the Academy to comply with data protection laws, such as not collecting more data than we need, providing comprehensive, clear and transparent privacy notices, and creating and improving security features on an ongoing basis;
- Undertaking data protection impact assessments, where appropriate, when using new technologies where the processing is likely to result in high risk to the rights and freedoms of data subjects;
- Undertaking periodic in-house audits of personal data held by the Academy; and
- Training Teachers, Assistants and appropriate connected persons.

How should personal data be processed?

Any personal data that the Academy processes must:

- Be processed fairly, lawfully and in a transparent manner;
- Be processed ONLY for specified, explicit and legitimate purposes;
- Be relevant and limited to what is necessary to collect and process;
- Be accurate and kept up to date, ensuring, where reasonably possible, that inaccurate personal data is erased or rectified without delay;
- Not be kept for any longer than is necessary to fulfil the purpose(s) for which it was collected; and
- Be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using the appropriate technical or organisational measures.

Lawfulness, fairness and transparency

The GDPR is not intended to prevent the processing of personal data; rather, the GDPR aims to ensure that it is done lawfully, minimising any adverse effect on the rights of the data subject. For personal data to be processed lawfully, it must be processed for one of the specific reasons set out in the GDPR. The following are some of the reasons provided by the GDPR which the Academy will rely on as a business to process personal data. Processing is necessary:

- For the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
- For compliance with a legal obligation to which the Academy is subject; and/or
- For the purposes of our legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In addition to the legal reasons set out above, we can also process a data subject’s personal data where they have given consent to the processing for one or more specified purposes, provided that the consent is a freely given, specific, informed and unambiguous indication of the data subject’s wishes. A data subject will have the right to withdraw any consent given.

For special categories of personal data to be processed lawfully, there are additional conditions which must be met, in addition to satisfying one of the above reasons for processing personal data. Sensitive personal data must also be processed in accordance with one of the following legal grounds set out in the GDPR:

- The data subject has given explicit consent to the processing of that personal data for one or more specified purposes;
- The processing is necessary for carrying out obligations under employment law, social security or social protection law, or a collective agreement;
- The processing relates to personal data which has been made public by the data subject;
- The processing is necessary for establishing or defending legal claims; and/or
- The processing is necessary for reasons of substantial public interest, in accordance with UK or EU law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

Elev8 Dance Academy Data Record

Kat Hendy will maintain a record of what personal data has been collected. As a business the Academy will only process personal data for the specific purposes set out in this document or for other purposes specifically permitted by the GDPR. Kat Hendy will notify those purposes to the data subject when we first collect the data or as soon as possible thereafter. The Academy will only process personal data to the extent required for the purposes notified to the data subject. This means that the Academy will not ask for, or record on systems, more personal data than we need. Personal data that we no longer need will be erased/destroyed.

Kat Hendy is responsible for ensuring that any personal data held is accurate and up to date. She will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Kat Hendy will take all reasonable steps to erase/destroy or amend inaccurate or out-of-date data without undue delay, and in any event within one month of the data subject’s request.

Keeping personal data secure

When the Academy processes personal data Kat Hendy will do her best to ensure that it remains secure and is protected against unauthorised or unlawful processing and accidental loss, destruction or damage. This should be done by:

- Taking steps to encrypt personal data where possible and appropriate;
- Ensuring ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data;
- Ensuring restoration of, and access to, personal data in a timely manner in the event of a physical or technical incident; and
- Facilitating regular testing, assessing and evaluating of technical measures for ensuring the security of the processing.

In assessing the appropriate level of security, it is the responsibility of Kat Hendy to take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Desks and cupboards will be kept locked if they hold personal data, or confidential information of any kind. Data users must ensure that individual monitors do not show personal data or confidential information to passers-by and that they log off from their PC/Laptop/Mac when it is left unattended.

Whenever Kat or a Teacher transfers personal data or confidential information outside their own systems or offices (for example when student information is transported between Kat’s home office and the Academy venue), there is a risk that the personal data or confidential information may be lost, misappropriated or accidentally released. Kat will take steps to minimise the risk of theft, loss, destruction, damage or unauthorised use of personal data or other confidential information. Such steps include:

- Taking only the personal data needed, ensuring that it is anonymised where possible and kept secure;
- Ensuring that bags or cases containing paper records are not left visible in a vehicle or left unattended for longer than is necessary. If it is unavoidable to leave paper records in a vehicle (e.g. whilst filling up with petrol) they must be kept locked in the boot of the vehicle;
- Ensuring that paper records are not carried ‘loosely’ but instead kept in a file or folder;
- Express permission must be given by Kat before any team member (Teacher) takes personal data offsite. It must also be brought back at the earliest opportunity.

Personal Data Breach

A personal data breach may not be evident straight away. However, there may be indicators of a personal data breach, system compromise, unauthorised activity, or signs of misuse. A personal data breach can happen in many ways, including:

- loss of a mobile device or hard copy file which contains personal data (e.g. leaving it on a train);
- theft of a mobile device or hard copy file which contains personal data (e.g. stolen from a car or a house);
- human error (e.g. an administrator sending an email containing personal data to the wrong person, or the accidental alteration or deletion of personal data);
- cyber-attack (e.g. opening an attachment to an email from an unknown third party which contains ransomware);
- inappropriate security permissions allowing unauthorised use (e.g. allowing an unauthorised third party to access secure areas of the setting);
- excessive or unusual log-in and system activity, in particular from any active user accounts;
- unusual remote access activity;
- the presence of any spoof wireless (Wi-Fi) networks visible or accessible from our environment;
- equipment failure;
- hardware or software keyloggers found connected to or installed on our systems;
- unforeseen circumstances such as a fire or flood; or
- ‘blagging’ offences where information is obtained from the Academy by a third party deceiving them.

Erasing or destroying personal data

Paper records that contain personal data must be shredded and disposed of securely. Paper records containing personal data must not be disposed of in any other way.

For electronically stored data, there is a significant difference between deleting personal data irretrievably, archiving it in a structured, retrievable manner, or retaining it as random data in an unemptied electronic wastebasket. Personal data that is archived, for example, is subject to the same data protection rules as ‘live’ personal data. When deleting electronic data, all possible steps will be taken to put the data in question beyond use. Where it is impossible to delete data from the electronic ether altogether, personal data will only be deemed to be deleted if we have no intention of using or accessing the personal data again.

Transferring personal data outside the EEA

There should be no need to transfer personal data outside the European Economic Area (EEA).

Transferring data to third parties

If the Academy needs to use third parties to process personal data on its behalf, these providers must be approved and fully vetted by Kat Hendy. She will request all approved third parties to provide her with sufficient guarantees that they have appropriate technical and organisational measures to comply with the GDPR and ensure the protection of the rights of the data subjects.

Notifying data subjects

As a data controller Kat Hendy is required to provide information to data subjects about the personal data collected about them on request. This can be:

- the purpose and the legal basis for processing their personal data;
- whether the collected personal data will be disclosed to any third parties;
- whether the personal data will be transferred to any other country and, if so, what safeguards will be put in place;
- how long she will process the personal data for or, if that is not possible, the criteria we will use to determine that period;
- how the data subject can obtain a copy of the personal data held about them;
- details of their rights, including how to make a complaint;
- if the personal data has to be provided to comply with a law or a contract, the possible consequences of failing to provide the data;
- the existence and details of any automated decision making.

If she has received personal data about a data subject from other sources, she will also provide the data subject with the following information:

- the type of personal data she has received; and
- the source of the data and whether it came from a publicly accessible source (e.g. a website).

Rights of data subjects

If Kat Hendy/the Academy process personal data, the data subjects will have the right to:

- request access to any data we hold about them;
- have any inaccurate personal data about them corrected and incomplete personal data completed;
- object to us processing their personal data for the Academy’s legitimate interests. She can refuse this request if our legitimate interests outweigh those of the data subject or if she needs to continue processing for the establishment or defence of legal claims;
- ask her to destroy personal data about them. She can refuse this request if the personal data is still necessary in relation to the purposes for which it was being processed and there is a legal ground for us to continue processing;
- ask her to restrict processing of their personal data to merely storing it. This can only be requested if the accuracy of personal data has been contested and this is being verified, or if she no longer requires the personal data but the data subject needs it to establish or defend a legal claim, or if the data subject has objected to the processing of personal data and she is deciding whether our legitimate interests override theirs, or if her processing is unlawful.

If a data subject exercises these rights and Kat Hendy has disclosed the personal data in question to a third party, she will do her best to ensure that the third party complies with the wishes of the data subject.

Subject access requests

Data subjects who wish to request information that is held about them must do so in writing. Anyone else requesting information (whether in paper form or in an email or other electronic format) will be thoroughly vetted by Kat Hendy to determine whether the request is legitimate and legal.

Personal data breach response plan

In the event of a personal data breach, Kat Hendy and Elev8 Dance Academy will take quick action to stop the breach from continuing and, in certain circumstances, must report the breach within 72 hours of it occurring. Therefore, where a personal data breach occurs, or there is uncertainty as to whether a personal data breach has occurred, whether caused by Kat Hendy or someone else, she will:

- investigate the personal data breach to determine the nature and cause of the breach and the extent of the damage or harm that could result from it;
- implement the necessary steps to stop the data breach from continuing or recurring and limit the harm to data subjects as a result of the breach;
- assess whether there is an obligation to notify other parties, in particular the Information Commissioner’s Office (ICO) and the affected data subjects and, if so, make those notifications. If a notification to the ICO is required, this will normally need to be done within 72 hours of becoming aware of the personal data breach and therefore it is essential that it is reported immediately;
- record the personal data breach and the steps taken.

Elev8 Dance Academy (part of Classes with Kat) General Data Protection Policy Declaration

Team Members: I can confirm that I have read and understood the General Data Protection Policy.

Name________________________________________________Sign___________________ Date__________________________________
Name________________________________________________Sign___________________ Date__________________________________
Name________________________________________________Sign___________________ Date__________________________________
Name________________________________________________Sign___________________ Date__________________________________