The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018.
It has been agreed that Amy & Matt Charles will be appointed as Data Protection Officers (DPO) for Charles Academy of Dance and are therefore responsible for the safe storage of information relating to our students and parents.
This Notice will provide information on how we, Charles Academy of Dance are complying with this Regulation.
Charles Academy of Dance takes the security and use of the information you give us very seriously.
Here is a summary of our data privacy principles in simple language:
- We will collect the information we need from you to get the job done.
- We will use your email and postal address details to provide you will essential paperwork – school newsletters, invoices and other notifications.
- We will use the phone number(s) you provide to contact you when we need to get hold of you urgently.
- We take just as much care over information relating to people under the age of 18.
- We pledge to keep our contact information up to date – and we would ask that you help us by informing us of any changes to your contact information in a timely manner so we can update our records.
- Personal Data is only stored for a limited period, as detailed below, past current use.
- We will take care to protect and secure the information you give us – in electronic format, this means we will back it up and ensure that access is only given to authorised people in the course of School business. In paper format, this means that anyone who is given personal information is also charged with keeping that information safe and returning it to the appropriate person for filing in a secure location.
Purpose and Statement:
Charles Academy of Dance is committed to ensuring the data processed by our company remains safe and secure.
This policy has been written in line with legislative change, including both the Data Protection Act (1998) and the EU’s General Data Protection Regulation (GDPR).
CHARLES ACADEMY OF DANCE has determined the lawful reasons with which it processes personal data:
- Legal obligation – GDPR Article 6(1)(c)
- Legitimate interest – GDPR Article 6(1)(f)
- Contract – GDPR Article 6(1)(b)
There is also some limited data we process with consent from the Data Subject; Consent – GDPR Article 6(1)(a).
While CHARLES ACADEMY OF DANCE avoids sharing data with third parties at most times, some data is shared in accordance with our business practices. The sharing of data with third parties will always be consensual with the data subject and/or their parent/guardian, and only if CHARLES ACADEMY OF DANCE is satisfied that their Data Protection policy is GDPR compliant.
Main aims for the policy:
- Specify the data CHARLES ACADEMY OF DANCE collect, how it is stored/protected and the reason for collecting it
- State how CHARLES ACADEMY OF DANCE use personal data in processing
- Disclose who has access to the data and how long we retain information for
- Explain Data Subject’s rights with CHARLES ACADEMY OF DANCE data including access, rectification and erasure
The GDPR includes the following rights for individuals:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making including profiling
CHARLES ACADEMY OF DANCE is committed to providing fair and understandable privacy policies in relation to personal data.
CHARLES ACADEMY OF DANCE will, at all times, keep data in secure locations (including, but not limited to password protected and access restricted files) and not retain data unnecessarily or past the retention length as set out in this policy.
In the rare instance a data processor that is not a CHARLES ACADEMY OF DANCE employee is used, such as a third party, the data subject will either be asked for consent pre to supplying the data or be notified and have the right to object to processing.
How CHARLES ACADEMY OF DANCE collect personal data
CHARLES ACADEMY OF DANCE customers and participants supply their personal data when signing up for classes through our registration form either via the website, email address, telephone enquiry, Charles Academy Facebook group/page enquiry via Facebook messenger or via paper registration form. This is either completed by a parent/guardian or the child themselves if they are deemed able to do so.
Why CHARLES ACADEMY OF DANCE collect personal data
To attend any of CHARLES ACADEMY OF DANCE’s activities participants/parents/guardians must agree to some processing of their personal data. This is due to Legitimate Interests – GDPR Article 6(1)(f), Legal Obligation GDPR Article 6(1)(c), Contract – Article 6(1)(b) and/or Consent – Article 6(1)(a).
Should CHARLES ACADEMY OF DANCE be unable to process participant’s data, we would be contravening both our Health & Safety and Child Safeguarding policies. We would also be ignoring best practice regarding working with children/vulnerable adults.
Our participants must remain safe at all times therefore information about participants must be collected in order to create registers and accurate student records. This information is also used to provide students with appropriate classes, including dividing students into age groups.
Personal and special category data is only collected with the consent of the data subject. Example data that CHARLES ACADEMY OF DANCE collects includes but is not limited to: Medical/Disability information, Address, Tel.no, Mobile and Email, Gender, Emergency contact details (second contact), Exam pin numbers, Information re. previous dance experience, Doctor’s details, School attended, Information re. Performance experience/grades attended.
As physical activity providers it is essential that this consent is given should a participant have any medical/disability needs. This allows us to incorporate participants safely into classes. Doctor’s details, emergency contact details and information such as address, telephone number, email etc are required not only to be able to keep regular communication about the student’s lessons, exams and events but also to be used in the event of an emergency. Information regarding previous performance experience, dance schools attended, grades achieved allows us to ascertain which would be the best class to attend. Previous pin numbers are required by the exam boards for entry.
Summary of reasons Charles Academy of Dance collect personal data:
- Business Administration.
- Monitoring marketing effectiveness.
- Facilitate a response to queries.
- Pre-entering data to office systems to expedite sign up processes.
- Improving our services and systems, as well as to allow us to provide requested services.
- To improve customer service.
- Information you provide helps us respond to your customer service requests and support needs more efficiently.
- To process payments.
- We may use the information Users provide about themselves when placing an order only to provide service to that order. We do not share this information with outside parties except to the extent necessary to provide the service.
- Marketing: Use of images collected by Charles Academy of Dance with express consent.
- To run a promotion, contest, survey or other Site feature.
- To send Users information they agreed to receive about topics we think will be of interest to them.
- To send emails and newsletters.
What data we collect
Personal data and some special category is collected.
It is essential to our primary function (providing classes to participants) that we are provided, and allowed to process and store the following:
Participant Personal Data:
- Full Name – GDPR Article 6(1)(f)
- Date of Birth – GDPR Article 6(1)(f)
- Home Address – GDPR Article 6(1)(f)
- School/Educational Institution – GDPR Article 6(1)(f)
- Exam results – GDPR Article 6(1)(f)
- Classes attended/Price paid – GDPR Article 6(1)(f)
Participant Special Category Data:
- Medical Information/History – GDPR Article 9 (a)
- Disability Information – GDPR Article 9 (a)
- Ethnicity – GDPR Article 9 (a & j) – further explicate consent sought
- Gender/Sex – GDPR Article 9 (a & j) – further explicate consent sought
- Previous dance experience, grades/exams achieved, exam pin numbers
- Doctor’s details
- Student code of conduct agreement
Parent/Guardian Personal Data:
- Name – GDPR Article 6(1)(f)
- Address – GDPR Article 6(1)(f)
- Email Address – GDPR Article 6(1)(f)
- Mobile Telephone Number – GDPR Article 6(1)(f)
- Work/Home Number – GDPR Article 6(1)(f)
- Emergency Contact Number – GDPR Article 6(1)(f)
Parent/Guardian Special Category Data:
- Concession Type – further explicate consent sought
- Bank Details – further explicate consent sought in the instance of refunds etc.
- Photography/video consent for social media/communication/publicity purposes
- Payment agreement
- Confirmation of receipt of relevant policies to Charles Academy: Health & Safety, Safeguarding, Social Media, Anti-Bullying, Code of Conduct
How data collected is sent internally:
CHARLES ACADEMY OF DANCE transports data with all due diligence. All of our main student/parent data gets stored on a GDPR compliant data-base ‘Dancebiz’ managed by Thinksmart Software, who take their commitment to data protection very seriously.
Our email server – Microsoft Outlook Hotmail is used for email contact as well as Facebook Messenger and Vodaphone Telephone for text communication. All of these methods have controlled, password protected access. Whilst Hotmail are improving all processes to ensure GDPR compliance, we recommend that any highly confidential/ high data loaded emails are sent with the encryption facility added.
Charles Academy staff receive data via our official email, post or through the encrypted mobile app. ‘Signal’ chosen for its security features. This data is only relevant to the classes they teach and they are not permitted to share or retain details for any other purpose than relevant to their teaching. It is necessary to share certain data with staff to ensure the safety and effective teaching of our students.
Storage/Retention of data:
Personal Data stored online or offline is protected by password and encrypted.
Data received through enrolment forms is uploaded manually into our database managed by GDPR compliant ‘Dancebiz’ Thinksmart software. Our database is stored both in encrypted files on office-based hardware and backed up regularly in our encrypted cloud-based server. Access to these files is restricted through password protection and only available to authorised staff members.
Registers and emergency contact lists created from student data are stored in our GDPR compliant Dancebiz software with encrypted files on office-based hardware and backed up regularly in our encrypted cloud-based server. Access to these files is restricted through password protection and only available to authorised staff members. Hard copies of registers and emergency contacts are carried by authorised staff members. They are locked away while not in use. When they are no longer in use or out-dated, they are destroyed.
Our standard retention policy (without the data subject’s right to access, rectification and erasure etc.) is THREE YEARS post final attendance.
Exceptions to our retention policy:
- Financial records are kept for 6 years due to legal obligation
- First Aid records are kept for 21 years due to legal obligation
- Child Safeguarding records are kept indefinitely on a case-by-case basis, the minimum these will stored for is 6 years due to legal obligation
- Bank details are deleted after the action concerning them is complete
Third Parties/Data Processors:
CHARLES ACADEMY OF DANCE does not actively share data with third parties, however there are certain instances where sharing information is crucial to our business processes.
Occasionally CHARLES ACADEMY OF DANCE teachers are freelance staff, we have confidentiality and data processor agreements in place.. Our main teachers are provided with only the data that is pertinent to the running of their specific class.
CHARLES ACADEMY OF DANCE is satisfied that their GDPR regulations are thorough, and the information stored in Dancebiz/Thinksmart Software (email addresses) is secure. We have a processor contract in place, and copies are available upon request.
Child Performance Licensing:
In order to process child performance licences, CHARLES ACADEMY OF DANCE are legally required to provide some personal data to local councils (including but not limited to: full name, date of birth and school details). This is an optional consent, which will be sought at the time of sending participation consent forms. CHARLES ACADEMY OF DANCE is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.
Child Safeguarding Concerns:
In the unlikely event CHARLES ACADEMY OF DANCE has a safeguarding concern in relation to one of its participants, CHARLES ACADEMY OF DANCE are legally required to provide data to the safeguarding board at the local council. CHARLES ACADEMY OF DANCE is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.
CHARLES ACADEMY OF DANCE may occasionally produce running orders, student listings, letters and programmes for specific events. The name of a child plus their class/dances may also be included. This could include dance festivals, showcases and other events where the listings are essential for the children to know which groupings / changing rooms / dance order they are in.
In order to enter examinations, CHARLES ACADEMY OF DANCE must provide some personal data to examination boards (currently CHARLES ACADEMY OF DANCE work with: RAD, ISTD, IDTA). This sharing of data is to be consented to by the data subject and/or parent/guardian upon being entered for the exam.
Show videographer, photographer, exam music operator or pianist, website designer, technical show staff, chaperones, costume fitter may at times require specific data. This will only be provided based on what is pertinent for them to achieve their role.
Rights of the data subject and CHARLES ACADEMY OF DANCE compliance with responses:
Any data subject with personal data stored within CHARLES ACADEMY OF DANCE is entitled to the rights of:
You may contact CHARLES ACADEMY OF DANCE at any time to access all data held relating to you and/or your child(ren). CHARLES ACADEMY OF DANCE will ensure that we respond to a subject access request without undue delay and within one month of receipt. If the information request will also include data regarding others, CHARLES ACADEMY OF DANCE has the right to refuse the request or take steps in order to obtain consent from other involved parties. The right of access does not apply to CHARLES ACADEMY OF DANCE’s legal obligations such as Child Safeguarding records.
You may contact CHARLES ACADEMY OF DANCE at any time in order to rectify data held relating to you and/or your child(ren). CHARLES ACADEMY OF DANCE will ensure that we respond to a rectification request without undue delay and within one month of receipt.
The right to rectification does not apply to CHARLES ACADEMY OF DANCE’s legal obligations such as payment record information.
You may contact CHARLES ACADEMY OF DANCE at any time in order to erase data held relating to you and/or your child(ren). CHARLES ACADEMY OF DANCE will ensure that we respond to an erasure request without undue delay and within one month of receipt. Should the right to withdraw consent relate to use of images please include as much information & URL Links as possible in order to help with the request. The right to erasure does not apply to CHARLES ACADEMY OF DANCE’s legal obligations such as First Aid records.
- Restrict Processing
You may contact CHARLES ACADEMY OF DANCE at any time in order to restrict the data we process relating to you and/or your child(ren). CHARLES ACADEMY OF DANCE will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt. However, due to our legitimate interest in most of the data collected- we may have to revoke your membership with CHARLES ACADEMY OF DANCE until the restriction is lifted. This is due to Health and Safety and Child Safeguarding.
- Data Portability
You may contact CHARLES ACADEMY OF DANCE at any time in order to obtain the data we process relating to you and/or your child(ren) and reuse it across different services. CHARLES ACADEMY OF DANCE will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt. Please note, this does not apply to CHARLES ACADEMY OF DANCE’s legal obligations.
You may contact CHARLES ACADEMY OF DANCE at any time in order to object to the processing of data relating to you and/or your child(ren). CHARLES ACADEMY OF DANCE will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt. However, due to our legitimate interest in most of the data collected- we may have to revoke your membership with CHARLES ACADEMY OF DANCE until the restriction is lifted. This is due to Health and Safety and Child Safeguarding.
- Rights related to automated decision making including profiling
You may contact CHARLES ACADEMY OF DANCE at any time in order to object to profiling relating to you and/or your child(ren). CHARLES ACADEMY OF DANCE will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest in most of the data collected- we may have to revoke your membership with CHARLES ACADEMY OF DANCE until the profiling restriction is lifted. This is due to Health and Safety and Child Safeguarding. CHARLES ACADEMY OF DANCE has a lawful reason for profiling; Legitimate Interests and consent.
None of CHARLES ACADEMY OF DANCE’s decision making is automated. Profiling is only used in circumstances where a participant may have certain health/disability needs which may prevent them from taking part in classes (as it would be unsafe to do so).
Any and all verbal requests are noted, and then contacted again either via phone or email to verify the request. Verbal requests will be responded to in the time frames mentioned above.
Photos/Videos of Participants:
CHARLES ACADEMY OF DANCE often use footage/photos used from shows, performances and classes for marketing purposes both in print media and the website. As already included in our registration form, signed on enrolment, participants/their Parent and/or Guardians may choose if they do not wish themselves/their child to be depicted.
CHARLES ACADEMY OF DANCE regularly share student success stories via photos/videos of students in workshops, events and performances through social media platforms including; Instagram, Facebook, Email. We have a Charles Academy private Facebook group that can be joined on enrolment to our school and a Charles Academy Facebook and Instagram page for information, communication advertising purposes. Students and parents are required to read our Social Media Policy.
Training and Data Protection in Practise:
All members of staff (PAYE, Freelance and Voluntary) must agree to this Data Protection policy prior to accepting a contract of employment. Training is supplied as part of management and supervision. It is also included in all induction and training periods.
CHARLES ACADEMY OF DANCE is registered as a Data Controller with the Independent Commissioners Office (ICO). Amy Charles has completed the course ‘An Introduction to the General Data Protection’ by EduCare.
Complaints and Data Breeches:
Complaints in regard to the handling of any personal data can be made directly to CHARLES ACADEMY OF DANCE’s DPO.
Address: 2 Sanson Close, Stoke Canon, Exeter, Devon, EX5 4AQ
ICO Telephone Number: 0303 123 1113
If CHARLES ACADEMY OF DANCE experiences a data breech of any kind, we have a legal obligation to report this to ICO within 72 hours. The data breech will be reported by the DPO. In the instance they are unavailable to report the breech, the next most senior staff member shall do so.
CHARLES ACADEMY OF DANCE will also inform all the victims of the data breech as soon as possible if there is a high risk of adversely affecting individuals’ rights and freedoms.
CHARLES ACADEMY OF DANCE will store and record all data breeches.