Studio Privacy Policy

Private policy.

Apr 18, 2024 06:24 PM

Private Policy

Purpose and Statement:
One School of Performing Arts (OSPA) is committed to ensuring the data processed by our school remains safe and secure.

This policy has been written in line with legislative change, including both the Data Protection Act (1998) and the EU’s General Data Protection Regulation (GDPR).

OSPA has determined the lawful reasons with which it processes personal data:
• Legal obligation – GDPR Article 6(1)(c)
• Legitimate interest – GDPR Article 6(1)(f)
• Contract - GDPR Article 6(1)(b)

There is also some limited data we process with consent from the Data Subject; Consent – GDPR Article 6(1)(a).

While OSPA avoids sharing data with third parties at most times, some data is shared in accordance with our business practices. The sharing of data with third parties will always be consensual with the data subject and/or their parent/guardian, and only if OSPA is satisfied that their Data Protection policy is GDPR compliant.

Main Aims for the policy:
- Specify the data OSPA collect, how it is stored/protected and the reason for collecting it
- State how OSPA use personal data in processing
- Disclose who has access to the data and how long we retain information for
- Explain Data Subject’s rights with OSPA data including access, rectification and erasure

The following policy is based on the below principles:
The GDPR includes the following rights for individuals:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making including profiling

General Principles
OSPA is committed to providing fair and understandable privacy policies in relation to personal data.
OSPA will, at all times, keep data in secure locations (including, but not limited to, encrypted and access restricted files) and not retain data unnecessarily or past the retention length as set out in this policy.
In the rare instance a data processor that is not an OSPA employee is used, such as a third party, the data subject will either be asked for consent pre to supplying the data or be notified and have the right to object to processing.

Participants and Customers

How OSPA collect personal data:
OSPA customers and participants supply their personal data when signing up for classes through our registration form either via the website portal.
This is either completed by a parent/guardian or the child themselves if they deemed able to do so.
Personal data may also come to us unsolicited via enquiries through our website and to our generic email account or phones.

Why OSPA collect personal data:
To attend any of OSPA’s activities participants/parents/guardians must agree to some processing of their personal data. This is due to Legitimate Interests – GDPR Article 6(1)(f), Legal Obligation GDPR Article 6(1)(c), Contract - Article 6(1)(b) and/or Consent - Article 6(1)(a).

Should OSPA be unable to process participant’s data, we would be contravening both our Health & Safety and Child Safeguarding policies. We would also be ignoring best practice regarding working with children/vulnerable adults.

Our participants must remain safe at all times, therefore information about participants must be collected in order to create registers and accurate student records. This information is also used to provide students with appropriate classes, including dividing students into age groups.

Special category data is only collected with the consent of the data subject. Special category data OSPA collects includes but is not limited to: Medical/Disability information, Income information, Ethnicity, Gender.

As physical activity providers it is essential that this consent is given should a participant have any medical/disability needs. This allows us to incorporate participants safely into classes and events. It is also used in assessing if we can incorporate participants safely into classes/events.

Income information is only collected in instances where a participant applies to attend our classes/events at a concessionary price, or on a bursary. This financial support is means tested, and therefore is subject to documented proof.

Ethnicity and other sensitive data is to provide information to bodies for statistical purposes.

What data we collect:
Personal data and some special category is collected.
It is essential to our primary function (providing classes to participants) that we are provided, and allowed to process and store the following:
Participant Personal Data:
- Full Name - GDPR Article 6(1)(f)
- Date of Birth - GDPR Article 6(1)(f)
- Home Address - GDPR Article 6(1)(f)
- Sex/Gender - GDPR Article 6(1)(f)
- Permission to go home alone - GDPR Article 6(1)(f)
- School/Educational Institution - GDPR Article 6(1)(f)
- Exam results (vocational exams taken through SSS only) - GDPR Article 6(1)(f)
- Classes attended/Price paid - GDPR Article 6(1)(f)
Participant Special Category Data:
- Medical Information/History – GDPR Article 9 (a)
- Disability Information - GDPR Article 9 (a)
- Ethnicity – GDPR Article 9 (a & j) – further explicate consent sought
- Gender/Sex – GDPR Article 9 (a & j) – further explicate consent sought
Parent/Guardian Personal Data:
- Name - GDPR Article 6(1)(f)
- Address - GDPR Article 6(1)(f)
- Email Address - GDPR Article 6(1)(f)
- Mobile Telephone Number - GDPR Article 6(1)(f)
- Work/Home Number - GDPR Article 6(1)(f)
- Emergency Contact Number - GDPR Article 6(1)(f)
Parent/Guardian Special Category Data:
- Concession Type – further explicate consent sought
- Documented proof of financial need – further explicate consent sought
- Bank Details – further explicate consent sought in the instance of refunds etc.

How data collected is sent internally:
OSPA transports data with all due diligence.

Enrolment forms are sent to OSPA through an encrypted server directly from our portal which has controlled access.

Storage/Retention of data:
Data received through enrolment forms is uploaded into our database software. Our database is stored both in encrypted files on office-based hardware and backed up regularly in our encrypted cloud-based server. Access to these files is restricted through password protection and only available to authorised staff members.

Registers and emergency contact lists created from student data are stored in encrypted files on office-based hardware and backed up regularly in our encrypted cloud-based server. Access to these files is restricted through password protection and only available to authorised staff members.
Hard copies of registers and emergency contacts are carried by authorised staff members when access to online encrypted and password protected files are not available. When they are no longer in use or out-dated, they are destroyed thoroughly. We avoid the use of paper use for data where possible.

Waiting lists are stored on an encrypted cloud-based server.

Our standard retention policy (without the data subject’s right to access, rectification and erasure etc.) is THREE YEARS post final attendance.
Exceptions to our retention policy:
- Financial records are kept for 6 years due to legal obligation
- First Aid records are kept for 21 years due to legal obligation
- Child Safeguarding records are kept indefinitely on a case-by-case basis, the minimum these will stored for is 6 years due to legal obligation
- Bank details are deleted after the action concerning them is complete
- Unsolicited enquiries that do not turn into bookings with current classes are deleted after they have been dealt with.
- Image/Video rights are kept indefinitely, unless asked by the student or carer to be erased.

Third Parties/Data Processors:
OSPA does not actively share data with third parties, however there are certain instances where sharing information is crucial to our business processes.

Freelance Teachers:
As many of OSPA teachers are freelance staff, we have confidentiality and data processor agreements in place. Teachers will never be provided with personal details aside from participant’s names, ages, date of birth, examination results, phone numbers of carer and any medical information that is pertinent to the running of a class (subject to consent from the data subject)

MailChimp:
OSPA uses a USA based company ‘MailChimp’ to provide newsletters and marketing via email. This is an optional process, which people consent to during enrolment or sign-up directly through our website. Data Subjects can opt-out and erase/rectify their record stored with MailChimp at any time.
SSS is satisfied that their GDPR regulations are thorough, and the information stored in MailChimp (email addresses) is secure. We have a processor contract in place, and copies are available upon request.

Dance Studio Pro:
OSPA uses a USA based company ‘Dance Studio Pro’ for enrolment, and as the platform to house class, event and student informaiton. People consent to Dance Studio Pro storing their details during enrolment or sign-up directly through our website. Data Subjects can opt-out and erase/rectify their record stored with Dance Studio Pro at any time.
OSPA is satisfied that their GDPR regulations are thorough, and the information stored in Dance Studio Pro is secure.

Child Performance Licensing:
In order to process child performance licences, OSPA are legally required to provide some personal data to local councils (including but not limited to: full name, date of birth and school details). This is an optional consent, which will be sought at the time of sending participation consent forms.
OSPA is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

Child Safeguarding Concerns:
In the unlikely event OSPA has a safeguarding concern in relation to one of our participants, OSPA are legally required to provide data to the safeguarding board at the local council.
OSPA is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

Event Programmes:
OSPA may occasionally produce programmes for events. These will only ever contain the first name and last name of the performer. The name of a child’s class may also be included. Participants/their Parent and/or Guardians may choose if they want to be included in the programme when they agree to participate at an event.

Examination Entry:
In order to enter examinations, OSPA must provide some personal data to examination boards (currently OSPA work with: IDTA & ABRSM). This sharing of data is to be consented to by the data subject and/or parent/guardian upon being entered for the exam. The data is including but not limited to: full name, date of birth, ethnicity and previous examinations.

Schools:
OSPA must sometimes share personal data with schools (names, DOB and payment information) when taking part in an internal class in order for them to check persons attending. This also helps the school work out OSPA’s payment in terms of renting space.
OSPA is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

Incident Reports:
Serious incidents will be noted in the first aid log, & also in a full incident report. These are normally requirements of insurance and helps should a claim ever be brought.
In the event of a serious incident, we will report it to our insurance provider immediately so that they are aware. You/we may also need to report it to RIDDOR.

We have to store incident reports for 21 years minimum withe below information:
Student details should include:
i. surname
ii. forename(s)
iii. date of birth
iv. permanent address, including post code
v. physical/medical conditions you should be aware of

Rights of the data subject and OSPA compliance with responses:
Any data subject with personal data stored within OSPA is entitled to the rights of:
- Access
You may contact OSPA at any time to access all data held relating to you and/or your child(ren). OSPA will ensure that we respond to a subject access request without undue delay and within one month of receipt. If the information request will also include data regarding others, OSPA has the right to refuse the request or take steps in order to obtain consent from other involved parties.
The right of access does not apply to OSPA’s legal obligations such as Child Safeguarding records.
- Rectification
You may contact OSPA at any time in order to rectify data held relating to you and/or your child(ren). OSPA will ensure that we respond to a rectification request without undue delay and within one month of receipt.
The right to rectification does not apply to OSPA’s legal obligations such as payment record information.
- Erasure
You may contact OSPA at any time in order to erase data held relating to you and/or your child(ren). OSPA will ensure that we respond to an erasure request without undue delay and within one month of receipt.
The right to erasure does not apply to OSPA’s legal obligations such as First Aid records.
- Restrict Processing
You may contact OSPA at any time in order to restrict the data we process relating to you and/or your child(ren). OSPA will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest in most of the data collected- we may have to revoke your membership with OSPA until the restriction is lifted. This is due to Health and Safety and Child Safeguarding.
- Data Portability
You may contact OSPA at any time in order to obtain the data we process relating to you and/or your child(ren) and reuse it across different services. OSPA will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
Please note, this does not apply to OSPA’s legal obligations.
- Objection
You may contact OSPA at any time in order to object to the processing of data relating to you and/or your child(ren). OSPA will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest in most of the data collected- we may have to revoke your membership with OSPA until the restriction is lifted. This is due to Health and Safety and Child Safeguarding.
- Rights related to automated decision making including profiling
You may contact OSPA at any time in order to object to profiling relating to you and/or your child(ren). OSPA will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest in most of the data collected- we may have to revoke your membership with OSPA until the profiling restriction is lifted. This is due to Health and Safety and Child Safeguarding.
OSPA has a lawful reason for profiling; Legitimate Interests and consent.
None of OSPA’s decision making is automated. Profiling is only used in circumstances where a participant may have certain health/disability needs which may prevent them from taking part in classes (as it would be unsafe to do so).

Any and all verbal requests are noted, and then contacted again either via phone or email to verify the request. Verbal requests will be responded to in the time frames mentioned above.

Photos/Videos of Participants

OSPA often use footage/photos used from shows, performances and classes for marketing purposes both in print media and the website. Participants/their Parent and/or Guardians may choose if they do not wish themselves/their child to be depicted.

Some attendees at events may film/take photos for their own personal use (e.g. parents of other participants). Participants/their Parent and/or Guardians may choose if they do not wish themselves/their child to be depicted.

Social Media:
OSPA regularly share photos/videos of students in workshops, events and performances through social media platforms including; Instagram, Facebook, Twitter, Email There may be times where we will share first names, but only with the explicit consent of the parents.

References:
In order to supply references for staff members, some personal data must be divulged. This will only be done with the data subject’s consent, as OSPA may not be fully aware of the recipients GDPR policies.
Child Performance Licensing:
In order to process child performance licences, OSPA are legally required to provide some staff’s personal data to local councils (including but not limited to: full name and DBS details).
OSPA is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

Child Safeguarding Concerns:
In the unlikely event OSPA has a safeguarding concern in relation to one of participants and/or staff members, OSPA are legally required to provide data to the safeguarding board at the local council and the Disclosure and Barring service.
OSPA is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

Website Biography:
OSPA’s website includes staff biographies, these are available for public viewing. Consent it sought before any/all staff profiles are added to the website.
Rights of the data subject and OSPA compliance with responses:
Any data subject with personal data stored within OSPA is entitled to the rights of:
- Access
You may contact OSPA at any time to access all data held relating to you. OSPA will ensure that we respond to a subject access request without undue delay and within one month of receipt. If the information request will also include data regarding others, OSPA has the right to refuse the request or take steps in order to obtain consent from other involved parties.
The right of access does not apply to OSPA’s legal obligations such as confidential Child Safeguarding records.
- Rectification
You may contact OSPA at any time in order to rectify data held relating to you. OSPA will ensure that we respond to a rectification request without undue delay and within one month of receipt.
The right to rectification does not apply to OSPA’s legal obligations such as payment record information.
- Erasure
You may contact OSPA at any time in order to erase data held relating to you. OSPA will ensure that we respond to an erasure request without undue delay and within one month of receipt.
The right to erasure does not apply to OSPA’s legal obligations such as First Aid records.
- Restrict Processing
You may contact OSPA at any time in order to restrict the data we process relating to you. OSPA will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest and legal obligations in most of the data collected- we may not be able to restrict processing.
- Data Portability
You may contact OSPA at any time in order to obtain the data we process relating to you and reuse it across different services. OSPA will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
Please note, this does not apply to OSPA’s legal obligations.
- Objection
You may contact OSPA at any time in order to object to the processing of data relating to you. OSPA will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest and legal obligations in most of the data collected- we may not be able to accept your objection.
- Rights related to automated decision making including profiling
You may contact OSPA at any time in order to object to profiling relating to you. OSPA will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
Please note, this does not apply to OSPA’s legal obligations.
OSPA has a lawful reason for profiling; Legitimate Interests and consent.
None of OSPA’s decision making is automated. Profiling is only used in circumstances where a staff member has a criminal conviction.

Any and all verbal requests are noted, and then contacted again either via phone or email to verify the request. Verbal requests will be responded to in the time frames mentioned above.

Complaints and Data Breeches

Complaints:
Complaints in regard to the handling of any personal data can be made directly to OSPA’s DPO: Danielle Looker, Principal.
Email: info@ospa-academy.co.uk
Telephone: 07746423699

If you feel that your complaint was not handled in the correct manner, or still have concerns, you may escalate the complaint by contacting the Independent Commissioner’s Office (ICO).
ICO Telephone Number: 0303 123 1113

Data Breeches:
If OSPA experiences a data breech of any kind, we have a legal obligation to report this to ICO within 72 hours. The data breech will be reported by the DPO. In the instance they are unavailable to report the breech, the next most senior staff member shall do so.

OSPA will also inform all the victims of the data breech as soon as possible if there is a high risk of adversely affecting individuals’ rights and freedoms.

OSPA will store and record all data breeches.