Data Protection Policy


Aug 11, 2022 03:49 AM



Purpose and Statement:
Spencer Stage School (“SSS”) is committed to ensuring all information relating to individuals (“personal data”) is processed lawfully and fairly in accordance with legislation set out in the Data Protection Act 1998 (“DPA 1998”) and the EU’s General Data Protection Regulation (“GDPR”).

SSS has determined the lawful reasons with which it processes personal data relating to individuals:
Legal obligation – GDPR Article 6(1)(c)
Legitimate interest – GDPR Article 6(1)(f)
Contract - GDPR Article 6(1)(b)

SSS may also seek consent from individuals to process personal data for one or more specific purposes under GDPR Article 6(1)(a).

The sharing of personal data processed by SSS with third parties will only occur with consent of the individual, and only if SSS is satisfied that the third party’s Data Protection policy is GDPR compliant.

Main aims of the Data protection policy:

Specify the personal data SSS collects, how it is processed and the reason for collecting it.
Disclose who has access to any personal data processed by SSS and how long SSS retains the personal data.
Explain an individual’s rights in relation to their personal data processed by SSS.


Distribution of the Data Protection policy:

The Data Protection policy will be displayed on the SSS website.
The Data Protection policy will be sent directly to any individual on request.
Recipients of a copy of the Data Protection policy will be asked to confirm receipt in writing. Written confirmation will be held on file by SSS.

Review and monitoring of the Data Protection policy:
The policy will be reviewed annually and/or in instances of legislative change.
Monitoring is part of management and supervision.

The Data Protection policy is based on the principles relating to processing of personal data as set out in Article 5 GDPR. The GDPR provides the following rights for individuals in relation to their personal data:

the right to be informed
the right of access
the right to rectification
the right to erasure
the right to restrict processing
the right to data portability
the right to object
the right not to be subject to automated decision-making including profiling

General Principles

SSS is committed to providing fair and understandable Data Protection policies in relation to personal data.
SSS will, at all times, keep personal data in secure locations (including, but not limited to, encrypted and access-restricted files) and not retain personal data unnecessarily or past the retention period as set out in this policy.
In the rare instance personal data collected by SSS is processed by a third party, the individual data subject will either be asked for consent before the data is supplied to the third party or notified of their right to object.

Students, parents and/or guardians

How SSS collects personal data:
SSS students and/or parents or guardians supply their personal data when signing up for classes either by completing our registration form or via the SSS online portal. Personal data may also come to SSS unsolicited via enquiries through our website and to our business email or telephone number.

Why SSS processes personal data:
To attend any of SSS’s activities students and/or parents or guardians must agree to some processing of their personal data. This is due to Legitimate Interests – GDPR Article 6(1)(f), Legal Obligation – GDPR Article 6(1)(c), Contract – Article 6(1)(b) and/or Consent – Article 6(1)(a). Should SSS be unable to process students’ personal data, we would be contravening both our Health & Safety and Child Safeguarding policies. We would also be ignoring best practice regarding working with children/vulnerable adults. Our students must always remain safe, therefore personal data must be collected to create registers and accurate student records. This information is also used to provide students with appropriate classes, including dividing students into age groups.

SSS will only process special category data (as defined in Article 9 GDPR) with explicit consent of the individual. Special category data SSS collects includes but is not limited to medical/disability information, income information, ethnicity or gender.

As physical activity providers it is essential that SSS obtains information about a student’s medical/disability needs. This allows us to incorporate students safely into classes and events. Income information is only collected in circumstances where a student applies to attend SSS classes/events at a concessionary price, or on a bursary. This financial support is means tested, and therefore is subject to documented proof. Ethnicity and other sensitive data are processed to provide information to third parties for statistical purposes only.

Personal and special category data processed by SSS
It is essential to SSS’s primary function (providing classes to students) that we are provided, and allowed to process and store the following personal and special category data:

Student personal data:
Full name - GDPR Article 6(1)(f)
Date of birth - GDPR Article 6(1)(f)
Home address - GDPR Article 6(1)(f)
Sex - GDPR Article 6(1)(f)
Permission to go home alone - GDPR Article 6(1)(f)
School/educational Institution - GDPR Article 6(1)(f)
Exam results (vocational exams taken through SSS only) - GDPR Article 6(1)(f)
Classes attended/price paid - GDPR Article 6(1)(f)
Student special category data (subject to explicit consent):
Medical information/history – GDPR Article 9 (a)
Disability information - GDPR Article 9 (a)
Ethnicity – GDPR Article 9 (a & j)
Gender/sex – GDPR Article 9 (a & j)

Parent/Guardian personal data:
Full name - GDPR Article 6(1)(f)
Home address - GDPR Article 6(1)(f)
Email address - GDPR Article 6(1)(f)
Mobile telephone number - GDPR Article 6(1)(f)
Work/home number - GDPR Article 6(1)(f)
Emergency contact number - GDPR Article 6(1)(f)
Parent/Guardian special category data (subject to explicit consent):
(If applicable) concession type
Documented proof of financial need
Bank details

How SSS processes personal data
SSS processes personal data with all due diligence. Enrolment forms are sent to SSS through an encrypted server directly from our online portal which has controlled access by authorised SSS staff members. Personal data collected through enrolment forms is uploaded into SSS’s database software. The database is stored both in encrypted files on office-based hardware and backed up regularly in our encrypted cloud-based server. Access to these files is restricted through password protection and only available to authorised SSS staff members.

Registers and emergency contact lists created from personal data processed by SSS are stored in encrypted files on office-based hardware and backed up regularly in our encrypted cloud-based server. Access to these files is restricted through password protection and only available to authorised SSS staff members. Hard copies of registers and emergency contacts are carried by authorised SSS staff members when access to online encrypted and password-protected files is not available. When they are no longer in use or out-dated, they are destroyed thoroughly. SSS avoids the storage of personal data in hard copy where possible. Waiting lists are stored on an encrypted cloud-based server.

Retention of personal data
SSS’s standard retention policy in relation to personal data (subject to the individual’s right to access, rectification, erasure etc.) is three years post final attendance.

Exceptions to our retention policy:
SSS is under a legal obligation to retain financial records for a minimum of 6 years.
SSS is under a legal obligation to retain first aid records for a minimum of 21 years.
Child Safeguarding records are kept indefinitely on a case-by-case basis. SSS is under a legal obligation to retain these records for a minimum of 6 years.
Bank details are erased after the action concerning them is complete.
Unsolicited enquiries that do not turn into bookings with current classes are deleted after they have been dealt with.
Image/video rights are kept indefinitely, unless requested by the student and/or parent or guardian to be erased.

Processing of personal data by third parties:
There are specific circumstances where sharing personal data with third parties is crucial to SSS’s business processes.

Freelance Teachers
As many of SSS’s teachers are freelance staff, we have Confidentiality and Data Processor agreements in place. Teachers will never be provided with personal data aside from students’ name, age, date of birth, examination results, contact details of parents or guardians and any medical information that is pertinent to the running of a class (subject to the explicit consent from the individual).

MailChimp
SSS uses a USA-based company ‘MailChimp’ to provide newsletters and marketing via email. This is an optional process, which individuals will be asked if they consent to during the enrolment process. Individuals can opt-out and erase/rectify their personal data stored with MailChimp at any time.
SSS is satisfied that MailChimp is GDPR compliant, and the personal data stored in MailChimp (email addresses) is secure. We have a Processor contract in place with MailChimp (copies available upon request).

Dance Studio Pro
SSS uses a USA-based company ‘Dance Studio Pro’ for enrolment, and as the platform to house class, event and student information. Individuals are required to consent to Dance Studio Pro storing their personal data during the enrolment process. Individuals can opt-out and erase/rectify their personal data stored with Dance Studio Pro at any time.
SSS is satisfied that Dance Studio Pro is GDPR compliant, and the personal data stored in Dance Studio Pro is secure.

Child performance licensing
To process child performance licences, SSS are legally required to provide personal data (including but not limited to full name, date of birth and school details) to local councils. This is an optional process for which explicit consent will be sought from the individual at the time of sending participation consent forms.
SSS is satisfied that the local councils are GDPR compliant, and any personal data will be stored in a secure environment and not unnecessarily retained.

Child safeguarding concerns
In the unlikely event SSS has a safeguarding concern in relation to one of its students, SSS are legally required to provide personal data to the safeguarding board at the local council.
SSS is satisfied that the local councils are GDPR compliant, and any personal data will be stored in a secure environment and not unnecessarily retained.

Event programmes
SSS may occasionally produce programmes for events containing the first and last name of the student performing and the name of the student’s class. Students and/or parents or guardians may choose if they want to be included in the programme when they agree to participate at an event.

Examination entry
To enter examinations, SSS must provide some personal data (including but not limited to full name, date of birth, ethnicity and previous examinations) to examination boards. SSS currently works with the London Academy of Music and Dramatic Arts (LAMDA) and the International Dance Teachers Association (IDTA). Explicit consent will be sought before any personal data is shared with examination boards.

Schools
When taking part in an internal class, SSS must share personal data with schools (including names, date of birth and payment information) for the schools to verify persons attending.
SSS is satisfied that such schools are GDPR compliant, and any data will be stored in a secure environment and not unnecessarily retained.

Rights of individuals under the GDPR:

Individuals have the following rights in relation to personal data processed by SSS:

The right to be informed
Individuals have the right to be informed about the collection and use of their personal data by SSS.

The right to access
Individuals may contact SSS at any time to access all personal data held relating to them or child(ren) in their care (“subject access request” or “SAR”). SSS will respond to a SAR without undue delay and within one month of receipt. If the SAR will also include personal data regarding others, SSS has the right to refuse the request or take steps to obtain consent from other involved parties.
Please note, SSS reserves the right to refuse a request for access where it conflicts with a legal obligation to which SSS is subject.

The right to rectification
Individuals may contact SSS at any time to rectify data held relating to them or child(ren) under their care. SSS will respond to a rectification request without undue delay and within one month of receipt.
The right to rectification does not apply to SSS’s legal obligations such as payment record information.

The right to erasure
Individuals may contact SSS at any time to request that SSS erase personal data held relating to them or child(ren) under their care. SSS will respond to an erasure request without undue delay and within one month of receipt.
Please note, SSS reserves the right to refuse a request for erasure where it conflicts with a legal obligation to retain certain records such as financial and first aid records to which SSS is subject.

The right to restrict processing
Individuals may contact SSS at any time to restrict the data SSS process relating to them or child(ren) under their care. SSS will respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest in the data collected, in particular due to Health and Safety and Child Safeguarding concerns, SSS may have to revoke a student’s membership with SSS until the restriction is lifted.

The right to data portability
Individuals may contact SSS at any time to obtain the personal data SSS process relating to them or child(ren) under their care and reuse it across different services. SSS will respond to a request to restrict processing without undue delay and within one month of receipt.
Please note, SSS reserves the right to refuse a request for data portability where it conflicts with a legal obligation to which SSS is subject.

The right to object
Individuals may contact SSS at any time to object to the processing of data relating to them or child(ren) under their care. SSS will respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest in the data collected, in particular due to Health and Safety and Child Safeguarding concerns, SSS may have to revoke a student’s membership with SSS until the restriction is lifted.

Rights related to automated decision-making including profiling
Individuals may contact SSS at any time to object to profiling relating to them or child(ren) under their care. SSS will respond to a request to restrict processing without undue delay and within one month of receipt.
None of SSS’s decision making is automated. Profiling is only used in circumstances where a student may have certain health/disability needs which may prevent them from taking part in classes (as it would be unsafe to do so).

Individuals may exercise their rights relating to personal data processed by SSS verbally or in writing. Verbal requests will be followed up by SSS by email to confirm the request in writing. All requests will be responded to in the time frames mentioned above.

Photos/videos of students
SSS often uses footage/photos from shows, performances and classes for marketing purposes both in print media and on the website. Students and/or their parents or guardians may choose if they do not wish themselves/their child to be depicted. Some attendees at events may film/take photos for their own personal use (e.g., parents of other students). Students and/or their parents or guardians may choose if they do not wish themselves/their child to be depicted.

Social Media
SSS regularly share photos/videos of students in workshops, events and performances through social media platforms including but not limited to Instagram, Facebook and Twitter. SSS will not share personal data without the explicit consent of the student and/or parents or guardians.

Staff
For the purposes of this part of the Data Protection policy, the term “Staff” shall include current and prospective employees of SSS, persons engaging with SSS on a freelance basis and volunteers.

How SSS collects personal data:
Staff supply their personal data when applying for roles at SSS via an application form or submission of a CV. Further information is collected when applicants are considered successful. Unsolicited data may come to SSS in the form of applicants emailing regarding work/volunteer opportunities.

Why SSS processes personal data:
It is necessary for SSS to process Staff personal data in relation to their employment under Article 6(1)(c) GDPR (Legal obligation) and/or Article 6(1)(b) GDPR (Contract).

Should SSS be unable to process Staff’s personal data, we would be contravening UK Employment law, the terms of SSS’s contracts (both employee and freelance) and our own Health & Safety and Child Safeguarding policies.

Special category data is only collected with the explicit consent of the individual. Special category data SSS collects includes but is not limited to medical/disability information, ethnicity, and gender. SSS’s lawful purpose for collecting this data is both Article 6(1)(b) GDPR (Contract) and Article 9(2)(b) GDPR (Employment). This also ensures we are conforming to our Equal Opportunities policy.

SSS is also entitled to obtain and process personal data in relation to criminal convictions and Disclosure and Barring (DBS) checks. Most posts within SSS are exempt from the Rehabilitation of Offenders Act (1974) by the 1975 and 2001 Exceptions Amendment, as they involve working with vulnerable and/or young people. This is further supported by Article 10 GDPR.

Personal and special category data processed by SSS:
It is essential to SSS’s business that it is provided, and allowed to process and store the following personal and special category data:

Staff personal data:
Full name – GDPR Article 6(1)(c) Legal Obligation
Date of birth - GDPR Article 6(1)(c) Legal Obligation
Contact details - GDPR Article 6(1)(c) Legal Obligation
Pension information - GDPR Article 6(1)(c) Legal Obligation
NI number - GDPR Article 6(1)(c) Legal Obligation
UTR number - GDPR Article 6(1)(c) Legal Obligation
Right to work in the UK - GDPR Article 6(1)(c) Legal Obligation
References - GDPR Article 6(1)(c) Legal Obligation
Bank details - Article 6(1)(b) Contract
Tax details - GDPR Article 6(1)(c) Legal Obligation
Qualifications – GDPR Article 6(1)(b) Contract
Pay details - GDPR Article 6(1)(c) Legal Obligation
Performance details – GDPR Article 6(1)(b) Contract
Annual leave details – GDPR Article 6(1)(b) Contract
Sick/compassionate/maternity/paternity leave details – GDPR Article 6(1)(b) Contract
Safeguarding concerns - GDPR Article 6(1)(c) Legal Obligation
Emergency contact - GDPR Article 6(1)(b) Contract
Staff special category data (subject to explicit consent):
Criminal record/DBS checks - GDPR Article 6(1)(c) Legal Obligation & GDPR Article 10
Medical/disability - GDPR Article 6(2)(b) Contract & Article 9(2)(b)
Ethnicity – GDPR Article 9(2)(a & b)
Sexuality – GDPR Article 9(2)(a & b)

How personal data is processed:
Any transfer of personal data regarding Staff is conducted through emails and/or stored in SSS’s encrypted cloud-based server. Any unsolicited information is received by an encrypted email server.

Storage/retention of personal data:
All Staff personal data is stored on encrypted files in SSS’s cloud-based server. It is also stored on encrypted hardware. All these files have restricted access to authorised SSS staff only. SSS does not store paper copies.

Staff personal data is retained for six years post-employment, subject to the following exceptions:
SSS are under a legal obligation to retain pension details for 75 years (post-employment).
Child Safeguarding records are kept indefinitely on a case-by-case basis. SSS is under a legal obligation to retain these records for a minimum of 6 years.
SSS are under a legal obligation to retain first aid records for a minimum of 21 years.
Unsuccessful applicant data is stored for 6 months post-campaign; this includes unsolicited data from potential applicants.

Data processing by third parties:
There are specific circumstances where sharing Staff personal data with third parties is crucial to SSS’s business processes.

Barclays and Natwest Banks
To process payments by BACS, Staff’s bank details and names must be added to our online banking system. SSS is satisfied that the banks are GDPR compliant and any data will be stored in a secure environment and not unnecessarily retained.

HMRC
To fulfil our legal obligations to HMRC, SSS must supply personal data for Staff on SSS’s payroll each month and at the end of every financial year. SSS is satisfied that HMRC is GDPR compliant and any data will be stored in a secure environment and not unnecessarily retained.

Excel spreadsheets
To process finances relating to Staff on SSS’s payroll, SSS uses Excel spreadsheets that are password protected. Any personal data will be stored in a secure environment and not unnecessarily retained.

References
To supply references for Staff, some personal data must be shared with third parties. This will only be done with the individual’s explicit consent, as SSS may not be fully aware of the recipient’s GDPR policies.

Child performance licensing
To process child performance licences, SSS are legally required to provide Staff’s personal data to local councils (including but not limited to their full name and DBS details).
SSS is satisfied that the local councils are GDPR compliant and any data will be stored in a secure environment and not unnecessarily retained.

Child safeguarding concerns
In the unlikely event SSS has a safeguarding concern in relation to a student or member of Staff, SSS are legally required to provide personal data to the safeguarding board at the local council and the DBS. SSS is satisfied that the local council and the DBS are GDPR compliant and any data will be stored in a secure environment and not unnecessarily retained.

Website Biographies
Staff biographies or profiles containing personal data are published on SSS’s website. Explicit consent is sought before any biographies/profiles are added to the website.

Rights of Staff under the GDPR:
Individuals have the following rights in relation to personal data processed by SSS:

The right to be informed
Individuals have the right to be informed about the collection and use of their personal data by SSS.

The right to access
Individuals may contact SSS at any time to access all personal data held relating to them (“subject access request” or “SAR”). SSS will respond to a SAR without undue delay and within one month of receipt. If the SAR will also include personal data regarding others, SSS has the right to refuse the request or take steps to obtain consent from other involved parties.
Please note, SSS reserves the right to refuse a request for access where it conflicts with a legal obligation to which SSS is subject.

The right to rectification
Individuals may contact SSS at any time to rectify data held relating to them. SSS will respond to a rectification request without undue delay and within one month of receipt. The right to rectification does not apply to SSS’s legal obligations such as payment record information.

The right to erasure
Individuals may contact SSS at any time to request that SSS erase personal data held relating to them. SSS will respond to an erasure request without undue delay and within one month of receipt.
Please note, SSS reserves the right to refuse a request for erasure where it conflicts with a legal obligation to retain certain records such as financial and first aid records to which SSS is subject.

The right to restrict processing
Individuals may contact SSS at any time to restrict the data it processes relating to them. SSS will respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest in the data collected, in particular due to Health and Safety and Child Safeguarding concerns, SSS may not be able to restrict processing.

The right to data portability
Individuals may contact SSS at any time to obtain the personal data SSS process relating to them and reuse it across different services. SSS will respond to a request to restrict processing without undue delay and within one month of receipt.
Please note, SSS reserves the right to refuse a request for data portability where it conflicts with a legal obligation to which SSS is subject.

The right to object
Individuals may contact SSS at any time to object to the processing of data relating to them. SSS will respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest in the data collected SSS may not be able to accept your objection.

Rights related to automated decision-making including profiling
Individuals may contact SSS at any time to object to profiling relating to them. SSS will respond to a request to restrict processing without undue delay and within one month of receipt.
None of SSS’s decision making is automated. Profiling is only used in circumstances where a staff member has a criminal conviction.

Staff may exercise their rights relating to personal data processed by SSS verbally or in writing. Verbal requests will be followed up by SSS by email to confirm the request in writing. All requests will be responded to in the time frames mentioned above.

Training and Data Protection in Practice

All members of Staff must comply with this Data Protection policy.
Training is supplied as part of management and supervision. It is also included in all induction and training periods.
SSS is registered as a Data Controller with the Independent Commissioners Office (“ICO”). The registered Data Protection Officer (“DPO”) is Alys Ettenfield, Principal.

Complaints and Data Breaches

Complaints:
Complaints regarding the handling of any personal data can be made directly to SSS’s DPO: Alys Ettenfield, Principal.
Email: alys@spencerstageschool.com
Telephone: 07925839395
Address: Spencer Stage School, 28 Clement Close, London, NW6 7AL

If you feel that your complaint was not handled in the correct manner, or still have concerns, you may escalate the complaint by contacting the ICO (0303 123 1113).

Data Breaches:
If SSS experiences a data breach of any kind, it has a legal obligation to report this to the ICO within 72 hours. The data breach will be reported by the DPO. In the instance the DPO is unavailable to report the breach, the next most senior SSS staff member shall do so.

SSS will also inform all the victims of the data breach as soon as possible if there is a high risk of adversely affecting individuals’ rights and freedoms.

SSS will store and record all data breaches.