STATEMENT
GDPR stands for General Data Protection Regulation and replaces the previous Data Protection. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018.
GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’ and that individuals data is not processed without their knowledge and are only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. Encore School of Performing Arts is committed to protecting the rights and freedoms of individuals with respect to the processing of children’s, parents, visitors and staff personal data.
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
The legislation requires that there is a clear legal basis for processing personal information. Encore School of Performing Arts relies on individual’s consent in order to process the data. If consent is withdrawn, the level of service we can offer might be severely curtailed.
GDPR INCLUDES 7 RIGHTS FOR INDIVIDUALS
1) The right to be informed
Encore School of Performing Arts is a registered Performing Arts provider with the IDTA (see IDTA Privacy policy – www.idta.co.uk and LAMDA and as so, is required to collect and manage certain data. We need to know parent’s names, addresses, telephone numbers, email addresses. We need to know children’s’ full names, addresses, date of birth, along with any SEN requirements. We are also requested to provide this data (plus educational school) to Kent County Council for Children in Entertainment Licensing; This information is sent to these authorities via a secure electronic file transfer system.
This data is stored on a secure GDPR regulated online administrative programme, Membermeister.
As an employer Encore School of Performing Arts is required to hold data on its Teachers; names, addresses, email addresses, telephone numbers, date of birth, National Insurance numbers, Unique Tax Reference and bank details. This information is also required for Disclosure and Barring Service checks (DBS) and proof of eligibility to work in the UK. This information is sent via a secure file transfer system to Due Diligence checking for the processing of DBS. Numbers and date of issue are also held on a central staffing record.
Encore School of Performing Arts uses Cookies on its website to collect data for Google Analytics, this data is anonymous.
If an email address is provided, we assume consent to use it for administrative purposes of members.
2) THE RIGHT OF ACCESS
At any point an individual can make a request relating to their data and Encore School of Performing Arts will need to provide a response (within 1 month). Encore School of Performing Arts can refuse a request, if we have a lawful obligation to retain data but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.
3) THE RIGHT TO ERASURE
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However Encore School of Performing Arts has a legal duty to keep children’s and parents details for a reasonable time*, Encore School of Performing Arts retain these records for 1 year after leaving and children’s accident and injury records for 19 years (or until the child reaches 21 years)for Child Protection records. Staff records must be kept for 6 years after the member of leaves employment, before they can be erased. This data is archived securely onsite and shredded after the legal retention period.
4) THE RIGHT TO RESTRICT PROCESSING
Parents, visitors and staff can object to Encore School of Performing Arts processing their data. This means that records can be stored but must not be used in any way, for example reports or for communications.
5) THE RIGHT TO DATA PORTABILITY
Encore School of Performing Arts requires data to be transferred from one IT system to another; such as from Encore School of Performing Arts to dance and drama Associations for examinations, or to the Kent County Council for performance BOPA licences. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
When sending letters, the postal address is shared with the Royal Mail
6) THE RIGHT TO OBJECT
Parents, visitors and staff can object to their data being used for certain activities like marketing or research.
7) THE RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING INCLUDING PROFILING
Automated decisions and profiling are used for marketing based organisations. Encore School of Performing Arts does not use personal data for such purposes.
STORAGE AND USE OF PERSONAL INFORMATION
Students records are stored electronically with Membermeister and Mailchimp which are GDPR regulated. Teaching staff have access only to registers of their classes which includes names and emergency numbers only.
Other Information stored on computer spreadsheets are password protected and encrypted.
Paper copies of students and staff used records are kept in a locked filing cabinet at the Principals home office. Paper copies of student data used at performance venues to be stored in a locked portable case if nowhere else suitable. All paper records are shredded after the retention period.
Information about individual students is used in certain documents, such as, a weekly register, medication information and disclosure forms. These documents include data such as children’s names, date of birth and sometimes address. These records are shredded after the relevant retention period.
Encore School of Performing Arts collects a large amount of personal data every year including; names and addresses of those on the waiting list. These records are shredded if the child does not attend or added to our files and stored appropriately if joined.
Subject to written consent, Encore School of Performing Arts stores personal data held visually in photographs or video clips. No names are stored with images in photo albums, displays, on the website or on Encore School of Performing Arts’s social media sites.
Further individual permission will be requested if images and videos are to be used for marketing/advertising in the form of printed fliers and posters , website or social media.
USE OF DATA PROCESSORS
Data Processors are third parties who provide services for us. We have contracts in place with the data processors which means they cannot do anything with your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
GDPR means that Encore School of Performing Arts must;
* Manage and process personal data properly
* Protect the individual’s rights to privacy
This Policy was created in August 2019
Signed on behalf of Encore School of Performing Arts
……………………………………………………………………………………………………………………….
Policy review date: August 2020
Retention periods for records
|
Students records – including registers |
A reasonable period of time after children have left the provision
|
Requirement |
Childcare Act (2006) |
|
Accident record books pertaining to the children |
Until the child reaches the age of 21 – or until the child reaches the age of 24 for child protection records | Recommendation |
Limitation Act 1980 Normal limitation rules (which mean that an individual can claim for negligently caused personal injury up to 3 years after, or deliberately caused personal injury up to 6 years after the event) are postponed until a child reaches 18 years of age |
| Records of any reportable death, injury, disease or dangerous occurrence | 3 years after the date the record was made | Requirement |
The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (as amended)
|
| Personnel files and training records (including disciplinary records and working time records) | 6 years after employment ceases | Recommendation | Chartered Institute of Personnel and Development |
| Financial records | Retention period | Status | Authority |
| Staff accident records (for organisations with 10 or more employees) | 3 years after the date the record was made (there are separate rules for the recording of accidents involving hazardous substances) | Social Security (Claims and Payments) Regulations 1979 | |