The Sussex Swim School
Data Policy – How we protect customer information
1. Our Commitment & Responsibilities
The Sussex Swim School is committed to the protection of all personal data for which it holds responsibility as the Data Controller and the handling of such data in accordance with all legal obligations.
Changes to data protection legislation shall be monitored and implemented in order to remain compliant with all requirements.
The Sussex Swim School is also committed to ensuring that its teachers and support staff are aware of data protection policies and legal requirements. The requirements of this policy are therefore mandatory for all teachers and support staff contracted to provide services to the company.
- Analyse and document the type of personal data we hold;
- Check procedures to ensure they cover all the rights of the individual;
- Identify the lawful basis for processing data;
- Ensure consent procedures are lawful;
- Implement and review procedures to detect, report and investigate personal data breaches;
- Store data in safe and secure ways;
- Assess the risk that could be posed to individual rights and freedoms should data be compromised.
Teacher/Support Staff Responsibilities
- Fully understand data protection obligations and comply with this policy at all times;
- Check that any data processing activities comply with our policy and are justified;
- Do not use data in any unlawful way;
- Do not store data incorrectly, be careless with it or otherwise cause us to breach data protection laws and our policies through your actions;
- Raise any concerns, notify any breaches or errors, and report anything suspicious or contradictory to this policy or our legal obligations without delay.
The Sussex Swim School shall comply with the principles of data protection as set out in the Data Protection Act 1998 and the General Data Protection Regulation (GDPR).
We will make every effort possible in everything we do to comply with these principles.
The principles are:
- Lawful, fair and transparent
Data collection must be fair, for a legal purpose and we must be open and transparent as to how the data will be used.
- Limited for its purpose
Data can only be collected for a specific purpose.
- Data minimisation
Any data collected must be necessary and not excessive for its purpose.
The data we hold must be accurate and kept up to date.
We cannot store data longer than necessary.
- Integrity and confidentiality
The data we hold must be kept safe and secure.
3. Legal Basis for Holding & Using Data
We shall be transparent about the intended processing of data and communicate these intentions through a ‘Privacy Notice’ issued to teachers, support staff, parents/legal guardians and pupils prior to the processing of personal data.
Notifications shall be in accordance with ICO guidance and, where relevant, be written in a form understandable by those defined as ‘Children’ under the legislation.
Any proposed change to the processing of personal data shall first be notified to those affected.
4. Data Storage & Security
In order to assure the protection of all data being processed and inform decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individuals privacy in holding data related to them.
Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and reporting of their performance.
The security arrangements of any organisation with which data is shared shall also be considered and these organisations shall provide evidence of the competence in the security of shared data.
Data storage requirements are as follows:
- When data is stored on paper, it must be kept in a secure place where unauthorised people cannot access it (this includes data that is usually stored electronically but has been printed out).
When not required, paper records must be kept in a locked drawer or filing cabinet.
- Teachers/support staff must make sure paper and printouts are not left where unauthorised people could see them.
- Data on paper must be shredded and disposed of securely when no longer required. When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts.
- Data must be protected by strong passwords that are changed regularly and never shared.
- Data must not be stored on removable media (e.g. memory sticks) or downloaded to portable devices (e.g. mobile phones).
- Data must be backed-up frequently.
- Data should be held in as few places as necessary (teachers and support staff must therefore not create any unnecessary additional data sets).
- Data must not be shared with any unauthorised third party.
5. Data Accuracy
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate or incomplete personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the Data Controller.
6. Subject Access Requests
All individuals whose data is held by us, have a legal right to request access to such data. Such requests should be made in writing to:
The Sussex Swim School
23 Searle’s View
West Sussex RH12 4FG
We shall respond to such requests within 30 calendar days.
7. Photographs and Video
Digital photography images (comprising still photographs and/or video images incorporating soundtrack/sound bites) of teachers, parents/legal guardians and pupils will only be captured with the prior consent of teachers, parents/legal guardians and where required, pupils at appropriate times and as part of pre-arranged photo-shoot opportunities and/or in support of publicity and marketing campaigns.
It is The Sussex Swim Schools policy that external parties (including teachers, parents/legal guardians, pupils, relatives and friends) may not capture images of pupils (including their own children or children they are accompanying) during swimming activities without prior explicit written consent from the company and the parents/legal guardians of those appearing in the images.
Photography in changing areas or in shower/toilets facilities is strictly prohibited.
8. Data Retention and Disposal
The Sussex Swim School recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk.
All data held in any form of media shall be properly destroyed and/or permanently deleted in accordance with our retention policy.
9. Data Breaches & Notifications
If there is an actual or suspected personal data breach this must be reported to The Sussex Swim School office without delay. Support staff will investigate and determine what action is necessary which may comprise:
- Taking action to prevent any further data breaches;
- Informing those people adversely affected without undue delay;
- Document the data breach and actions taken;
- If appropriate, inform the Information Commissioners Office within 72 hours.
We take compliance with this policy very seriously as failure to comply puts individual office holders, as well as the company, at risk.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary action and/or termination of contract.
The Sussex Swim School