Active Academies Ltd provides sports camps, clubs and other education-based activities to children across Surrey and Sussex. We are committed to meeting the highest standards of data protection, which means providing information on exactly how we use and store information that relates to an identified or identifiable individual (personal data). This includes, never using personal data for any purpose other than what we have consent for and taking all reasonable steps to ensure personal data is stored and transferred securely.
Active Academies Ltd is registered with the Information Commissioners Office (ICO) and processes all personal data, including that collected via this website, in accordance with EU General Data Protection Regulation 2018 (GDPR), which governs data protection and user privacy standards throughout the European Union.
GDPR outlines how organisations must collect, handle and store personal information. To comply with the law, personal information must be collected and used fairly, stored safely and not be disclosed to any unauthorised parties unlawfully. We must also ensure that client information is protected against accidental loss.
Users who entrust their personal data to companies like Active Academies Ltd have the following rights under GDPR:
- The right to have all personal data erased following a request.
- The right to see all personal data by submitting a Subject Access Request.
- The right for individuals to receive personal datain a common usable format.
- The right to correct inaccurate personal data.
- The right to opt-out of marketing communications as easily.
- The right to restrict or object to processing.
- The right to complain.
Active Academies Ltd is dedicated to ensuring it only obtains the personal data necessary to deliver a highly effective service and, with consent, keep clients fully informed. As things stand, this personal data includes; the name, address, mobile number and email address of parents or guardians; the name, age and gender of children; emergency contact names and mobile numbers. In addition, registered and non-registered users can post messages on our website, which are stored and closely monitored to ensure that personal data, which does not relate to the user themselves, is not published. We also seek permission to take and display photographs of children who attend our camps, which are stored in exactly the same way as other personal data, with the same conditions and rights attached.
We believe that none of the personal data we hold on clients is ‘sensitive’ based on the definition provided under GDPR. Significantly, Active Academies Ltd does not process any financial data in relation to clients. All financial transactions are managed on our behalf by PayPal, who have their own security and privacy protocols, which can be checked separately.
Storing and Processing Data
The main platform for receiving and storing data is via our website, which has been created using WordPress and is hosted by SiteGround on secure servers. Occasionally, we download selected personal data to laptops, which is then encrypted and password protected, and we may also occasionally print basic information, such as children’s names and ages, to create a register, which also includes emergency telephone numbers. These are never left on public display and, whether held on a laptop or as a hard copy, are deleted or destroyed as soon as they become obsolete, which is normally at the end of each session.
Furthermore, we continually review the personal data we ask for and securely discard any centrally held information that we consider obsolete, which in most instances happens immediately but, in the case of inactive user accounts, we wait for 6 months. This means that if a user account remains dormant for this period, which includes us receiving no bookings or communications, we delete all personal data we hold in relation to that client.
We only share personal data with the people who deliver some of our programmes or administer our website. They have all been briefed on data protection and if they hold personal information on devices, then these documents are encrypted and password protected, alongside the devices themselves. The documents are then subject to the same conditions of use as previously described.
Opting Out, Changing or Requesting Personal Data
All contact with Active Academies Ltd concerning correspondence and personal data, should be made using the email firstname.lastname@example.org
Clients have the right to opt out of receiving emails from us at any time. This can be done by simply replying to an initial email or contacting us separately and clearly stating that all correspondence should stop.
If a client believes any personal data we hold is incorrect, they should email us to confirm the correction, which will be made within one week.
Finally, should a client wish to receive a copy of the personal data we hold on them they should request this via an email headed ‘Subject Access Request’, which will be responded to in full within one week.
Our understanding of the personal data we hold is that, if breached, it is unlikely to lead to limitation of client rights, including discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the person concerned. With this in mind we would not, therefore, ordinally report a breach to the Information Commissioners Office (ICO). That said, we would naturally take every measure to contain the breach and notify all affected parties if we felt any sight, loss or unauthorised manipulation of data might result in a personal issue.
Workforce and Third-Party Data
In addition to client information, Active Academies Ltd also holds information that relates to its workforce and third-party organisations, such as schools and leisure facilities. Regarding our workforce, because these people are self-employed, we only retain basic contact information in the form of names, emails and telephone details, which is held on a generic ‘contacts’ list, accessed via the cloud through password protected processes and devices.
In order to remunerate colleagues, we receive paper and electronic invoices that contain basic bank details such as account numbers and sort codes. All invoices are, therefore, retained securely for our financial records in the form they arrive, either in a locked filling cabinet for paper documents, accessed only by the two Active Academies managing directors, or electronically on password protected encrypted devices. All financial transactions are processed online via the Active Academies Ltd bank website, which has three levels of security. Any workforce or third-party data breach would be handled in the same way as client breaches, identified above.