Data Protection Policy


Creative Sport & Leisure is required to retain certain personal information about employees, learners and other individuals who come into contact with the company. This information is gathered to enable it to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that the company complies with its statutory obligations. To comply with the law, information must be used fairly, stored safely and not disclosed to any other person unlawfully.

This policy is intended to ensure that personal data collected is dealt with correctly and securely in accordance with the UK data protection law. This policy applies to all personal data, regardless of whether it is paper or electronic format. All staff involved with the collection, processing and disclosure of data will be made aware of their duties and responsibilities.

This policy meets the requirements of the:

  • UK General Data Protection Regulation (UK GDPR) – the EU GDPR was incorporated into UK legislation, with some amendments, by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020
  • Data Protection Act 2018 (DPA 2018)

It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR. The UK GDPR is based on data protection principles that our organisation must comply with.

The principles state that personal data must be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary to fulfil the purposes for which it is processed
  • Accurate and, where necessary, kept up to date
  • Kept for no longer than is necessary for the purposes for which it is processed
  • Processed in a way that ensures it is appropriately secure

This policy sets out how the organisation aims to comply with these principles.

1 Personal Information

Personal information or data is defined as; any information that relates to an identified, or identifiable, living individual who can be identified from that data, or other information held.

Creative Sport & Leisure obtains personal information during recruitment and enrolment processes and stores this data on the appropriate database (PICS for learners and customers and Cezanne for staff). This information is stored on databases that require the use of personalised log in credentials which are updated regularly. Both these systems are web based and accounts are created specific to the individual to ensure correct user rights and access is established. The information on these databases is backed up to ensure data security. Access from outside the organisation is controlled by a firewall which uses non-standard port numbers in addition to usernames and passwords that greatly enhance security and limit the opportunity for access violation.

Creative Sport & Leisure will only collect personal data for specified, explicit and legitimate reasons. These reasons will be explained to the individuals when the data is first collected.

If Creative Sport & Leisure want to use personal data for reasons other than those given when first obtained, we will inform the individuals concerned before we do so, and seek consent where necessary.

Staff must only process personal data where it is necessary in order to do their jobs.

We will keep data accurate and, where necessary up-to-date. Inaccurate data will be rectified or erased when appropriate.

In addition, when staff no longer need the personal data they hold, they must ensure it is deleted or anonymised. This will be done in accordance with Creative Sport & Leisure’s retention schedule.

2 Company Responsibilities

The company is committed to maintain the above principles at all times and will therefore:

  • Inform individuals why the information is being collected, when it is collected;
  • Inform individuals when their information is shared, and why and with whom it was shared;
  • Check the quality and the accuracy of the information it holds;
  • Ensure that information is not retained for longer than is necessary;
  • Ensure that when obsolete information is destroyed that it is done so appropriately and securely;
  • Ensure that clear and robust safeguards are in place to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded;
  • Share information with others only when it is legally appropriate to do so;
  • Set out procedures to ensure compliance with the duty to respond to requests for access to personal information, known as ‘Subject Access Requests’
  • Ensure our staff are aware of and understand our policies and procedures in relation to Data Protection.

3 Staff Responsibilities 

This policy applies to all staff that are employed by Creative Sport & Leisure, and to external organisations or individuals working on our behalf. Staff who do not comply with this policy may face disciplinary action.

The Board of Directors has overall responsibility for ensuring that Creative Sport & Leisure complies with all relevant data protection obligations.

Staff are responsible for:

  • Collecting, storing and processing any personal data in accordance with this policy
  • Informing the organisation of any changes to their personal data, such as a change of address
  • Contacting the Data Protection Officer in the following circumstances:
  • With any questions about the operation of this policy, data protection law, retaining personal data or keeping personal data secure
  • If they have any concerns that this policy is not being followed
  • If they are unsure whether or not they have a lawful basis to use personal data in a particular way
  • If they need to rely on or capture consent, draft a privacy notice, deal with data protection rights invoked by an individual, or transfer personal data outside the UK
  • If there has been a data breach
  • Whenever they are engaging in a new activity that may affect the privacy rights of individuals
  • If they need help with any contracts or sharing personal data with third parties

Staff will only release information about learners to the following persons:

  • Those identified on the learner’s application form, their key employer contact
  • Those who can identify the learner’s date of birth accurately

In all cases, to safeguard the learner, Creative Sport & Leisure will not disclose to anyone:

  • Learner’s personal details
  • Day’s the learner attends Creative Sport & Leisure
  • The learner’s place of work

It is assumed that authorised persons will know this information and can ask the learner directly if they need to. Learners whose programmes are funded by government agencies will have key information released to these agencies through data returns in order to have their programmes funded. All learners and customers on courses that aim to achieve accredited qualifications must have key information used in order to register and certificate those qualifications. This information will, in most cases, only be date of birth and/or national insurance number.

Persons who cannot identify themselves as above will be required to request information, in writing, to Central Services. These requests will be authorised with the learner prior to any information being released.

All staff will process data about learners on a regular basis, when marking registers, or Creative Sport & Leisure course work, writing reports or references, or as part of a pastoral or academic supervisory role. Creative Sport & Leisure will ensure, through registration procedures, that all learners give their consent to this sort of processing, and are notified of the categories of processing, as required by UK data protection law. The information that staff deal with on day-to-day basis will be ‘standard’ and will cover categories such as:

  • General personal details such as name and address
  • Details about class attendance, course work marks and grades and associated comments
  • Notes of personal supervision, including matters about behaviour discipline

Information about a learner’s physical or mental health; sexual life; political or religious views, trade union membership or ethnicity or race is sensitive and can only be collected and processed with the learner’s consent. Examples: recording information about dietary needs for religious or health reasons prior to taking learners on a field trip; recording information that a learner is pregnant, as part of personal duties.

All staff have a duty to make sure that they comply with the data protection principles. In particular, staff must ensure that records are: accurate, up-to-date, fair, kept and disposed of safely, and in accordance with Creative Sport & Leisure’s policy.

Creative Sport & Leisure will designate staff as ‘authorised staff’. These are the only staff authorised to hold or process data that are not standard data or sensitive data.

The only exception to this will be if a non-authorised staff member is satisfied that the processing of the data is necessary and is in the best interests of the learner or staff member, or a third person, or Creative Sport & Leisure AND he or she has either informed the authorised person of this, or has been unable to do so and processing is urgent and necessary in all the circumstances.

This should only happen in very limited circumstances.

4 Learner Responsibilities

Learners must ensure that all personal data provided to Creative Sport & Leisure is accurate and up to date. They must ensure that changes of address, etc are notified to their Tutor/Assessor and or other person as appropriate.

Learners who use Creative Sport & Leisure computer facilities may, from time to time, process personal data. If they do they must notify the designated Data Controller. Any learner who requires further clarification about this should contact the designated Learner Data Controller.

5 Data Security and storage of records

Creative Sport & Leisure will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing, or disclosure and against accidental or unlawful loss, destruction or damage.

In particular:

  • Paper-based records and portable electronic devices, such as laptops and hard drives that contain personal data are kept under lock and key when not in use
  • Papers containing confidential personal data must not be left on desks or anywhere else that has general access
  • Where personal information needs to be taken off site, staff must ensure this is agreed with Data Controller
  • Passwords that are at least 10 characters long containing letters and numbers are used to access organisation laptops and other electronic devices
  • Encryption software is used to protect all portable devices and removable media, such as laptops and USB devices
  • Where we need to share personal data with a third party, we carry out due diligence and take reasonable steps to ensure it is stored securely and adequately protected
  • If information is required to be shared through email, then all attachments are required to be protected with a password. The password will not be included in the content of email and will be shared separately.

6 Subject access requests and other rights of individuals

6.1 Subjects access requests

Individuals have the right to make a ‘subject access request’ to gain access to personal information that Creative Sport & Leisure holds about them. This includes:

  • · Confirmation that their personal data is being processed
  • · Access to a copy of the data
  • · The purposes of the data processing
  • · The categories of personal data concerned
  • · Who the data has been, or will be, shared with
  • · How long the data will be stored for, or if this isn’t possible, the criteria used to determine this period
  • · Where relevant, the existence of the right to request rectification, erasure or restriction, or to object to such processing
  • · The right to lodge a complaint with the Information Commissioners Office (ICO) or another supervisory authority
  • · The source of the data, if not the individual
  • · Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual
  • · The safeguards provided if the data is being transferred internationally

Subject access requests can be submitted in any form, but we may be able to respond to requests more quickly if they are made in writing and include:

  • · Name of the individual
  • · Correspondence address
  • · Contact number and email address
  • · Details of the information requested

If staff receive a subject access request in any form, they must immediately forward it to the designated Data Controller.

6.2 Responding to subject access requests

When responding to requests, we:

  • · May ask the individual to provide 2 forms of identification
  • · May contact the individual via phone to confirm the request was made
  • · Will respond without delay and within 1 month of receipt of the request (or receipt of the additional information needed to confirm identity, where relevant)
  • · Will provide the information free of charge
  • · May tell the individual we will comply within 3 months of receipt of the request, where a request is complex or numerous. We will inform the individual of this within 1 month, and explain why the extension is necessary

If the request is unfounded or excessive, we may refuse to act on it, or charge a reasonable fee to cover administrative costs. We will take into account whether the request is repetitive in nature when making this decision.

When we refuse a request, we will tell the individual why, and tell them they have the right to complain to the ICO or they can seek to enforce their subject access right through the courts.

6.3 Other data protection rights of the individual

In addition to the right to make a subject access request and to receive information when we are collecting their data about how we use and process it, individuals also have the right to:

  • Withdraw their consent to processing at any time
  • Ask us to rectify, erase or restrict processing of their personal data (in certain circumstances)
  • Prevent use of their personal data for direct marketing
  • Object to processing which has been justified on the basis of public interest, official authority or legitimate interests
  • Challenge decisions based solely on automated decision making or profiling (i.e. making decisions or evaluating certain things about an individual based on their personal data with no human involvement)
  • Be notified of a data breach (in certain circumstances)
  • Make a complaint to the ICO
  • Ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances)

Individuals should submit any request to exercise these rights to the DPO. If staff receive such a request, they must immediately forward it to the Data Controller.

7 Subject Consent

In many cases, Creative Sport & Leisure can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained. Agreement to Creative Sport & Leisure processing some specified classes of personal data is a condition of acceptance of a learner onto any course, and a condition of employment for staff. This includes information about previous criminal convictions.

Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. Creative Sport & Leisure has a duty under the Children Act and other legislation to ensure that staff are suitable for the job, and learners for the courses offered. Creative Sport & Leisure also has a duty of care to all staff and learners and must therefore make sure that employees and those who use Creative Sport & Leisure facilities do not pose a threat or danger to other users.

Creative Sport & Leisure will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. Creative Sport & Leisure will only use the information in the protection of the health and safety of the individual but will need consent to process in the event of a medical emergency, for example. Therefore, all prospective staff and learners [AT6] will be asked to sign a Consent to Process form, regarding particular types of information when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn.

8 Processing Sensitive Information

Sometimes it is necessary to process information about a person’s health, criminal convictions, race and gender and family details. This may be to ensure the Creative Sport & Leisure is a safe place for everyone, or to operate other Creative Sport & Leisure policies, such as the Sick Pay Policy or Equal Opportunities Policy. As this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and learners will be asked to give express consent for Creative Sport & Leisure to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to this, without good reason. More information about this is available from the Data Controller.

9 The Data Controller and the Designated Data Controller(S)

Creative Sport & Leisure as a body corporate is the Data Controller under the Act, and the board is therefore ultimately responsible for implementation. However, there is a designated Data Controllers dealing with day-to-day matters. The first point of contact for enquirers is:

Fiona Grocock – Head of Central Services, Vantage House, 6-7 Claydons Lane, Rayleigh, Essex SS6 7UP


Telephone: 01268 551910

10 Examination Marks

Learners will be entitled to information about their marks, where appropriate, for both coursework and examinations. However, this may take longer than other information to provide. Creative Sport & Leisure may also withhold certificates, accreditation or references in the event that the full course fees have not been paid, or all books and equipment returned to the Creative Sport & Leisure.

11 Retention of Data

Creative Sport & Leisure will keep some forms of information for longer than others. Refer to Document Control Policy for further detail.

12 Disposal of Data

When personal data is no longer required, or has passed its retention date, paper records must be shredded. If there is a significant amount of material which cannot be dealt with by normal shredding machines, this should be disposed of using a reputable disposal contractor. Computerised records must be permanently deleted, with particular care taken that 'hidden' data cannot be recovered. The IT Help desk can advise on permanent deletion of computerised records.

13 Conclusion

Compliance with the UK data protection law is the responsibility of all members of the Creative Sport & Leisure. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to Creative Sport & Leisure facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated Creative Sport & Leisure Data Controller.

Contact Us

If you would like more information on any of our programmes, or any other enquiries, please fill in the contact form.

Alternatively, please call us on 01268 552218 or use our online chat facility.

From time to time, we may like to send you information and offers about our products and services. Your information will never be passed on to third parties. Would you like to receive our marketing material: