Creative Sport & Leisure is required to retain certain personal information about employees, learners and other individuals who come into contact with the company. This information is gathered to enable it to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that the company complies with its statutory obligations. To comply with the law, information must be used fairly, stored safely and not disclosed to any other person unlawfully.
This policy is intended to ensure that personal data collected is dealt with correctly and securely in accordance with the UK data protection law. This policy applies to all personal data, regardless of whether it is paper or electronic format. All staff involved with the collection, processing and disclosure of data will be made aware of their duties and responsibilities.
This policy meets the requirements of the:
It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR. The UK GDPR is based on data protection principles that our organisation must comply with.
The principles state that personal data must be:
This policy sets out how the organisation aims to comply with these principles.
Personal information or data is defined as; any information that relates to an identified, or identifiable, living individual who can be identified from that data, or other information held.
Creative Sport & Leisure obtains personal information during recruitment and enrolment processes and stores this data on the appropriate database (PICS for learners and customers and Cezanne for staff). This information is stored on databases that require the use of personalised log in credentials which are updated regularly. Both these systems are web based and accounts are created specific to the individual to ensure correct user rights and access is established. The information on these databases is backed up to ensure data security. Access from outside the organisation is controlled by a firewall which uses non-standard port numbers in addition to usernames and passwords that greatly enhance security and limit the opportunity for access violation.
Creative Sport & Leisure will only collect personal data for specified, explicit and legitimate reasons. These reasons will be explained to the individuals when the data is first collected.
If Creative Sport & Leisure want to use personal data for reasons other than those given when first obtained, we will inform the individuals concerned before we do so, and seek consent where necessary.
Staff must only process personal data where it is necessary in order to do their jobs.
We will keep data accurate and, where necessary up-to-date. Inaccurate data will be rectified or erased when appropriate.
In addition, when staff no longer need the personal data they hold, they must ensure it is deleted or anonymised. This will be done in accordance with Creative Sport & Leisure’s retention schedule.
The company is committed to maintain the above principles at all times and will therefore:
This policy applies to all staff that are employed by Creative Sport & Leisure, and to external organisations or individuals working on our behalf. Staff who do not comply with this policy may face disciplinary action.
The Board of Directors has overall responsibility for ensuring that Creative Sport & Leisure complies with all relevant data protection obligations.
Staff are responsible for:
Staff will only release information about learners to the following persons:
In all cases, to safeguard the learner, Creative Sport & Leisure will not disclose to anyone:
It is assumed that authorised persons will know this information and can ask the learner directly if they need to. Learners whose programmes are funded by government agencies will have key information released to these agencies through data returns in order to have their programmes funded. All learners and customers on courses that aim to achieve accredited qualifications must have key information used in order to register and certificate those qualifications. This information will, in most cases, only be date of birth and/or national insurance number.
Persons who cannot identify themselves as above will be required to request information, in writing, to Central Services. These requests will be authorised with the learner prior to any information being released.
All staff will process data about learners on a regular basis, when marking registers, or Creative Sport & Leisure course work, writing reports or references, or as part of a pastoral or academic supervisory role. Creative Sport & Leisure will ensure, through registration procedures, that all learners give their consent to this sort of processing, and are notified of the categories of processing, as required by UK data protection law. The information that staff deal with on day-to-day basis will be ‘standard’ and will cover categories such as:
Information about a learner’s physical or mental health; sexual life; political or religious views, trade union membership or ethnicity or race is sensitive and can only be collected and processed with the learner’s consent. Examples: recording information about dietary needs for religious or health reasons prior to taking learners on a field trip; recording information that a learner is pregnant, as part of personal duties.
All staff have a duty to make sure that they comply with the data protection principles. In particular, staff must ensure that records are: accurate, up-to-date, fair, kept and disposed of safely, and in accordance with Creative Sport & Leisure’s policy.
Creative Sport & Leisure will designate staff as ‘authorised staff’. These are the only staff authorised to hold or process data that are not standard data or sensitive data.
The only exception to this will be if a non-authorised staff member is satisfied that the processing of the data is necessary and is in the best interests of the learner or staff member, or a third person, or Creative Sport & Leisure AND he or she has either informed the authorised person of this, or has been unable to do so and processing is urgent and necessary in all the circumstances.
This should only happen in very limited circumstances.
Learners must ensure that all personal data provided to Creative Sport & Leisure is accurate and up to date. They must ensure that changes of address, etc are notified to their Tutor/Assessor and or other person as appropriate.
Learners who use Creative Sport & Leisure computer facilities may, from time to time, process personal data. If they do they must notify the designated Data Controller. Any learner who requires further clarification about this should contact the designated Learner Data Controller.
Creative Sport & Leisure will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing, or disclosure and against accidental or unlawful loss, destruction or damage.
Individuals have the right to make a ‘subject access request’ to gain access to personal information that Creative Sport & Leisure holds about them. This includes:
Subject access requests can be submitted in any form, but we may be able to respond to requests more quickly if they are made in writing and include:
If staff receive a subject access request in any form, they must immediately forward it to the designated Data Controller.
When responding to requests, we:
If the request is unfounded or excessive, we may refuse to act on it, or charge a reasonable fee to cover administrative costs. We will take into account whether the request is repetitive in nature when making this decision.
When we refuse a request, we will tell the individual why, and tell them they have the right to complain to the ICO or they can seek to enforce their subject access right through the courts.
In addition to the right to make a subject access request and to receive information when we are collecting their data about how we use and process it, individuals also have the right to:
Individuals should submit any request to exercise these rights to the DPO. If staff receive such a request, they must immediately forward it to the Data Controller.
In many cases, Creative Sport & Leisure can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained. Agreement to Creative Sport & Leisure processing some specified classes of personal data is a condition of acceptance of a learner onto any course, and a condition of employment for staff. This includes information about previous criminal convictions.
Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. Creative Sport & Leisure has a duty under the Children Act and other legislation to ensure that staff are suitable for the job, and learners for the courses offered. Creative Sport & Leisure also has a duty of care to all staff and learners and must therefore make sure that employees and those who use Creative Sport & Leisure facilities do not pose a threat or danger to other users.
Creative Sport & Leisure will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. Creative Sport & Leisure will only use the information in the protection of the health and safety of the individual but will need consent to process in the event of a medical emergency, for example. Therefore, all prospective staff and learners [AT6] will be asked to sign a Consent to Process form, regarding particular types of information when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn.
Sometimes it is necessary to process information about a person’s health, criminal convictions, race and gender and family details. This may be to ensure the Creative Sport & Leisure is a safe place for everyone, or to operate other Creative Sport & Leisure policies, such as the Sick Pay Policy or Equal Opportunities Policy. As this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and learners will be asked to give express consent for Creative Sport & Leisure to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to this, without good reason. More information about this is available from the Data Controller.
Creative Sport & Leisure as a body corporate is the Data Controller under the Act, and the board is therefore ultimately responsible for implementation. However, there is a designated Data Controllers dealing with day-to-day matters. The first point of contact for enquirers is:
Fiona Grocock – Head of Central Services, Vantage House, 6-7 Claydons Lane, Rayleigh, Essex SS6 7UP
Telephone: 01268 551910
Learners will be entitled to information about their marks, where appropriate, for both coursework and examinations. However, this may take longer than other information to provide. Creative Sport & Leisure may also withhold certificates, accreditation or references in the event that the full course fees have not been paid, or all books and equipment returned to the Creative Sport & Leisure.
Creative Sport & Leisure will keep some forms of information for longer than others. Refer to Document Control Policy for further detail.
When personal data is no longer required, or has passed its retention date, paper records must be shredded. If there is a significant amount of material which cannot be dealt with by normal shredding machines, this should be disposed of using a reputable disposal contractor. Computerised records must be permanently deleted, with particular care taken that 'hidden' data cannot be recovered. The IT Help desk can advise on permanent deletion of computerised records.
Compliance with the UK data protection law is the responsibility of all members of the Creative Sport & Leisure. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to Creative Sport & Leisure facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated Creative Sport & Leisure Data Controller.
If you would like more information on any of our programmes, or any other enquiries, please fill in the contact form.
Alternatively, please call us on 01268 552218 or use our online chat facility.