GDPR stands for General Data Protection Regulation and replaces the previous Data Protection Directives that were in place. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018.
GDPR means that Upside Down Arts must;
* Manage and process personal data properly
* Protect the individual’s rights to privacy
* Provide an individual with access to all personal information held on them
GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’ and that individual’s data is not processed without their knowledge and are only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. Upside Down Arts is committed to protecting the rights and freedoms of individuals with respect to the processing of children’s, parent’s, visitor’s and staff’s personal data.
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
GDPR includes 7 rights for individuals
1) The right to be informed -
Upside Down Arts is a registered Performing Arts provider with Acrobatic Arts and as so, is required to collect and manage certain data. We need to know parent’s names, addresses, telephone numbers, email addresses. We need to know children’s full names, addresses, date of birth and primary school, allergies, along with any SEN requirements. We are requested to provide this data if and when our students participate in performances and their Acrobatic Arts Exams.
As an employer Upside Down Arts is required to hold data on its Teachers; names, addresses, email addresses, telephone numbers, date of birth, National Insurance numbers, photographic ID such as passport and driver’s license, bank details. This information is also required for Disclosure and Barring Service checks (DBS) and proof of eligibility to work in the UK.
2) The right of access
At any point, an individual can make a request relating to their data and Upside Down Arts will need to provide a response (within 1 month). Upside Down Arts can refuse a request, if we have a lawful obligation to retain data but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.
3) The right to erasure
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, Upside Down Arts has a legal duty to keep children’s and parent’s details for a reasonable time. Upside Down Arts retain children’s accident and injury records for 19 years (or until the child reaches 21 years), and 22 years (or until the child reaches 24 years) for Child Protection records. Staff records must be kept for 6 years after the member of staff leaves employment, before they can be erased. This data is archived securely on Class4Kids (Our online database) and deleted after the legal retention period.
4) The right to restrict processing
Parents, visitors and staff can object Upside Down Arts processing their data. This means that records can be stored but must not be used in any way, for example reports or for communications.
5) The right to data portability
Upside Down Arts requires data to be transferred from one IT system to another; such as from Upside Down Arts to the Local Authority, for performance licences, and dance Associations for examinations. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
6) The right to object
Upside Down Arts will send out marketing material relating to Upside Down Arts from time to time, to our students, parents and persons who have enquired about our classes. Parents, visitors and staff can object to their data being used for certain activities like marketing or research. Please inform us if you do not wish to receive this information.
7) The right not to be subject to automated decision-making including profiling.
Automated decisions and profiling are used for marketing based organisations. Upside Down Arts does not use personal data for such purposes.
Storage and use of personal information:
Information about individual children is used in certain documents, such as, a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children’s names, date of birth and sometimes address. These records are shredded after the relevant retention period.
Upside Down Arts collects a large amount of personal data every year including; names and addresses of those on the waiting list. These records are shredded if the child does not attend or added to the child’s file and stored appropriately.
Upside Down Arts stores personal data held visually in photographs or video clips or as sound recordings. No names are stored with images in photo albums, displays, on the website or on Upside Down Arts social media sites.