General Data Protection Regulation Policy
GDPR stands for General Data Protection Regulation and replaces the previous Data Protection
Directives that were in place. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018.
GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’ and that individual data is not processed without their knowledge and are only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. Rhythmix Academy of Dance is committed to protecting the rights and freedoms of individuals with respect to the processing of children's, parents, visitors and staff personal data.
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
GDPR includes 7 rights for individuals
1) The right to be informed
Rhythmix Academy of Dance is required to collect and manage certain data, to provide the service that we offer, allowing us to keep the children safe and parents updated. We need to know parent’s names, telephone numbers, email addresses. We need to know children’s’ full names, addresses and date of birth and any medical needs.
Rhythmix Academy of Dance is required to hold data on its Teachers; names, addresses, email addresses, telephone numbers, date of birth, membership number for dance faculty, bank details.
Rhythmix Academy of Dance is required to hold full names, email addresses, telephone numbers, date of birth and medical details of all adult class attendees in order to keep participants safe and update them of any changes.
Rhythmix Academy of Dance is required to obtain photo consent from all members which holds participants full name and telephone numbers.
2) The right of access
At any point an individual can make a request relating to their data and Rhythmix Academy of Dance will need to provide a response (within 1 month). Rhythmix Academy of Dance can refuse a request, if we have a lawful obligation to retain data but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.
3) The right of rectification
At any point an individual can make a request to update and alter their data held by Rhythmix Academy of Dance.
4) The right to erasure
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, Rhythmix Academy of Dance has a legal duty to keep children’s and parent’s details for: children's accident and injury records for 19 years (or until the child reaches 21 years), and 22 years (or until the child reaches 24 years) for Child Protection records. Staff records must be kept for 6 years after the teaching member leaves, before they can be erased. This data is archived securely onsite and shredded after the legal retention period if this is the teachers request. Once a student is no longer attending classes any personal data will be deleted and / or shredded within 2 years unless agreed otherwise.
5) The right to restrict processing
Parents, visitors and staff can object to Rhythmix Academy of Dance processing their data. This means that records can be stored but must not be used in any way, for example reports or for communications. This must be submitted in written form to Rhythmix Academy of Dance.
6) The right to data portability
Rhythmix Academy of Dance requires data to be transferred from one IT system to another; such as from Rhythmix Academy of Dance to the Local Authority, for performance licences, and dance/music Associations for examinations. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR. Rhythmix Academy of dance requires data to be transferred to our accountant KSL and potentially HMRC for tax reasons, both organizations have their own policies which are GDPR compliant.
7) The right to object
Parents, visitors and staff can object to their data being used for certain activities like marketing or research. Members can unsubscribe to our e-mail newsletters at any time by clicking unsubscribe or contacting us directly.
8) The right not to be subject to automated decision-making including profiling.
Automated decisions and profiling are used for marketing based organisations. Rhythmix Academy of Dance does not use personal data for such purposes.
Storage and use of personal information
All paper copies of children's and staff records are kept in a locked filing cabinet in the office at the studio or the home office in Potters Bar. Members of staff can have access to these files but information taken from the files about individual children is confidential and apart from archiving with consent, these records are shredded after the retention period.
Information about individual children is used in certain documents, such as, a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children's names, date of birth and medical details. These records are shredded after the relevant retention period.
On our weekly registers and music booking register, a full name and emergency contact details is listed. When these registers are not in use they are stored in a locked cabinet at the studio.
Rhythmix Academy of Dance collects a large amount of personal data every year including; names, email addresses and telephone numbers of those on the waiting list and enquiry list. These records are shredded within 2 years if the individual does not attend or added to the participants file and stored appropriately.
Rhythmix Academy of Dance stores personal data held visually in photographs or video clips or as sound recordings. No names are stored with images in photo albums, displays, on the website or on The Rhythmix Academy of Dance website or social media sites.
Access to all electronic data is password protected. When a member of staff stops teaching for the school these passwords are changed in line with this policy and our Safeguarding policy. Any portable data storage used to store personal data, e.g. USB memory stick, are password protected and/or stored in a locked filing cabinet.
Email addresses will be collected and shared with Mailchimp to send out updates, newsletters and information about events. Participants can unsubscribe at any time by clicking unsubscribe or contacting us directly to be removed.
Booking forms for classes, music lessons, clubs and holiday camps with participants full name on will be shared with our accountant KSL as they are receipts for payments we receive, and they may in turn be shared with HMRC. KSL and HMRC have their own privacy policies in place which are GDPR compliant.
Medical forms and accident report forms are stored on site in a locked filing cabinet.
All registration and photo consent forms are renewable after 2 years. Our next renewal date will be 1st June 2020, where we will obtain all new consents and old consents will be shredded.
GDPR means that Rhythmix Academy of Dance must;
* Manage and process personal data properly
* Protect the individual’s rights to privacy
* Provide an individual with access to all personal information held on them