Documented Created: 15th May 2018
Date of Last Review: 15th May 2018
Date of Next Review: 15th May 2023
GDPR: Data Protection Policy:
Sarah Jane Bullock, The Lodge School of Theatrical dance
Sarah Jane Bullock
8 Graffham Close Lower Earley Reading Berkshire RG6 4DJ
This policy outlines our data protection policy, and thus how we complywith the GDPR.
We have registered with the ICO and this is renewed automatically eachyear.
1.The data that we process and how it flows into,through and out of my business.
Data comes into my business in four ways:
a.Via email messages to me from potential clients (PC) and clients(C)that have my email address.
b.Via text messages (as above)
c.Via my website
d.Via Facebook Messenger
It flows through my business via:
●My laptop - which goes from work to home
●My smart phone - everywhere I go
●My paper file - occasionally from work to home if I am working
The information does not flow out of my business.
2. The personal data I hold, where it came from,who I share I with and what I do with it.
Information Asset Register
●I hold personal information about my clients that they have given me.
●This includes name, address, contact details, and, where appropriate,age. I also hold health and wellbeing information about them which I collectfrom the mat their first consultation.
●I hold information about classes that they attend.
●I don't share this information with anyone.
●I use the information I have to inform my teaching colleagues workingfor the Lodge
●I keep all data for:
a. claimsoccurring insurance: for which I am required to keep my records for 7 yearsafter the last treatment.
b.lawregarding children's records: for which I am required to keep my records untilthe child is 25, or if 17 when treated then until they are 26.
c.registrationwith the 'Royal Academy of Dance' and the 'Imperial Society of Teachers ofDancing'
3.The lawful bases for me to process personal dataand special categories of data.
I process the personal data under:
●Legitimate interest: I am required to retain the informationabout my clients in order to provide them with the best teaching options andadvice.
●Special Category Data - Health Related: I process under special category data, therefore the additionalcondition under which I hold and use this information is for me to ensure theirsafety while on the premises and awareness of health conditions, (bound underthe BTPA Confidentiality as defined in their Codes of Practice and Ethics)
4. Privacy Notice
Individuals need to know that their data is collected, why it isprocessed and who it is shared with. This information in included in my privacynotice on my website and within any forms or letters I send to individuals.
I have written a privacy notice for my website and for my students, andhave ensured that the privacy notice includes all of the information includedin the ICO privacy notice checklist at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed#table
5.Processes to recognise and respond toindividuals' requests to access their personal data.
All individuals will need to submit a written request to access theirpersonal data - either by email or by letter. I will provide that informationwithout delay and at least within one calendar month of receipt. I can extendthis period by a further two months for complex or numerous requests (in whichcase the individual will be informed and given an explanation).
I will identify the client using reasonable means, which because of thespecial category under which I process data, will be photographic ID.
I will keep a record of any requests to access personal data.
6.Processes to ensure that the personal data I holdremains accurate and up to date.
I will ensure that client information is kept up to date and will updateclient information as I am informed of any changes.
Once a year I will also have a review of all data.
7.Schedule to dispose of various categories ofdata, and its secure disposal.
Once a year I will review my client information and will place dormantclients in a separate file. This will be assessed each month to ensure thatdata that is no longer required to be kept under GDPR is destroyed securely.
8.Procedures to respond to an individual's requestto restrict the processing of their personal data.
As I only hold data in order to provide classes andthe correct training and care for my pupils. If I do receive a request I willrespond as quickly as possible, and within one calendar month, explainingclearly what I currently do with their data and that I will continue to holdtheir data but will ensure that it isn't processed.
9. Processes to allow individuals to move, copy or transfertheir personal data from one IT environment to another in a safe and secureway, without hindrance to usability.
Should clients wish their data to be copied ortransferred I would work with the client to ensure that this is done in a waythat was most appropriate for them - for example this could be an electronic summaryof treatment received and progress made, copies of individual treatmentrecords. I do not hold any treatment information electronically.
10. Procedures to handle an individual's objectionto the processing of their personal data.
I will inform my clients of their right to object“at the point of first communication" and have clearly laid this out in myprivacy notice.
11. Processing operations that constitute automate decisionmaking.
I do not have any processing operations thatconstitute automated decision making and therefore, do not currently requireprocedures in place to deal with the requirements. This right is, however,included in my privacy statement.
12. Data Protection Policy
This document forms my data protection policy andshows how I comply with GDPR.
This is a live document and will be amended as andwhen any changes to my data processing takes place, at the very least it willbe reviewed annually.
As the only member of staff I believe that I havedone an appropriate amount of research around the implications of the new GDPR,including taking heed of the advice and guidance provided by my professionalmembership organisations
13. Effective and structured information risksmanagement
The risks associated with my data, and how thatrisk is managed is as follows:
●Break into office - all my paper files are stored in locked filingcabinet in a locked room. No one else has the key but me.
●Theft of paper file while at home - if I take any work home with methis is kept in my office, and my home and in a locked cabinet.
14. Named Data Protection Officer (DPO) andManagement Responsibility
Sarah Jane Bullock
15. Security Policy
As detailed in my risk assessment. I have alsochosen my electronic equipment based on their industry record as having themost robust inbuilt protection possible.
16. Data Breach Policy
A personal data breach means a breach of security leading to thedestruction, loss, alteration, unauthorised disclosure of, or access to,personal data.
I understand that I only have to notify the ICO of a breach where it islikely to result in a risk to the rights and freedoms of individuals.
Where a breach is likely to result in a high risk to the rights andfreedoms of individuals, I will notify those concerned directly and withoutundue delay.
In all cases I will maintain records of personal data breaches, whetherthey were notifiable to the ICO.
Data Protection Policy created: 21st May2018
This is a live document and will be updated as andwhen changes occur.
Date of Next Review: 15th May 2023
Signed: Sarah Jane Bullock
- Mia Hadid illus Age 10 -
The Lodge School of Theatre Dance
8 Holmes Road
07758 412 854
07758 412 854