DocumentedCreated: 15th May 2018
Date of LastReview: 15th May 2018
Date of NextReview: 15th May 2019
GDPR: DataProtection Policy:
Sarah Jane Bullock, The Lodge School ofTheatrical dance
This policy outlines our data protection policy, and thus how wecomply with the GDPR.
We have registered with the ICO and this is renewed automatically eachyear.
1.The data that we process and how it flows into, through andout of my business.
Data comes into my business in 4ways:
a.Viaemail messages to me from potential clients (PC) and clients(C) that have myemail number.
b.Viatext messages (as above)
It flows through my business via:
●Mylaptop - which goes from work to home
●Mysmart phone - everywhere I go
●Mypaper file - occasionally from work to home if I am working
The information does not flow outof my business.
2. The personal data I hold, where it came from, who Ishare I with and what I do with it.
Information Asset Register
●I hold personal information about myclients that they have given me.
●This includes name, address, contactdetails, and, where appropriate, age. Ialso hold health and wellbeing information about them which I collect from themat their first consultation.
●I hold information about classes thatthey attend.
●I don't share this information withanyone.
●I use the information I have to inform myteaching colleagues working for theLodge
●I keep all data for:
a. claims occurring insurance: for which I amrequired to keep my records for 7 years after the last treatment - please see
b.law regarding children'srecords: for which I am required to keep my records until the child is 25, orif 17 when treated then until they are 26.
c.registration with the'Royal Academy of Dance' and the 'Imperial Society of Teachers of Dancing'
3.The lawful bases for me to processpersonal data and special categories of data.
I process the personal dataunder:
●Legitimate interest: I am required to retain the information about my clientsin order to provide them with the best teaching options and advice.
●Special Category Data - HealthRelated: I process under special category data, therefore theadditional condition under which I hold and use this information is for me to ensuretheir safety while on the premisesand awareness of health conditions, (bound under the BTPA Confidentiality as defined intheir Codes of Practice and Ethics)
4. Privacy Notice
Individuals need to know that their data is collected, whyit is processed and who it is shared with. This information in included in my privacy notice on my website andwithin any forms or letters I send to individuals.
Ihave written a privacy notice for my website and for my students, and haveensured that the privacy notice includes all of the information included in theICO privacy notice checklist at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed#table
5.Processes to recognise and respond to individuals' requests to access theirpersonal data.
All individuals will need to submit a written request toaccess their personal data - either by email or by letter. I will provide that information without delayand at least within one calendar month of receipt. I can extend this period bya further two months for complex or numerous requests (in which case theindividual will be informed and given an explanation).
I will identify the client using reasonable means, whichbecause of the special category under which I process data, will be photographicID.
I will keep a record of any requests to access personaldata.
6.Processes to ensure that the personal data I hold remains accurate and up todate.
I will ensure that client information is kept up to date,and will update client information as I am informed of any changes.
Once a year I will also have a review of all data.
7.Schedule to dispose of various categories of data, and its secure disposal.
Once a year I will review my client information and willplace dormant clients in a separate file. This will be assessed each month to ensure that data that is no longerrequired to be kept under GDPR is destroyed securely.
8.Procedures to respond to an individual's request to restrict the processing oftheir personal data.
As I only holddata in order to provide classes and the correct training and care for mypupils. If I do receive a request I will respond asquickly as possible, and within one calendar month, explaining clearly what Icurrently do with their data and that I will continue to hold their data butwill ensure that it ist processed.
9. Processes to allow individuals to move, copy ortransfer their personal data from one IT environment to another in a safe andsecure way, without hindrance to usability.
Should clients wish their data tobe copied or transferred I would work with the client to ensure that this isdone in a way that was most appropriate for them - for example this could be anelectronic summary of treatment received and progress made, copies ofindividual treatment records. I do nothold any treatment information electronically.
10. Procedures to handle an individual's objection to theprocessing of their personal data.
I willinform my clients of their right to object “at the point of firstcommunication" and have clearly laid this out in my privacy notice.
11. Processing operations that constitute automateddecision making.
I do nothave any processing operations that constitute automated decision making andtherefore, do not currently require procedures in place to deal with therequirements. This right is, however,included in my privacy statement.
12. Data Protection Policy
This document forms my dataprotection policy and shows how I comply with GDPR.
This is a live document and willbe amended as and when any changes to my data processing takes place, at thevery least it will be reviewed annually.
As the only member of staff Ibelieve that I have done an appropriate amount of research around theimplications of the new GDPR, including taking heed of the advice and guidanceprovided by my professional membership organisations
13. Effective and structured information risks management
The risks associated with mydata, and how that risk is managed is as follows:
●Break in to office - all my paper filesare stored in locked filing cabinet in a locked room. No one else has the key but me.
●Theft of paper file while at home - if Itake any work home with me this is kept in my office, and my home and in alocked cabinet.
14. Named Data Protection Officer (DPO) and ManagementResponsibility
Sarah Jane Bullock
15. Security Policy
As detailed in my riskassessment. I have also chosen myelectronic equipment based on their industry record as having the most robustinbuilt protection possible.
16. Data Breach Policy
A personal data breach means a breach of security leadingto the destruction, loss, alteration, unauthorised disclosure of, or access to,personal data.
I understand that I only have to notify the ICO of abreach where it is likely to result in a risk to the rights and freedoms ofindividuals.
Where a breach is likely to result in a high risk to therights and freedoms of individuals, I will notify those concerned directly andwithout undue delay.
Inall cases I will maintain records of personal data breaches, whether or notthey were notifiable to the ICO.
Data Protection Policy created: 21st May 2018
This is a live document and willbe updated as and when changes occur.
Date of Next Review: 21st May 2019
Signed: Sarah Jane Bullock
- Sigalit Boujo -
The Lodge School of Theatre Dance
8 Holmes Road
07758 412 854
07758 412 854