I confirm my business will comply at all times with the GDPR 2018 act and the principles outlined below when it comes to collecting, handling and storing personal data.
| Principle | Requirement |
|---|---|
| Lawfulness, fairness and transparency | Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject |
| Purpose limitation | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes |
| Data minimisation | Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed |
| Accuracy | Personal data shall be accurate and, where necessary, kept up to date |
| Storage limitation | Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed |
| Integrity and confidentiality | Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against accidental loss, destruction or damage. |
| Accountability | The DPO shall be responsible for, and be able to demonstrate compliance with the GDPR |
I am responsible as a business for ensuring that any personal data held is processed in accordance with the principles laid out above. I am permitted to process data where one of the following legal bases applies:
I do not require this type of data on my students. It has a special status under the law, as it is particularly personal in nature. It concerns a person’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics used for identification purposes, health, sex life or sexual orientation. There are a number of strict rules about the processing of this kind of data, and the kinds of situations in which it is legitimate to process it, and usually the data controller needs the data subject’s explicit consent to do so or a clear legal basis. I will never disclose such data to any third party unless legally obliged to do so, and then only to appropriate authorities as required by law.
Data held: Full name, Date of birth, Address, Home / mobile telephone number & email address
The ‘emergency’ contact details of each subject’s next of kin in cases of emergency only.
Any medical conditions that could affect the subject’s participation in my courses or my handling of them
Any ISTD pin numbers, previous examination history & records of other appropriate dance qualifications.
Reference numbers (only) of a photographic identification document, as required by ISTD for Exam entry purposes.
Subjects are responsible for keeping their information up to date. Jackie Barnes / Hildale Academy of Performing Arts cannot be held responsible for missed communications and the consequences of such, if subjects do not inform them of changes in their contact details.
NO bank details are kept on file.
Once the subject has completed or left a course, their data will be stored for 6 years for tax & accountancy requirements. Hard copy of any data will be destroyed within 12 months.
Digital copies of data are held on a computer that is password protected.
Hard copies of data are held in locked filing systems.
Subjects have the right to withdraw consent for their data to be used / stored at any time.
‘Subject Access Requests’ (SARs) can be made by data subjects where an organisation holds personal data about them. This can be done at any time, and the requests are made in order for the data subject to find out what data is being held, and what is being done with it.
I will not charge the data subject any fee for responding to the SAR, unless the subject is asking for multiple copies of data already supplied or unless the request is manifestly unfounded or excessive.
I will take the following steps in relation to the collection, holding and processing of personal data:
All personal data breaches must be reported immediately to the DPO.
If such a breach occurs, and it is unlikely to result in a risk to the rights and freedoms of data subjects due to the nature of the information held.
However, the DPO is required to ensure that the ICO is informed without delay and, in any event, within 72 hours of the breach.
Jackie Barnes is the registered DPO.
Jackie Barnes / Hildale Academy of Performing Arts cannot be held responsible for any data protection breaches that have originated from passing your data on to the examination board for the purposes of examination / qualification processing, or from emailed course communications.
This Policy is effective as of 25 May 2018. No part of the Policy is retrospective in effect, and it applies to matters occurring on or after 25 May 2018.
This Policy has been approved and authorised by:
Jacqueline Foot trading as: Jackie Barnes