Data Protection (GDPR)

Jump to Facebook Page (for users) GDPR Policy.

Purpose and Statement:

New Groove Creative is committed to ensuring the data processed by our school remains safe and secure.

This policy has been written in line with legislative change, including both the Data Protection Act (1998) and the EU’s General Data Protection Regulation (GDPR).

New Groove Creative has determined the lawful reasons with which it processes personal data:

Legal obligation – GDPR Article 6(1)(c)
Legitimate interest – GDPR Article 6(1)(f)
Contract - GDPR Article 6(1)(b)

There is also some limited data we process with consent from the Data Subject; Consent – GDPR Article 6(1)(a).

While New Groove Creative avoids sharing data with third parties at most times, some data is shared in accordance with our business practices. The sharing of data with third parties will always be consensual with the data subject and/or their parent/guardian, and only if New Groove Creative is satisfied that their Data Protection policy is GDPR compliant.

Main Aims for the policy:

Specify the data New Groove Creative collect, how it is stored/protected and the reason for collecting it
State New Groove Creative use personal data in processing
Disclose who has access to the data and how long we retain information for
Explain Data Subject’s rights with New Groove Creative data including access, rectification and erasure

Distribution:

To be displayed on the New Groove Creative website
This policy will be sent directly to members of the public on request
Confirmation of receipt of information - Signed statement from recipient to be held on file

Review and monitoring of policy:

Reviewed annually or in instances of legislative change
Monitoring is part of Management and Supervision.

The following policy is based on the below principles:

The GDPR includes the following rights for individuals:

the right to be informed
the right of access
the right to rectification
the right to erasure
the right to restrict processing
the right to data portability
the right to object
the right not to be subject to automated decision-making including profiling

General Principles

New Groove Creative is committed to providing fair and understandable privacy policies in relation to personal data.

New Groove Creative will, at all times, keep data in secure locations (including, but not limited to, encrypted and access restricted files) and not retain data unnecessarily or past the retention length as set out in this policy.

In the rare instance a data processor that is not an New Groove Creative employee is used, such as a third party, the data subject will either be asked for consent pre to supplying the data or be notified and have the right to object to processing.

Participants and Customers

How New Groove Creative collect personal data:
New Groove Creative customers and participants supply their personal data when signing up for classes through our registration form either via the website, or via paper form.

This is either completed by a parent/guardian or the child themselves if they deemed able to do so.

Personal data may also come to us unsolicited via enquiries through our website and to our generic email account.

Why New Groove Creative collect personal data:
To attend any of New Groove Creative’s activities participants/parents/guardians must agree to some processing of their personal data. This is due to Legitimate Interests – GDPR Article 6(1)(f), Legal Obligation GDPR Article 6(1)(c), Contract - Article 6(1)(b) and/or Consent - Article 6(1)(a).

Should New Groove Creative be unable to process participant’s data, we would be contravening both our Health & Safety and Child Safeguarding policies. We would also be ignoring best practice regarding working with children/vulnerable adults.

Our participants must remain safe at all times, therefore information about participants must be collected in order to create registers and accurate student records. This information is also used to provide students with appropriate classes, including dividing students into age groups.

As physical activity providers it is essential that this consent is given should a participant have any medical/disability needs. This allows us to incorporate participants safely into classes. It is also used in assessing if we can incorporate participants safely into classes.

Ethnicity and other sensitive data is to provide information to funding bodies for statistical purposes.

This data is always provided to third parties as quantified data (i.e. cumulative numerical data only with no identifying information relating to any data subject).

What data we collect:

Personal data and some special category is collected.

It is essential to our primary function (providing classes to participants) that we are provided, and allowed to process and store the following:

Participant Personal Data:

Full Name - GDPR Article 6(1)(f)
Date of Birth - GDPR Article 6(1)(f)
Home Address - GDPR Article 6(1)(f)
Sex - GDPR Article 6(1)(f)
Permission to go home alone - GDPR Article 6(1)(f)
School/Educational Institution - GDPR Article 6(1)(f)
Exam results (vocational exams taken through New Groove Creative only) - GDPR Article 6(1)(f)
Classes attended/Price paid - GDPR Article 6(1)(f)

Participant Special Category Data:

Medical Information/History – GDPR Article 9 (a)
Disability Information - GDPR Article 9 (a)
Ethnicity – GDPR Article 9 (a & j) – further explicate consent sought
Gender/Sex – GDPR Article 9 (a & j) – further explicate consent sought
Sexuality – GDPR Article 9 (a & j) – further explicate consent sought

Parent/Guardian Personal Data:

Name - GDPR Article 6(1)(f)
Address - GDPR Article 6(1)(f)
Email Address - GDPR Article 6(1)(f)
Mobile Telephone Number - GDPR Article 6(1)(f)
Work/Home Number - GDPR Article 6(1)(f)
Emergency Contact Number - GDPR Article 6(1)(f)

Parent/Guardian Special Category Data:

Concession Type – further explicate consent sought
Documented proof of financial need – further explicate consent sought
Bank Details – further explicate consent sought in the instance of refunds etc.

How data collected is sent internally:

New Groove Creative transports data with all due diligence.

Enrolment forms are sent to New Groove Creative through an encrypted email server directly from our website online admin system Love Admin which has controlled access. Received enrolment forms are stored on an encrypted email server for no more than 6 months. Received paper enrolment forms are destroyed after no more than 4 weeks.

Storage/Retention of data:

Data received through enrolment forms is uploaded manually into our database software LoveAdmin. Our database is stored both in encrypted files on office-based hardware and backed up regularly in our encrypted cloud-based server. Access to these files is restricted through password protection and only available to authorised staff members.

Registers and emergency contact lists created from student data are stored in encrypted files on office-based hardware and backed up regularly in our encrypted cloud-based server. Access to these files is restricted through password protection and only available to authorised staff members.

Hard copies of registers and emergency contacts are carried by authorised staff members. They are locked away while not in use. When they are no longer in use or out-dated, they are destroyed thoroughly.

Waiting lists are stored on an encrypted cloud-based server.

Our standard retention policy (without the data subject’s right to access, rectification and erasure etc.) is THREE YEARS post final attendance.

Exceptions to our retention policy:

Financial records are kept for 6 years due to legal obligation
First Aid records are kept for 21 years due to legal obligation
Photo consent may be kept indefinitely
Child Safeguarding records are kept indefinitely on a case-by-case basis, the minimum these will stored for is 6 years due to legal obligation
Bank details are deleted after the action concerning them is complete
Unsolicited enquiries that do not turn into bookings with current classes are deleted after they have been dealt with

Third Parties/Data Processors:

New Groove Creative does not actively share data with third parties, however there are certain instances where sharing information is crucial to our business processes.

Track and Trace:

New Groove Creative uses NHS Track and Trace to monitor and check in each member as they attend any classes. Your personal data will be shared with Track and Trace should they need to contact you regarding Coronavirus risk.

By using NHS track and Trace you agree to their own (GDPR Compliant) policies.

New Groove Creative is satisfied that their GDPR regulations are thorough, and the information stored in NHS Track and Trace is secure.

Freelance Teachers:

As many of New Groove Creative teachers are freelance staff, we have confidentiality and data processor agreements in place. Teachers will never be provided with personal details aside from participant’s first names and any medical information that is pertinent to the running of a class (subject to consent from the data subject)

MailChimp:
New Groove Creative uses a USA based company ‘MailChimp’ to provide newsletters and marketing via email. This is an optional process, which people consent to during enrolment or sign-up directly through our website. Data Subjects can opt-out and erase/rectify their record stored with MailChimp at any time.

New Groove Creative is satisfied that their GDPR regulations are thorough, and the information stored in MailChimp (email addresses) is secure.

LoveAdmin:
New Groove Creative uses LoveAdmin and Stripe to process orders through our website.

By purchasing through LoveAdmin or Stripe you must agree to their own (GDPR Compliant) policies.

New Groove Creative is satisfied that their GDPR regulations are thorough, and the information stored in LoveAdmin and Stripe is secure.

Child Performance Licensing:

In order to process child performance licences, New Groove Creative are legally required to provide some personal data to local councils (including but not limited to: full name, date of birth and school details). This is an optional consent, which will be sought at the time of sending participation consent forms.

New Groove Creative is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained. For more information:

https://www.kent.gov.uk/about-the-council/information-and-data/access-to-information/gdpr-privacy-notices/office-of-the-general-counsel/information-rights-privacy-statement

Child Safeguarding Concerns:

In the unlikely event New Groove Creative has a safeguarding concern in relation to one of our participants, New Groove Creative are legally required to provide data to the safeguarding board at the local council.

New Groove Creative is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

Event Programmes:

New Groove Creative may occasionally produce programmes for events. These will only ever contain the first name and first initial of a child’s last name (unless otherwise consented to). The name of a child’s class may also be included. Participants/their Parent and/or Guardians may choose if they want to be included in the programme when they agree to participate at an event.

Schools:
New Groove Creative must sometimes share personal data with schools (names, DOB and payment information) when taking part in an internal class in order for them to check persons attending. This also helps the school work out New Groove Creative’s payment in terms of renting space.

New Groove Creative is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

Rights of the data subject and New Groove Creative compliance with responses:

Any data subject with personal data stored within New Groove Creative is entitled to the rights of:

Access

You may contact New Groove Creative at any time to access all data held relating to you and/or your child(ren). New Groove Creative will ensure that we respond to a subject access request without undue delay and within one month of receipt. If the information request will also include data regarding others, New Groove Creative has the right to refuse the request or take steps in order to obtain consent from other involved parties.

The right of access does not apply to New Groove Creative’s legal obligations such as Child Safeguarding records.

Rectification
You may contact New Groove Creative at any time in order to rectify data held relating to you and/or your child(ren). New Groove Creative will ensure that we respond to a rectification request without undue delay and within one month of receipt.
The right to rectification does not apply to New Groove Creative’s legal obligations such as payment record information.
Erasure

You may contact New Groove Creative at any time in order to erase data held relating to you and/or your child(ren). New Groove Creative will ensure that we respond to an erasure request without undue delay and within one month of receipt.

The right to erasure does not apply New Groove Creative’s legal obligations such as First Aid records.

Restrict Processing
You may contact New Groove Creative at any time in order to restrict the data we process relating to you and/or your child(ren). New Groove Creative will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest in most of the data collected- we may have to revoke your membership with New Groove Creative until the restriction is lifted. This is due to Health and Safety and Child Safeguarding.
Data Portability
You may contact New Groove Creative at any time in order to obtain the data we process relating to you and/or your child(ren) and reuse it across different services. New Groove Creative will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
Please note, this does not apply to New Groove Creative’s legal obligations.
Objection
You may contact New Groove Creative at any time in order to object to the processing of data relating to you and/or your child(ren). New Groove Creative will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest in most of the data collected- we may have to revoke your membership with New Groove Creative until the restriction is lifted. This is due to Health and Safety and Child Safeguarding.
Rights related to automated decision making including profiling
You may contact New Groove Creative at any time in order to object to profiling relating to you and/or your child(ren). New Groove Creative will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest in most of the data collected- we may have to revoke your membership with New Groove Creative until the profiling restriction is lifted. This is due to Health and Safety and Child Safeguarding.
New Groove Creative has a lawful reason for profiling; Legitimate Interests and consent.
None of New Groove Creative’s decision making is automated. Profiling is only used in circumstances where a participant may have certain health/disability needs which may prevent them from taking part in classes (as it would be unsafe to do so).

Any and all verbal requests are noted, and then contacted again either via phone or email to verify the request. Verbal requests will be responded to in the time frames mentioned above.

Photos/Videos of Participants

New Groove Creative often use footage/photos used from shows, performances and classes for marketing purposes both in print, social media and the website. Participants/their Parent and/or Guardians may choose if they do not wish themselves/their child to be depicted.

Some attendees at events may film/take photos for their own personal use (e.g. parents of other participants). Participants/their Parent and/or Guardians may choose if they do not wish themselves/their child to be depicted.

Social Media:

New Groove Creative regularly share photos/videos of students in workshops, events and performances through social media platforms including; Instagram, Facebook, Twitter, Email. These will never be shared with any identifying information (age, location etc.). There may be times where we will share first names, but only with the explicit consent of the parents.

Staff (Employees/Freelance), Trustees, Volunteers and Potential Staff/Trustees and/or Volunteers

For the purposes of this policy, the aforementioned persons above will be referred to as ‘staff’.

How New Groove Creative collect personal data:
New Groove Creative staff supply their personal data when applying for roles within the company. This is either completed through an application form or submission of a CV.

Further information is collected when applicants are considered successful. Unsolicited data may come to New Groove Creative in the form of applicants emailing regarding work/volunteer opportunities.

Why New Groove Creative collect personal data:

It is New Groove Creative’s legal obligation to collect staff’s personal data in relation to their employment. This is due to Legal Obligation GDPR Article 6(1)(c) and/or Contract - Article 6(1)(b)

Should New Groove Creative be unable to process staff’s data, we would be contravening UK Employment law, our own employment contracts (both PAYE and Freelance) and our own Health & Safety and Child Safeguarding policies.

Special category data is only collected with the consent of the data subject. Special category data New Groove Creative collects includes but is not limited to: Medical/Disability information, Ethnicity, Gender and Sexuality New Groove Creative’s lawful purpose for collecting this data is both Article 6(1)(b) – contract and Article 9(2)(b) – employment. This also ensures we are confirming to our Equal Opportunities policy. Any data is always recorded as quantified data (i.e. cumulative numerical data only with no identifying information relating to any data subject).

New Groove Creative is also entitled to obtain and process data in relation to criminal convictions and DBS checks. Most posts within New Groove Creative are exempt from the Rehabilitation of offenders act (1974) by the 1975 and 2001 Exceptions Amendment, as they involve working with vulnerable and/or young people. This is further supported by article 10 of GDPR.

What data we collect:

Personal data and some special category is collected.

It is essential to our business that we are provided, and allowed to process and store the following:

Staff Personal Data:

Full Name Legal obligation – GDPR Article 6(1)(c) Legal Obligation
Date of Birth - GDPR Article 6(1)(c) Legal Obligation
Contact Details - GDPR Article 6(1)(c) Legal Obligation
Pension Information - GDPR Article 6(1)(c) Legal Obligation
NI number - GDPR Article 6(1)(c) Legal Obligation
UTR number - GDPR Article 6(1)(c) Legal Obligation
Right to work in the UK - GDPR Article 6(1)(c Legal Obligation
References - GDPR Article 6(1)(c) Legal Obligation
Bank Details - Article 6(1)(b) Contract
Tax details - GDPR Article 6(1)(c) Legal Obligation
Qualifications - Article 6(1)(b) Contract
Pay Details - GDPR Article 6(1)(c) Legal Obligation
Performance Details - Article 6(1)(b) Contract
Annual Leave Details - Article 6(1)(b) Contract
Sick/Compassionate/Maternity/Paternity Leave Details - Article 6(1)(b) Contract
Safeguarding Concerns - GDPR Article 6(1)(c) Legal Obligation
Emergency Contact - GDPR Article 6(1)(b) Contract

Staff Special Category Data:

Criminal Record/DBS Checks - GDPR Article 6(1)(c) Legal Obligation & GDPR Article 10
Medical/Disability - Article 6(2)(b) Contract & Article 9(2)(b)
Ethnicity – Further explicit consent sought- Article 9(2)(a & b)
Sexuality – Further explicit consent sought - Article 9(2)(a & b)

How data is sent internally:
Any transfer of data regarding staff is conducted through encrypted emails and/or stored in our encrypted cloud-based server.

Any unsolicited information is received to an encrypted email server.

Storage/Retention of data:

All Staff personal data is stored on encrypted files in our cloud-based server. It is also stored on encrypted hardware within the office. Any hard copies are stored in a locked cabinet. All of these files have restricted access to authorised staff only.

Most staff data is retained for 6 YEARS (post-employment).

Exceptions to our retention policy:

Pension details are stored for 75 years (post-employment) due to legal obligation
Child Safeguarding records are kept indefinitely on a case-by-case basis, the minimum these will stored for is 6 years due to legal obligation
First Aid records are kept for a minimum of 21 years due to legal obligation

Unsuccessful applicant data is stored 6-months post campaign, this includes unsolicited data from potential applicants.

Third Parties/Data Processors:
New Groove Creative does not actively share data with third parties, however there are certain instances where sharing information is crucial to our business processes.

Barclays:
In order to process payments by BACs, staff’s bank details and names must be added to our online banking system. New Groove Creative is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

HMRC:
In order to fulfil our legal obligations to HMRC, New Groove Creative must supply PAYE staff’s personal data each month and at the end of every financial year. New Groove Creative is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

References:
In order to supply references for staff members, some personal data must be divulged. This will only be done with the data subject’s consent, as New Groove Creative may not be fully aware of the recipients GDPR policies.

Child Performance Licensing:

In order to process child performance licences, New Groove Creative are legally required to provide some staff’s personal data to local councils (including but not limited to: full name and DBS details).

New Groove Creative is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained. For more information: https://www.lewisham.gov.uk/mayorandcouncil/aboutthecouncil/access-to-information/Pages/Data-Protection-Act.aspx

Child Safeguarding Concerns:

In the unlikely event New Groove Creative has a safeguarding concern in relation to one of participants and/or staff members, New Groove Creative are legally required to provide data to the safeguarding board at the local council and the Disclosure and Barring service.

New Groove Creative is satisfied that their GDPR process are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

Website Biography:

New Groove Creative’s website includes staff biographies, these are available for public viewing. Consent it sought before any/all staff profiles are added to the website.

Rights of the data subject and New Groove Creative compliance with responses:

Any data subject with personal data stored within New Groove Creative is entitled to the rights of:

Access

You may contact New Groove Creative at any time to access all data help relating to you. New Groove Creative will ensure that we respond to a subject access request without undue delay and within one month of receipt. If the information request will also include data regarding others, New Groove Creative has the right to refuse the request or take steps in order to obtain consent from other involved parties.

The right of access does not apply New Groove Creative’s legal obligations such as confidential Child Safeguarding records.

Rectification
You may contact New Groove Creative at any time in order to rectify data held relating to you. New Groove Creative will ensure that we respond to a rectification request without undue delay and within one month of receipt.
The right to rectification does not apply to New Groove Creative’s legal obligations such as payment record information.
Erasure
You may contact New Groove Creative at any time in order to erase data held relating to you. New Groove Creative will ensure that we respond to an erasure request without undue delay and within one month of receipt.
The right to erasure does not apply to New Groove Creative’s legal obligations such as First Aid records.
Restrict Processing
You may contact New Groove Creative at any time in order to restrict the data we process relating to you. New Groove Creative will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest and legal obligations in most of the data collected- we may not be able to restrict processing.
Data Portability
You may contact New Groove Creative at any time in order to obtain the data we process relating to you and reuse it across different services. New Groove Creative will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
Please note, this does not apply to New Groove Creative’s legal obligations.
Objection
You may contact New Groove Creative at any time in order to object to the processing of data relating to you. New Groove Creative will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
However, due to our legitimate interest and legal obligations in most of the data collected - we may not be able to accept your objection.
Rights related to automated decision making including profiling
You may contact New Groove Creative at any time in order to object to profiling relating to you). New Groove Creative will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.
Please note, this does not apply to New Groove Creative’s legal obligations.
New Groove Creative has a lawful reason for profiling; Legitimate Interests and consent.
None of New Groove Creative’s decision making is automated. Profiling is only used in circumstances where a staff member has a criminal conviction.

Any and all verbal requests are noted, and then contacted again either via phone or email to verify the request. Verbal requests will be responded to in the time frames mentioned above.

Last updated: 13/10/2020

Facebook Page (for users) GDPR Policy:

Purpose and Statement:

New Groove Creative uses a Facebook page to advertise its services and connect/share with its (and a wider) audience. The web address for our Facebook page is: https://www.facebook.com/newgroovecreative.

Facebook has its own GDPR policies & uses cookies. Please refer to Facebook GDPR policies for further details.

New Groove Creative is able to process some personal data from interactions with our Facebook page, which is described below, however, how New Groove Creative processes this data is very limited.

Distribution:

· To be displayed on our Facebook Page, https://www.facebook.com/newgroovecreative

· This policy will be made available to members of the public on request

Review and monitoring of policy:

· Reviewed annually or in instances of legislative change

· Monitoring is part of Management and Supervision

General Principles:

· Administrators of the New Groove Creative Facebook Page are authorised by New Groove Creative staff

· New Groove Creative does not actively collect, harvest or store any data in connection with Facebook

Facebook Posts:

Types of Facebook Posts:

· Marketing/Advertisement of our various courses, workshops and events

· General News and updates including, but not limited to, student achievements, photos from events, updates, videography from classes/events

If you communicate with New Groove Creative via the page we will respond to your communications & make information available to you that is relevant to those communications. If you choose to ‘like’ the page, you can ‘unlike’ at any time.

As a public Facebook page all communication you share to the page can be seen by anyone. If you need to discuss anything privately with New Groove Creative, please contact the office.

Anonymous Data:

Administrators of Facebook Pages can obtain anonymous statistical data on visitors to the page and those who ‘like’ the page via a function called ‘Facebook Insights’ which Facebook makes available to them free of charge under non-negotiable conditions of use

The data is collected by ‘cookies’, each containing a unique user code, which are active for two years and are stored by Facebook on the device used by visitors to the page. This user code, which can be matched with the connection data of users registered on Facebook, is collected and processed by the Facebook Insight programme.

Anonymous Data our Facebook Page collects:
- Demographic information (including Age, Sex, Location, Relationship Status, Occupations)

- Internet usage (including times online and length of page visits)

- Sales information (including online purchase history, categories of goods or services)

How New Groove Creative may use this data:
New Groove Creative may use this anonymous data to target marking to specific categories of peoples, and to effectively time manage campaigns (in terms of when to release posts and time lengths of special offers etc)
New Groove Creative may also use this data in the evaluation of marketing campaigns

How New Groove Creative retain/archive this information:
New Groove Creative do not remove any of this anonymous data from Facebook (a GDPR compliant company), except in the instance of reporting the effectiveness of advertising campaigns.

Non-anonymous Data:

Administrators of Facebook Pages can obtain limited personal data about people who choose to ‘like’ and/or ‘follow’ the page and/or communicate with the page.

A Facebook user’s Name is actively sent by Facebook to the page administrator as a notification. The Facebook page contains a list of all users who ‘like’ or ‘follow’ the page.

Administrators are also able to access the profile of those who choose to ‘like’ and/or ‘follow’ the page and/or communicate with the page.

How New Groove Creative retain/archive this information:

No record of names are removed from Facebook or used for any purpose.

Further Privacy Policies:

Please see our full privacy policy for further information upon request.

Last updated: 27/03/2020

Data Protection (GDPR)

Facebook Page (for users) GDPR Policy:

Dance to express, not to impress

Classes

Workshops